Thank you for your response, Tomaz!

A third party library we're using requires BouncyCastle, so we have declared a dependency on in in our jboss-deployment-structure.xml.

I reviewed the commits you suggested. In Final, BouncyCastle appears as number 2 in the list of registered security providers (Security.getProviders()), whereas it is not registered at all in CR1. I get this result regardless of whether or not BouncyCastle is a dependency in jboss-deployment-structure.xml, or whether i start WildFly with the default or full profile.

I was expecting a commit looking more like Security.insertProviderAt(new BouncyCastleProvider, 2).

Is it possible that the change was introduced by another commit?

Thank you for your response, Alessio!

I understand that you are puzzled as to why this is a problem to us We're using a third party library that invokes Cipher.getProvider("RSA/....").getBlockSize() to determine if the cipher is a block cipher. The SunJCE implementation returns 0 and BouncyCastle throws an IllegalStateException (which breaks features in our application). Getting this third party provider to change their implementation is an option, but we are also exploring other options.

As a fix, I now reorder the security providers upon application startup (exactly as you suggested). Our third party library now works just like before upgrading WildFly to Final. Only problem is, without understanding why the JCE provider order was changed between CR1 and Final, I have no idea which platform features I might have just broken

The invocation is from an EJB. Our application declares a dependency on BouncyCastle in jboss-deployment-structure.xml. Like stated in my previous comment, this does not seem to affect which JCE providers are registered with the JVM.

I have recreated the same result from a servlet running WildFly with the default standalone profile, and without declaring any dependencies from WildFly. The code below lists the registered JCE providers, in the preferred order. Try it on both CR1 and Final to see the difference. BouncyCastle only appears in Final, as number two in the list.

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Provider;
import java.security.Security;


@WebServlet(urlPatterns = "/ListJceProviders")
public class ListJceProvidersServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        PrintWriter writer = response.getWriter();

        for (Provider provider : Security.getProviders()) {
            writer.println(provider.toString());
        }
    }
}

EDIT: The table below has been edited after the original post. It now shows the result of WildFly standalone, default profile, on Windows 7, running JDK 1.7 u51 with JCE Unlimited Strength. Similar results (BouncyCastle only in Final) are observed on other OS-es (OS X and Linux), and other WildFly configurations (standalone/domain and default/full profile).

Do you have any specific change in mind, that could have introduced this?

Thank you, Tomaz!

I created that output on my OS X home computer, after putting the kids to bed last night. I thought it would save time, and bring this case faster forward. But I forgot to set JAVA_HOME on the console running CR1. That explains the odd output with differing versions, which you observed. My mistake! Sorry about the confusion

Now I'm back at work and have rerun the output, making sure that only the WildFly versions differ. I have updated the table in my previous comment.

All my colleagues experience the same issue, and on multiple platforms and configurations, so I'm quite sure that this is a real change from CR1 to Final, and not something we're doing wrong

Any help in identifying which issue introduced the change will be appreciated, as it will influence how our team will handle the side effect in our application.

Ok, I am satisfied with the answers Let me reiterate my current understanding of the issue:

The change was introduced by this commit to jbossws, as Tomaz Cerar pointed out in his first post I tried removing exactly that line from my 8.0.0 Final configuration, and the CR1-behaviour was back again.

It is not entirely correct, like ctomc and asoldano states, that BouncyCastle is not visible to the application by default. Because jbossws is now depending on module org.bouncycastle, then BouncyCastleProvider is registered as a JCE provider with java.security.Security (in index 2). This allows my application to use BouncyCastle through the JCE APIs without declaring a dependency on the module org.bouncycastle.

The JBoss module system does however prevent me from instantiating BouncyCastleProvider directly. For that, I would have to declare the dependency to module org.bouncycastle.

My team will continue using our workaround, which is to reorder the JCE providers upon application startup - at least until we get a fix from our third party library provider. I guess CXF registered BouncyCastle as provider number 2 for a reason, so I'm prepared that some problems may appear.

If anybody is interested, I pushed the tool I used while investigating this to GitHub. Visit my project, list-jce-providers.

This was my first post to this forum, and I must say I am really impressed with the assistance you gave. Thank you so much for your help, guys!