Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
2.2.7, 2.3.3, 2.4.1
-
None
-
None
Description
When using WSS4J alongside other dependencies which also rely on OpenSAML, the OpenSAMLUtil.initSamlEngine() can override the existing configuration of OpenSAML, potentially causing issues with how the parser pool is configured.
In my use case:
- OpenSAML is initialized first with the org.opensaml.core.config.InitializationService introduced in OpenSAML 3
- XMLSec is used for decryption, so org.opensaml.xmlsec.config.DecryptionParserPoolInitializer adds a decryption-specific feature to the parser pool at this time.
- Later, an interceptor in cxf-rt-ws-security called into OpenSAMLUtil.initSamlEngine(), overriding the OpenSAML configuration and parser pool.
In WSS4J 2.2.6, due to WSS-678, this caused the DecryptionParserPool to be completely removed, but after upgrading to 2.3.1+ or 2.4.0+, this causes it to be replaced with the manually configured pool from OpenSAMLUtil without the needed feature.
I have been able to work around this by explicitly calling OpenSAML’s InitializationService after WSS4J’s OpenSAMLUtil.
Relevant dependencies and versions in my project include:
- Java 8
- OpenSAML 3.4.6 (including org.opensaml:opensaml-xmlsec-api)
- org.apache.cxf:cxf-rt-ws-security:3.3.11
- org.apache.santuario:xmlsec:2.1.7
- net.shibboleth.utilities:java-support:7.5.2