Xmlsec 4.0.0

[dmatej]

• Based on https://github.com/apache/santuario-xml-security-java/pull/192
• GF with these dependencies passed the TCK: https://ci.eclipse.org/jakartaee-tck/job/jakartaee-tck/job/10.0.x/29/testReport/
• Note: When reviewing, disable whitespaces, I had to fix formatting in several files which weren't readable for humans.

Important Changes

• Killed dependency on SLF4J1
  • Now is possible to use System.Logger of SLF4J2
• Killed webservices-extra-xmlsec - no need to repackage xmlsec dependencies any more
• XmlSec4 split XmlSignatureInput to several classes based on the input type.
• Xmlsec4 now depends on JDK11+ (instead of 8) and supports Java Module System.

Validation

• Passed GlassFish build: https://ci.eclipse.org/glassfish/job/glassfish_build-and-test-using-jenkinsfile/job/PR-24225/
• Passed the TCK build: IN PROGRESS, see https://ci.eclipse.org/jakartaee-tck/job/jakartaee-tck/job/10.0.x/ - see GF-PR-24225 for builds (build 29 passed, then yet one or two in the past, latest is 83, built 12. October 2023).

[arjantijms]

@lukasj what do you think?

[lukasj]

• Based on Small boost forward - aggregated changes from one stable stage to another apache/santuario-xml-security-java#101

last time I submitted PR to Santuario, it took years to be merged (was actually redone similar way in a different PR)

• Note: When reviewing, disable whitespaces, I had to fix formatting in several files which weren't readable for humans.

consider fixing all at once with adding a commit ID to .git-blame-ignore-revs

• Killed webservices-extra-xmlsec - no need to repackage xmlsec dependencies any more

remove them also from boms

[arjantijms]

@lukasj can you take a look again? Much has happened since last January.

[dmatej]

Ok, here we go, tests passed! @lukasj What next? GlassFish passed all available tests with XmlSec 4.0.0-M1 and Metro WSIT 4.0.3.-SNAPSHOT including TCK. One option is to release 4.0.3-M1, another 4.1.0-M1, another is that I would ask XmlSec team to release the XmlSec 4.0.0 first. What do you think? Are you ready to release Metro WSIT 4.0.3 then soon?

[lukasj]

let me finalize 4.0.3 (early next week, I hope, as most work in other projects has already been done) and then merge this one

[dmatej]

let me finalize 4.0.3 (early next week, I hope, as most work in other projects has already been done) and then merge this one

And how long can take it to 4.0.4 or 4.1.0 or at least 4.1.0-M1? EDIT: Ok, 4.1.0-M1, then we could rerun all TCK tests for GF. Or I can do that with snapshots too, but it is more work than with dependencies in staging repo/central. I would ask for the final Xmlsec 4.0.0 release.

[coheigea]

Can I proceed with XML Security 4.0.0 or is there any potential issues left?

[dmatej]

Can I proceed with XML Security 4.0.0 or is there any potential issues left?

I don't know about any issues at this moment, I am looking forward for the release! :-)

[lukasj]

Can we try to align our work here somehow and remove some unnecessary(?) steps & releases?

What I'm thinking about - my first step is to release jaxb-ri 4.0.4 (changelog) to fix regressions in 4.0.3 once I get verification of one more PR from the user; at the same time I need to release APIs to fix dependency trees of metro components.

If there is a chance to have final santuario 4.0.0 with dependencies on xml bind api 4.0.1 and impl 4.0.4, then I'd seriously consider including this in metro 4.0.3. @dmatej this would require you to test snapshots (which are all up-to-date and available in the snapshots repo, ie through -Psnapshots), me to run jaxb TCKs on current snapshot and @coheigea to consider updating jaxb dep in santuario..., WDYT?

EDIT: current XML Binding TCK run: https://ci.eclipse.org/jaxb-impl/job/jaxb-jakarta-ri-tck/17/, it should finish in ~8-10h

[dmatej]

I am temporarily using OmniFish's snapshot repository, because I don't have access to Jakarta snapshots. I can deploy at any time, GlassFish PR has access for downloads too. GlassFish is then built by Jenkins and the zip can be used by TCK tests. The GlassFish PR passed all tests two or three times since it's creation, now I am building GF again using metro-wsit from this PR deployed to OmniFish's snapshot repo one hour ago. Then I will rerun the TCK which will take around 8 hours.

EDIT: I can repeat it at any time, but perhaps for now I will wait until you say that you finished with JAXB.

[dmatej]

So finally I have some issue. In previous webservices-osgi 4.0.2 used in GF 7.0.9 I see this in manifest:

Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=11))"

But in 4.0.3-SNAPSHOT I see this and I need some help how I can fulfill the requirement:

Require-Capability: osgi.contract;osgi.contract=JakartaServlet;filter:="
 (&(osgi.contract=JakartaServlet)(version=6.0.0))",[osgi.ee](http://osgi.ee/);filter:="(&(o
 [sgi.ee](http://sgi.ee/)=JavaSE)(version=11))"

EDIT: Locally tests passed after I added the capability to orgi.properties in GlassFish, now I am waiting for Jenkins. Do you know if it is the correct solution or the right way to do that is different?

[lukasj]

this line needs an update

[coheigea]

XML Security has since been updated to 4.0.1 of the bind API, so I'll proceed with a vote on the official release.

[dmatej]

I have rebased this PR and cherrypicked the #442 fix; git will merge it without issues after #442 merges to master.

[lukasj]

so I'm ready... what I wanted to do is already done and master now has jaxws-ri 4.0.2 (with all deps up-to-date, all in staging). @dmatej I can see that santuario already has 4.0.0 tag as well, can you try to give it one more test run before I merge this, please?

[coheigea]

XML Security 4.0.0 is now in maven central FYI

[dmatej]

The TCK is still running, but webservices12 and webservices13 already passed, so I think it is alright to do the merge and release. https://ci.eclipse.org/jakartaee-tck/job/jakartaee-tck/job/10.0.x/

[lukasj]

4.0.3 (and all updated dependencies) should be on the way to central; give it some time... (...and let me know, if something is missing)