[SWS-886] Update to WSS4J 2.0.x / XMLSec 2.0.x Created: 28/Dec/14  Updated: 07/Apr/16  Resolved: 02/Feb/16

Status: Closed
Project: Spring Web Services
Component/s: None
Affects Version/s: 2.2.0.RELEASE
Fix Version/s: 2.3.0

Type: Task Priority: Minor
Reporter: Manuel Dominguez Sarmiento Assignee: Greg Turnquist
Resolution: Complete Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relate
is related to SWS-849 Patch for Wss4jSecurityInterceptor 2.... Closed
Pull Request URL: https://github.com/spring-projects/spring-ws/pull/54

 Description   

Both support libraries have been recently upgraded, and seem to be mostly compatible with the current Spring WS implementation of Wss4jSecurityInterceptor, however SAML handling has changed.

See the migration guide at:
https://ws.apache.org/wss4j/migration.html



 Comments   
Comment by jaminh [ 30/Sep/15 ]

I was able to get the project building with WSS4J upgraded to version 2.0.5. There was a fair amount that changed so I will probably have to write up something about what I did but I thought I would put this out there in case anyone wants to look it over or try using it. https://github.com/jaminh/spring-ws/tree/feature/SWS-886

Comment by Greg Turnquist [ 30/Sep/15 ]

Thanks for working on this Manuel. The trick is, Spring WS is heavily invested in backwards compatibility. I'm not sure we're ready to either cut off Wss4j 1.x users, or invest the effort to support both seamlessly. Have to think about how to best approach this.

Comment by Eduardo Issao Ito [ 11/Nov/15 ]

Is there any plan to upgrade to wss4j 2.0?

Comment by Greg Turnquist [ 16/Nov/15 ]

The only way to entertain doing this is by providing a new package, like spring-ws-security - org.springframework.ws.soap.security.wss4j2. We cannot simply rip out the old version and plugin a new one.

If you want to take your tentative solution and rework it that so that both version of wss4j are optional, with wss4j package left as is, and your new version in wss4j2, I could look at that as a possibility.

Comment by jaminh [ 08/Jan/16 ]

I made a version including both 1.6.x and 2.0.x versions of WSS4J that can be viewed here https://github.com/jaminh/spring-ws/tree/feature/SWS-886-rebase

That being said when Spring-WS updated from Wss4j 1.5.x to 1.6.x there were breaking changes but it was allowed to be done in a minor version release (2.1.0 https://jira.spring.io/browse/SWS-711). Wss4j is already on a 2.1.x version and the last planned 1.x version was released in October 2015, so despite your desire not to cut off Wss4j 1.x users Wss4j already has.

Comment by Greg Turnquist [ 19/Jan/16 ]

Thanks @jaminh! Arjen and I have carved out some time to work on a Spring WS 2.3 release that will include moving things up to wss4j 2.0. I appreciate the work you've done on coding this. Stay tuned.

Comment by Arjen Poutsma [ 29/Jan/16 ]

I looked at your branch, jaminh, and it looks good! Thank you for putting this much work into it. I do have some comments, however. Most of them are minor, and they can definitely be dealt with in terms of a PR.

So there are two ways we can go forward: you can make your branch a PR and I can comment on the things that I think needs work: essentially we would be working together on this. Or I can simply take over from here, by creating my own branch based on your work and make the changes myself (while still giving you credit, of course). So it really depends on how much time you would like to spend on this.

Comment by jaminh [ 29/Jan/16 ]

I created a pull request https://github.com/spring-projects/spring-ws/pull/52. I may have time to work on it this weekend but if I don't get to it then feel free to make any changes you need if it is holding up the release.

Comment by jaminh [ 07/Apr/16 ]

I did some more testing on with these changes and there are a couple things I think should be changed. First of all in order to secure messages with SAML a method for configuring a SAML callback needs to be added. Also I was getting errors when I didn't set the validationActions because the validationActionsVector didn't get initialized. To fix that I moved the initialization of the validationActionsVector to the afterPropertiesSet method. I submitted a pull request with these changes. https://github.com/spring-projects/spring-ws/pull/66

Generated at Fri Dec 15 04:13:50 UTC 2017 using JIRA 6.4.14#64029-sha1:ae256fe0fbb912241490ff1cecfb323ea0905ca5.