The org.apache.ws.security module contains the Jasypt JAR and exports it. Jasypt is only used internally by org.apache.wss4j.common.crypto.JasyptPasswordEncryptor and not used externally.
Our application has a dependency on org.jboss.ws.cxf.jbossws-cxf-client which has an exported dependency on org.apache.ws.security which exports Jasypt. As a consequence the Jasypt from the org.apache.ws.security module is used instead of the Jasypt from our application.
We would be willing to work on a patch. We see two possible options:
- Introduce a dedicated Jasypt module and make org.apache.ws.security depend on it without exporting it
- Add a resource filter to the org.apache.ws.security module like this