One or more WSSE trust tests in testsuite/integration/ws fail when the SecurityManager is enabled. This is because OpenSaml's current version of SystemPropertyConfigurationPropertiesSource calls System.getProperties whereas before it only called System.getProperty for a single property. So any deployment use that ends up calling into that will fail unless a permission is added to read all props.

As part of resolving this, the second commit in https://github.com/wildfly/wildfly/pull/15790 should be reverted.

We can work around this by adding an impl of ConfigurationPropertiesSource and making it visible via ServiceLoader to the org.opensaml module. If any impls are available via ServiceLoader, ConfigurationService won't fall back to SystemPropertyConfigurationPropertiesSource.

That impl would:

1) Try delegating to SystemPropertyConfigurationPropertiesSource in a try/catch block, return the result in try as that means the deployment has the needed perms. Catch and ignore any SecurityException, and then
2) Try to load sys prop ConfigurationService.PROPERTY_PARTITION_NAME in a privileged block.
a) if there is no such prop, return an empty map.
b) if there is, try loading the prop outside any privileged block. Allow any SecurityException to propagate. If that succeeds, return a map with ConfigurationService.PROPERTY_PARTITION_NAME as the sole entry.

The effect of step 2 is we use container privileges to check for the existence of the prop, but not to actually read its value.

We do step 1) as a form robustness against change in opensaml. Currently it only uses all this to get a value for ConfigurationService.PROPERTY_PARTITION_NAME, but if that changes, step 1 will provide allow a workaround of our impl's logic by users adding a deployment permission to read all props (same as they'd have to do now if we don't resolve this issue.)

There's a discussion of this in zulip: https://wildfly.zulipchat.com/#narrow/stream/174184-wildfly-developers/topic/WFLY-16612.20ts.2Finteg.2Fws.20migration/near/289786718