The org.apache.ws.security module contains the Jasypt JAR and exports it. Jasypt is only used internally by org.apache.wss4j.common.crypto.JasyptPasswordEncryptor and not used externally.

Our application has a dependency on org.jboss.ws.cxf.jbossws-cxf-client which has an exported dependency on org.apache.ws.security which exports Jasypt. As a consequence the Jasypt from the org.apache.ws.security module is used instead of the Jasypt from our application.

We would be willing to work on a patch. We see two possible options:

1. Introduce a dedicated Jasypt module and make org.apache.ws.security depend on it without exporting it
2. Add a resource filter to the org.apache.ws.security module like this

       <exports>
   	    <exclude path="org/jasypt/**"/>
       </exports>