Upgrading from spring-ws 3 to 4: XwsSecurityInterceptor missing - Replacement?

[mdoerschmidt]

A view classes of our server codes uses classes from the org.springframework.ws.soap.security.xwss package. Mainly code extends the XwsSecurityInterceptor class.

After upgrading from spring-ws 3.0 to 4.0 this package is missing completely.

Has this package been moved to some other (sub-)project or has this package removed completely?

Thanks in advance for help

[gregturn]

The details are found here: https://spring.io/blog/2022/12/02/spring-ws-samples-upgraded-for-spring-boot-3-0

TL;DR XWS Security hasn't seen update since 2008. With our need to upgrade to Jakarta EE 9+, and with SOAP standards being one of the biggest things hit by the Jakarta transition, there is simply no version of XWS Security that works with this setup. Hence, we had to drop it.

The nearest tool that can meet your needs is Apache WSS4j. I realize this is very hard hitting for you considering you didn't just use our XWS Security integration but instead had extensions. I can personal testify that WSS4j isn't exactly a 1-to-1 migration path and won't be easy.

Frankly I wish this were not the case. SOAP itself is a rather solid, well-established and FIXED specification. But all the interfaces that enclose SOAP-based stuff is what's changing, and this is a severe consequence.