Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Resolved
Description
Shiro currently uses version 1.2.2 of the OWASP encoder.
The MANIFEST.MF of this version of the encoder lacks OSGi headers, which requires karaf to wrap it when loading the runtime dependencies of shiro:
175 │ Active │ 80 │ 0 │ wrap_file__home_sb_.m2_repository_org_owasp_encoder_encoder_1.2.2_encoder-1.2.2.jar
It would be nice not to have to rely on wrap in karaf, and it does look like version 1.2.3 of the OWASP Encoder has OSGi headers.
Here is the MANIFEST.MF of version 1.2.3 of the OWASP encoder:
Manifest-Version: 1.0
Bundle-Description: The OWASP Encoders package is a collection of high
 -performance low-overhead contextual encoders, that when utili
 zed correctly, is an effective tool in preventing Web Applicat
 ion security vulnerabilities such as Cross-Site Scripting.
Bundle-License: http://www.opensource.org/licenses/BSD-3-Clause
Bundle-SymbolicName: org.owasp.encoder
Built-By: jeremy
Bnd-LastModified: 1604861240860
Bundle-ManifestVersion: 2
Bundle-DocURL: https://www.owasp.org/
Bundle-Vendor: OWASP (Open Web-Application Security Project)
Tool: Bnd-3.3.0.201609221906
Originally-Created-By: Apache Maven Bundle Plugin
Export-Package: org.owasp.encoder;version="1.2.3"
Bundle-Name: Java Encoder
Bundle-Version: 1.2.3
Created-By: Apache Maven Bundle Plugin
Build-Jdk: 1.8.0_212
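The check described above can be automated when auditing dependencies. This is an added example, not part of the original issue or of Shiro, Karaf or OWASP Encoder code: it unfolds the manifest's continuation lines and reports whether the OSGi headers are present. The function names are hypothetical, `PLAIN_MF` is a constructed manifest (the page does not show the 1.2.2 one), and treating `Bundle-ManifestVersion: 2` plus `Bundle-SymbolicName` as the test for "no wrap needed" is this example's assumption.

```python
# Subset of the 1.2.3 manifest quoted in the issue, with its folded lines.
BUNDLE_MF = """\
Manifest-Version: 1.0
Bundle-Description: The OWASP Encoders package is a collection of high
 -performance low-overhead contextual encoders, that when utili
 zed correctly, is an effective tool in preventing Web Applicat
 ion security vulnerabilities such as Cross-Site Scripting.
Bundle-SymbolicName: org.owasp.encoder
Bundle-ManifestVersion: 2
Export-Package: org.owasp.encoder;version="1.2.3"
Bundle-Version: 1.2.3
"""

# Constructed sample: a plain jar manifest with no OSGi headers.
PLAIN_MF = "Manifest-Version: 1.0\nCreated-By: Apache Maven\nBuild-Jdk: 1.8.0_212\n"

def parse_manifest(text):
    """Return the main-section headers as a dict with lowercased names."""
    headers, name = {}, None
    for line in text.splitlines():
        if not line:
            if headers:
                break          # a blank line ends the main section
            continue
        if line.startswith(" "):
            # Continuation: a leading space means "append to previous value".
            if name is None:
                raise ValueError("continuation line before any header")
            headers[name] += line[1:]
            continue
        raw_name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed manifest line: %r" % line)
        name = raw_name.lower()  # header names are case-insensitive
        headers[name] = value
    return headers

def osgi_identity(headers):
    """Return (symbolic_name, version) for an OSGi bundle, else None."""
    # Directives such as ';singleton:=true' may follow the symbolic name.
    name = headers.get("bundle-symbolicname", "").split(";")[0].strip()
    if not name or headers.get("bundle-manifestversion", "").strip() != "2":
        return None
    return name, headers.get("bundle-version", "0.0.0").strip()

if __name__ == "__main__":
    for label, mf in (("1.2.3 (from issue)", BUNDLE_MF), ("plain (constructed)", PLAIN_MF)):
        ident = osgi_identity(parse_manifest(mf))
        print(label, "->", ident if ident else "no OSGi headers, needs wrap")
```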