[7.x] Update opensaml dependency (#44972) (#49512)

Add a mirror of the maven repository of the shibboleth project and upgrade opensaml and related dependencies to the latest version available version Resolves: #44947
2025-03-25 01:19:02 +00:00 · 2019-11-29 00:17:16 +02:00 · 2019-11-29 00:17:16 +02:00 · ba0c848027
commit ba0c848027
parent 1425e30b1e
40 changed files with 157 additions and 146 deletions
--- a/buildSrc/version.properties
+++ b/buildSrc/version.properties
@ -29,7 +29,6 @@ joda              = 2.10.4
 #  - distribution/tools/plugin-cli
 #  - x-pack/plugin/security
 bouncycastle      = 1.61
-
 # test dependencies
 randomizedrunner  = 2.7.1
 junit             = 4.12
--- a/x-pack/build.gradle
+++ b/x-pack/build.gradle
@ -4,6 +4,22 @@ import org.elasticsearch.gradle.precommit.LicenseHeadersTask
 Project xpackRootProject = project

 subprojects {
+
+  // We define a specific repository for opensaml since the shibboleth project doesn't publish to maven central and the
+  // artifacts that are located there are not curated/updated by the project
+  // see: https://wiki.shibboleth.net/confluence/display/DEV/Use+of+Maven+Central
+  repositories {
+    maven {
+      name "opensaml"
+      url "https://artifactory.elstc.co/artifactory/shibboleth-releases/"
+      content {
+        includeGroup "org.opensaml"
+        includeGroup "net.shibboleth.utilities"
+        includeGroup "net.shibboleth"
+      }
+    }
+  }
+
  group = 'org.elasticsearch.plugin'
  ext.xpackRootProject = xpackRootProject
  ext.xpackProject = { String projectName -> xpackRootProject.project(projectName) }
--- a/x-pack/plugin/security/build.gradle
+++ b/x-pack/plugin/security/build.gradle
@ -29,25 +29,25 @@ dependencies {
  compileOnly 'org.bouncycastle:bcpkix-jdk15on:1.59'

  // the following are all SAML dependencies - might as well download the whole internet
-  compile "org.opensaml:opensaml-core:3.3.0"
-  compile "org.opensaml:opensaml-saml-api:3.3.0"
-  compile "org.opensaml:opensaml-saml-impl:3.3.0"
-  compile "org.opensaml:opensaml-messaging-api:3.3.0"
-  compile "org.opensaml:opensaml-messaging-impl:3.3.0"
-  compile "org.opensaml:opensaml-security-api:3.3.0"
-  compile "org.opensaml:opensaml-security-impl:3.3.0"
-  compile "org.opensaml:opensaml-profile-api:3.3.0"
-  compile "org.opensaml:opensaml-profile-impl:3.3.0"
-  compile "org.opensaml:opensaml-xmlsec-api:3.3.0"
-  compile "org.opensaml:opensaml-xmlsec-impl:3.3.0"
-  compile "org.opensaml:opensaml-soap-api:3.3.0"
-  compile "org.opensaml:opensaml-soap-impl:3.3.0"
-  compile "org.opensaml:opensaml-storage-api:3.3.0"
-  compile "org.opensaml:opensaml-storage-impl:3.3.0"
-  compile "net.shibboleth.utilities:java-support:7.3.0"
-  compile "org.apache.santuario:xmlsec:2.0.8"
+  compile "org.opensaml:opensaml-core:3.4.5"
+  compile "org.opensaml:opensaml-saml-api:3.4.5"
+  compile "org.opensaml:opensaml-saml-impl:3.4.5"
+  compile "org.opensaml:opensaml-messaging-api:3.4.5"
+  compile "org.opensaml:opensaml-messaging-impl:3.4.5"
+  compile "org.opensaml:opensaml-security-api:3.4.5"
+  compile "org.opensaml:opensaml-security-impl:3.4.5"
+  compile "org.opensaml:opensaml-profile-api:3.4.5"
+  compile "org.opensaml:opensaml-profile-impl:3.4.5"
+  compile "org.opensaml:opensaml-xmlsec-api:3.4.5"
+  compile "org.opensaml:opensaml-xmlsec-impl:3.4.5"
+  compile "org.opensaml:opensaml-soap-api:3.4.5"
+  compile "org.opensaml:opensaml-soap-impl:3.4.5"
+  compile "org.opensaml:opensaml-storage-api:3.4.5"
+  compile "org.opensaml:opensaml-storage-impl:3.4.5"
+  compile "net.shibboleth.utilities:java-support:7.5.1"
+  compile "org.apache.santuario:xmlsec:2.1.4"
  compile "io.dropwizard.metrics:metrics-core:3.2.2"
-  compile "org.cryptacular:cryptacular:1.2.0"
+  compile "org.cryptacular:cryptacular:1.2.3"
  compile "org.slf4j:slf4j-api:${versions.slf4j}"
  compile "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
  compile "org.apache.httpcomponents:httpclient:${versions.httpclient}"
@ -178,107 +178,106 @@ forbiddenApisMain {

 // classes are missing, e.g. com.ibm.icu.lang.UCharacter
 thirdPartyAudit {
-  ignoreMissingClasses(
-    // SAML dependencies
-    // [missing classes] Some cli utilities that we don't use depend on these missing JCommander classes
-    'com.beust.jcommander.JCommander',
-    'com.beust.jcommander.converters.BaseConverter',
-    // [missing classes] Shibboleth + OpenSAML have servlet support that we don't use
-    'javax.servlet.AsyncContext',
-    'javax.servlet.DispatcherType',
-    'javax.servlet.Filter',
-    'javax.servlet.FilterChain',
-    'javax.servlet.FilterConfig',
-    'javax.servlet.RequestDispatcher',
-    'javax.servlet.ServletContext',
-    'javax.servlet.ServletException',
-    'javax.servlet.ServletInputStream',
-    'javax.servlet.ServletOutputStream',
-    'javax.servlet.ServletRequest',
-    'javax.servlet.ServletResponse',
-    'javax.servlet.http.Cookie',
-    'javax.servlet.http.HttpServletRequest',
-    'javax.servlet.http.HttpServletResponse',
-    'javax.servlet.http.HttpServletResponseWrapper',
-    'javax.servlet.http.HttpSession',
-    'javax.servlet.http.Part',
-    // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use
-    'org.apache.velocity.VelocityContext',
-    'org.apache.velocity.app.VelocityEngine',
-    'org.apache.velocity.context.Context',
-    'org.apache.velocity.exception.VelocityException',
-    'org.apache.velocity.runtime.RuntimeServices',
-    'org.apache.velocity.runtime.log.LogChute',
-    'org.apache.velocity.runtime.resource.loader.StringResourceLoader',
-    'org.apache.velocity.runtime.resource.util.StringResourceRepository',
-    // [missing classes] OpenSAML depends on Apache XML security which depends on Xalan, but only for functionality that OpenSAML doesn't use
-    'org.apache.xml.dtm.DTM',
-    'org.apache.xml.utils.PrefixResolver',
-    'org.apache.xml.utils.PrefixResolverDefault',
-    'org.apache.xpath.Expression',
-    'org.apache.xpath.NodeSetDTM',
-    'org.apache.xpath.XPath',
-    'org.apache.xpath.XPathContext',
-    'org.apache.xpath.compiler.FunctionTable',
-    'org.apache.xpath.functions.Function',
-    'org.apache.xpath.objects.XNodeSet',
-    'org.apache.xpath.objects.XObject',
-    // [missing classes] OpenSAML storage has an optional LDAP storage impl
-    'org.ldaptive.AttributeModification',
-    'org.ldaptive.AttributeModificationType',
-    'org.ldaptive.Connection',
-    'org.ldaptive.DeleteOperation',
-    'org.ldaptive.DeleteRequest',
-    'org.ldaptive.LdapAttribute',
-    'org.ldaptive.LdapEntry',
-    'org.ldaptive.LdapException',
-    'org.ldaptive.ModifyOperation',
-    'org.ldaptive.ModifyRequest',
-    'org.ldaptive.Response',
-    'org.ldaptive.ResultCode',
-    'org.ldaptive.SearchOperation',
-    'org.ldaptive.SearchRequest',
-    'org.ldaptive.SearchResult',
-    'org.ldaptive.ext.MergeOperation',
-    'org.ldaptive.ext.MergeRequest',
-    'org.ldaptive.pool.ConnectionPool',
-    'org.ldaptive.pool.PooledConnectionFactory',
-    // [missing classes] OpenSAML storage has an optional JSON-backed storage impl
-    'javax.json.Json',
-    'javax.json.JsonException',
-    'javax.json.JsonNumber',
-    'javax.json.JsonObject',
-    'javax.json.JsonReader',
-    'javax.json.JsonValue$ValueType',
-    'javax.json.JsonValue',
-    'javax.json.stream.JsonGenerator',
-    // [missing classes] OpenSAML storage has an optional JPA storage impl
-    'javax.persistence.EntityManager',
-    'javax.persistence.EntityManagerFactory',
-    'javax.persistence.EntityTransaction',
-    'javax.persistence.LockModeType',
-    'javax.persistence.Query',
-    // [missing classes] OpenSAML storage and HttpClient cache have optional memcache support
-    'net.spy.memcached.CASResponse',
-    'net.spy.memcached.CASValue',
-    'net.spy.memcached.MemcachedClient',
-    'net.spy.memcached.MemcachedClientIF',
-    'net.spy.memcached.CachedData',
-    'net.spy.memcached.internal.OperationFuture',
-    'net.spy.memcached.transcoders.Transcoder',
-    // [missing classes] Http Client cache has optional ehcache support
-    'net.sf.ehcache.Ehcache',
-    'net.sf.ehcache.Element',
-    // [missing classes] SLF4j includes an optional class that depends on an extension class (!)
-    'org.slf4j.ext.EventData',
-    // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
-    'org.cryptomator.siv.SivMode',
-    // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
-    'com.google.crypto.tink.subtle.Ed25519Sign',
-    'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
-    'com.google.crypto.tink.subtle.Ed25519Verify',
-    'com.google.crypto.tink.subtle.X25519'
-
+  ignoreMissingClasses (
+      // SAML dependencies
+      // [missing classes] Some cli utilities that we don't use depend on these missing JCommander classes
+      'com.beust.jcommander.JCommander',
+      'com.beust.jcommander.converters.BaseConverter',
+      // [missing classes] Shibboleth + OpenSAML have servlet support that we don't use
+      'javax.servlet.AsyncContext',
+      'javax.servlet.DispatcherType',
+      'javax.servlet.Filter',
+      'javax.servlet.FilterChain',
+      'javax.servlet.FilterConfig',
+      'javax.servlet.RequestDispatcher',
+      'javax.servlet.ServletContext',
+      'javax.servlet.ServletException',
+      'javax.servlet.ServletInputStream',
+      'javax.servlet.ServletOutputStream',
+      'javax.servlet.ServletRequest',
+      'javax.servlet.ServletResponse',
+      'javax.servlet.http.Cookie',
+      'javax.servlet.http.HttpServletRequest',
+      'javax.servlet.http.HttpServletResponse',
+      'javax.servlet.http.HttpServletResponseWrapper',
+      'javax.servlet.http.HttpSession',
+      'javax.servlet.http.Part',
+      // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use
+      'org.apache.velocity.VelocityContext',
+      'org.apache.velocity.app.VelocityEngine',
+      'org.apache.velocity.context.Context',
+      'org.apache.velocity.exception.VelocityException',
+      'org.apache.velocity.runtime.RuntimeServices',
+      'org.apache.velocity.runtime.log.LogChute',
+      'org.apache.velocity.runtime.resource.loader.StringResourceLoader',
+      'org.apache.velocity.runtime.resource.util.StringResourceRepository',
+      // [missing classes] OpenSAML depends on Apache XML security which depends on Xalan, but only for functionality that OpenSAML doesn't use
+      'org.apache.xml.dtm.DTM',
+      'org.apache.xml.utils.PrefixResolver',
+      'org.apache.xml.utils.PrefixResolverDefault',
+      'org.apache.xpath.Expression',
+      'org.apache.xpath.NodeSetDTM',
+      'org.apache.xpath.XPath',
+      'org.apache.xpath.XPathContext',
+      'org.apache.xpath.compiler.FunctionTable',
+      'org.apache.xpath.functions.Function',
+      'org.apache.xpath.objects.XNodeSet',
+      'org.apache.xpath.objects.XObject',
+      // [missing classes] OpenSAML storage has an optional LDAP storage impl
+      'org.ldaptive.AttributeModification',
+      'org.ldaptive.AttributeModificationType',
+      'org.ldaptive.Connection',
+      'org.ldaptive.DeleteOperation',
+      'org.ldaptive.DeleteRequest',
+      'org.ldaptive.LdapAttribute',
+      'org.ldaptive.LdapEntry',
+      'org.ldaptive.LdapException',
+      'org.ldaptive.ModifyOperation',
+      'org.ldaptive.ModifyRequest',
+      'org.ldaptive.Response',
+      'org.ldaptive.ResultCode',
+      'org.ldaptive.SearchOperation',
+      'org.ldaptive.SearchRequest',
+      'org.ldaptive.SearchResult',
+      'org.ldaptive.ext.MergeOperation',
+      'org.ldaptive.ext.MergeRequest',
+      'org.ldaptive.pool.ConnectionPool',
+      'org.ldaptive.pool.PooledConnectionFactory',
+      // [missing classes] OpenSAML storage has an optional JSON-backed storage impl
+      'javax.json.Json',
+      'javax.json.JsonException',
+      'javax.json.JsonNumber',
+      'javax.json.JsonObject',
+      'javax.json.JsonReader',
+      'javax.json.JsonValue$ValueType',
+      'javax.json.JsonValue',
+      'javax.json.stream.JsonGenerator',
+      // [missing classes] OpenSAML storage has an optional JPA storage impl
+      'javax.persistence.EntityManager',
+      'javax.persistence.EntityManagerFactory',
+      'javax.persistence.EntityTransaction',
+      'javax.persistence.LockModeType',
+      'javax.persistence.Query',
+      // [missing classes] OpenSAML storage and HttpClient cache have optional memcache support
+      'net.spy.memcached.CASResponse',
+      'net.spy.memcached.CASValue',
+      'net.spy.memcached.MemcachedClient',
+      'net.spy.memcached.MemcachedClientIF',
+      'net.spy.memcached.CachedData',
+      'net.spy.memcached.internal.OperationFuture',
+      'net.spy.memcached.transcoders.Transcoder',
+      // [missing classes] Http Client cache has optional ehcache support
+      'net.sf.ehcache.Ehcache',
+      'net.sf.ehcache.Element',
+      // [missing classes] SLF4j includes an optional class that depends on an extension class (!)
+      'org.slf4j.ext.EventData',
+      // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
+      'org.cryptomator.siv.SivMode',
+      // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
+      'com.google.crypto.tink.subtle.Ed25519Sign',
+      'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
+      'com.google.crypto.tink.subtle.Ed25519Verify',
+      'com.google.crypto.tink.subtle.X25519'
  )

  ignoreViolations(
--- a/x-pack/plugin/security/licenses/cryptacular-1.2.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/cryptacular-1.2.0.jar.sha1
@ -1 +0,0 @@
-94f6cb97d7f7487a183f283ae80c6e61c86156e3
--- a/x-pack/plugin/security/licenses/cryptacular-1.2.3.jar.sha1
+++ b/x-pack/plugin/security/licenses/cryptacular-1.2.3.jar.sha1
@ -0,0 +1 @@
+7b0398d04a68ff7f58657938b3bdc5f2799b4b49
--- a/x-pack/plugin/security/licenses/java-support-7.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/java-support-7.3.0.jar.sha1
@ -1 +0,0 @@
-288ecc17f2025ad14f768163d42808987d5ffcd6
--- a/x-pack/plugin/security/licenses/java-support-7.5.1.jar.sha1
+++ b/x-pack/plugin/security/licenses/java-support-7.5.1.jar.sha1
@ -0,0 +1 @@
+c3fecaa141e8f0fff8a14e6800aefa8155c9b3e8
--- a/x-pack/plugin/security/licenses/opensaml-core-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-core-3.3.0.jar.sha1
@ -1 +0,0 @@
-6fac68342891abec3c22d53e14c706ba3e58918b
--- a/x-pack/plugin/security/licenses/opensaml-core-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-core-3.4.5.jar.sha1
@ -0,0 +1 @@
+0958fae127de9e8b0296e6f089c7451b6d5f0846
--- a/x-pack/plugin/security/licenses/opensaml-messaging-api-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-messaging-api-3.3.0.jar.sha1
@ -1 +0,0 @@
-5da0ff5d28546b3af8cc1487b4717fdeb675b8c4
--- a/x-pack/plugin/security/licenses/opensaml-messaging-api-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-messaging-api-3.4.5.jar.sha1
@ -0,0 +1 @@
+e3ec93dfbf90c451e9f7fb34a3e33a6ac60edd31
--- a/x-pack/plugin/security/licenses/opensaml-messaging-impl-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-messaging-impl-3.3.0.jar.sha1
@ -1 +0,0 @@
-38b21389971105f32099d04c6f63b4af505364ca
--- a/x-pack/plugin/security/licenses/opensaml-messaging-impl-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-messaging-impl-3.4.5.jar.sha1
@ -0,0 +1 @@
+beaca9bd69ad861dbb55f1694853a02cb6988ae7
--- a/x-pack/plugin/security/licenses/opensaml-profile-api-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-profile-api-3.3.0.jar.sha1
@ -1 +0,0 @@
-e4c72301b98cf4967c49c450de7da2dbc1f6b8d0
--- a/x-pack/plugin/security/licenses/opensaml-profile-api-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-profile-api-3.4.5.jar.sha1
@ -0,0 +1 @@
+bb0a1f97d38342a5715bad628ee24000b08e821e
--- a/x-pack/plugin/security/licenses/opensaml-profile-impl-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-profile-impl-3.3.0.jar.sha1
@ -1 +0,0 @@
-25c28fb4ab027fcaacaa268902cffc4451ac840c
--- a/x-pack/plugin/security/licenses/opensaml-profile-impl-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-profile-impl-3.4.5.jar.sha1
@ -0,0 +1 @@
+6cb4595c7a988d964f6a2d55dcac754b0c68904e
--- a/x-pack/plugin/security/licenses/opensaml-saml-api-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-saml-api-3.3.0.jar.sha1
@ -1 +0,0 @@
-c9611395e073206e59816b0b5ce5166450e8101e
--- a/x-pack/plugin/security/licenses/opensaml-saml-api-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-saml-api-3.4.5.jar.sha1
@ -0,0 +1 @@
+bef43d21b2d878baceae291af4a0ad3449c7d7ec
--- a/x-pack/plugin/security/licenses/opensaml-saml-impl-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-saml-impl-3.3.0.jar.sha1
@ -1 +0,0 @@
-391ac88f96a9f8f522d693c168d4c65fad20535d
--- a/x-pack/plugin/security/licenses/opensaml-saml-impl-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-saml-impl-3.4.5.jar.sha1
@ -0,0 +1 @@
+ecf4a9552575d38cffd4dc56d95e7564b7dccfc1
--- a/x-pack/plugin/security/licenses/opensaml-security-api-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-security-api-3.3.0.jar.sha1
@ -1 +0,0 @@
-89477899f0836040e9a584b451895a61d923bf96
--- a/x-pack/plugin/security/licenses/opensaml-security-api-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-security-api-3.4.5.jar.sha1
@ -0,0 +1 @@
+15cbb232ae6665edc5df5f260e551e69fdb362e5
--- a/x-pack/plugin/security/licenses/opensaml-security-impl-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-security-impl-3.3.0.jar.sha1
@ -1 +0,0 @@
-48cf37a5080ee406aef21a49045f5e1d15ea46e6
--- a/x-pack/plugin/security/licenses/opensaml-security-impl-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-security-impl-3.4.5.jar.sha1
@ -0,0 +1 @@
+b2bc1aa5b0f400aa50499f3783b10e9f7c216a47
--- a/x-pack/plugin/security/licenses/opensaml-soap-api-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-soap-api-3.3.0.jar.sha1
@ -1 +0,0 @@
-4e900056cd80c1f0bd72497c26a48664089e04a8
--- a/x-pack/plugin/security/licenses/opensaml-soap-api-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-soap-api-3.4.5.jar.sha1
@ -0,0 +1 @@
+c497df002980c6e482ce7b828924bb24f60f99f7
--- a/x-pack/plugin/security/licenses/opensaml-soap-impl-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-soap-impl-3.3.0.jar.sha1
@ -1 +0,0 @@
-ea912fe660d11ad443775974e3208f0563edcebd
--- a/x-pack/plugin/security/licenses/opensaml-soap-impl-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-soap-impl-3.4.5.jar.sha1
@ -0,0 +1 @@
+30ed8d37259e840df5b3fd8daf7b654129a9190c
--- a/x-pack/plugin/security/licenses/opensaml-storage-api-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-storage-api-3.3.0.jar.sha1
@ -1 +0,0 @@
-7492688b067dca0568554ec4c7abf9f0b5e1f682
--- a/x-pack/plugin/security/licenses/opensaml-storage-api-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-storage-api-3.4.5.jar.sha1
@ -0,0 +1 @@
+a984671fd04e50da03f68003d2b062578e63ec86
--- a/x-pack/plugin/security/licenses/opensaml-storage-impl-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-storage-impl-3.3.0.jar.sha1
@ -1 +0,0 @@
-1244ecd4e8eccf74eb178906b0e9cac8a62bcbf7
--- a/x-pack/plugin/security/licenses/opensaml-storage-impl-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-storage-impl-3.4.5.jar.sha1
@ -0,0 +1 @@
+a4b828fe1a9d64953ecdd8a9e00ff31b63ad6ef0
--- a/x-pack/plugin/security/licenses/opensaml-xmlsec-api-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-xmlsec-api-3.3.0.jar.sha1
@ -1 +0,0 @@
-e824f1e3ec14080412a4ab4b0807a13933d9be80
--- a/x-pack/plugin/security/licenses/opensaml-xmlsec-api-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-xmlsec-api-3.4.5.jar.sha1
@ -0,0 +1 @@
+a1b10f97deca1e3405f95db5b39697c0d46f5e0d
--- a/x-pack/plugin/security/licenses/opensaml-xmlsec-impl-3.3.0.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-xmlsec-impl-3.3.0.jar.sha1
@ -1 +0,0 @@
-569ae8fc7c84817c5324e9f9b7958adf700a94c1
--- a/x-pack/plugin/security/licenses/opensaml-xmlsec-impl-3.4.5.jar.sha1
+++ b/x-pack/plugin/security/licenses/opensaml-xmlsec-impl-3.4.5.jar.sha1
@ -0,0 +1 @@
+d46cb9854a1ff85bea34ece7077bc32dbc2f10da
--- a/x-pack/plugin/security/licenses/xmlsec-2.0.8.jar.sha1
+++ b/x-pack/plugin/security/licenses/xmlsec-2.0.8.jar.sha1
@ -1 +0,0 @@
-f5995bd4cd75816568c3b26d2552d957316ba8dc
--- a/x-pack/plugin/security/licenses/xmlsec-2.1.4.jar.sha1
+++ b/x-pack/plugin/security/licenses/xmlsec-2.1.4.jar.sha1
@ -0,0 +1 @@
+cb43326f02e3e77526c24269c8b5d3cc3f7f6653
--- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
@ -7,6 +7,11 @@ grant {
  // needed because of SAML (cf. o.e.x.s.s.RestorableContextClassLoader)
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
+  // needed during initialization of OpenSAML library where xml security algorithms are registered
+  // see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220
+  // and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52
+  // which uses it in the opensaml-xmlsec-impl
+  permission java.security.SecurityPermission "org.apache.xml.security.register";

  // needed for multiple server implementations used in tests
  permission java.net.SocketPermission "*", "accept,connect";
@ -31,14 +36,6 @@ grant {
  permission java.lang.RuntimePermission "getFileStoreAttributes";
 };

-grant codeBase "${codebase.xmlsec-2.0.8.jar}" {
-  // needed during initialization of OpenSAML library where xml security algorithms are registered
-  // see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220
-  // and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52
-  // which uses it in the opensaml-xmlsec-impl
-  permission java.security.SecurityPermission "org.apache.xml.security.register";
-};
-
 grant codeBase "${codebase.netty-common}" {
   // for reading the system-wide configuration for the backlog of established sockets
   permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";