[
https://issues.apache.org/jira/browse/CXF-8913?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17755369#comment-17755369
]
Claus Ibsen commented on CXF-8913:
----------------------------------
I wonder if Apache CXF could isolate opensaml in some kind of new cxf module so
its easier to not pull in by default
Currently it looks as if cxf-rt-ws-security is pulling in opensaml. Maybe this
can be split up into a new
cxf-rt-ws-security-saml
[INFO] | +- org.apache.cxf:cxf-rt-ws-security:jar:4.0.2:test
[INFO] | | +- org.apache.cxf:cxf-rt-security-saml:jar:4.0.2:test
[INFO] | | | \- org.apache.cxf:cxf-rt-security:jar:4.0.2:test
[INFO] | | +- org.ehcache:ehcache:jar:jakarta:3.10.8:test
[INFO] | | | \- javax.cache:cache-api:jar:1.1.0:test
[INFO] | | +- org.apache.wss4j:wss4j-ws-security-dom:jar:3.0.0:test
[INFO] | | | \- org.apache.wss4j:wss4j-ws-security-common:jar:3.0.0:test
[INFO] | | | +- org.apache.santuario:xmlsec:jar:3.0.1:test
[INFO] | | | | \- commons-codec:commons-codec:jar:1.16.0:test
[INFO] | | | +- org.opensaml:opensaml-saml-impl:jar:4.2.0:test
[INFO] | | | | +- org.opensaml:opensaml-core:jar:4.2.0:test
[INFO] | | | | +- org.opensaml:opensaml-profile-api:jar:4.2.0:test
[INFO] | | | | +- org.opensaml:opensaml-saml-api:jar:4.2.0:test
[INFO] | | | | +- org.opensaml:opensaml-security-api:jar:4.2.0:test
[INFO] | | | | | +- org.bouncycastle:bcprov-jdk15on:jar:1.70:test
[INFO] | | | | | \- org.bouncycastle:bcpkix-jdk15on:jar:1.70:test
[INFO] | | | | | \- org.bouncycastle:bcutil-jdk15on:jar:1.70:test
[INFO] | | | | +- org.opensaml:opensaml-security-impl:jar:4.2.0:test
[INFO] | | | | +- org.opensaml:opensaml-soap-api:jar:4.2.0:test
[INFO] | | | | +- org.opensaml:opensaml-xmlsec-api:jar:4.2.0:test
[INFO] | | | | +- org.opensaml:opensaml-xmlsec-impl:jar:4.2.0:test
[INFO] | | | | +- io.dropwizard.metrics:metrics-core:jar:4.2.9:test
[INFO] | | | | \- net.shibboleth.utilities:java-support:jar:8.3.1:test
[INFO] | | | +- org.cryptacular:cryptacular:jar:1.2.5:test
[INFO] | | | | \- org.bouncycastle:bcprov-jdk18on:jar:1.71:test
[INFO] | | | +- com.google.guava:guava:jar:32.1.2-jre:test
[INFO] | | | | \- com.google.guava:failureaccess:jar:1.0.1:test
[INFO] | | | +- org.opensaml:opensaml-xacml-impl:jar:4.2.0:test
[INFO] | | | | \- org.opensaml:opensaml-xacml-api:jar:4.2.0:test
[INFO] | | | +- org.opensaml:opensaml-xacml-saml-impl:jar:4.2.0:test
[INFO] | | | | \- org.opensaml:opensaml-xacml-saml-api:jar:4.2.0:test
> Avoid 3rd party maven repository for OpenSAML
> ---------------------------------------------
>
> Key: CXF-8913
> URL: https://issues.apache.org/jira/browse/CXF-8913
> Project: CXF
> Issue Type: Improvement
> Components: WS-* Components
> Affects Versions: 4.0.2
> Reporter: Claus Ibsen
> Priority: Major
>
> Apache CXF depends on OpenSAML from Apache WSSJ project
> However this commit causes wss4j to download JARs from NOT maven central but
> from
> https://build.shibboleth.net/nexus/content/groups/public
> https://github.com/apache/ws-wss4j/commit/e4a33efcb2b474a1da2b2c08f815b2718e111823
> Is there a way for Apache CXF to only use JARs from maven central. There is a
> trust issue when JARs are NOT downloaded from central.
> At Apache Camel we only download from maven central - except for camel-jira
> which sadly had to download from Atlassian. We are considering deprecating
> and removing this component for that reason.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
