Currently, we have Picketlink modules excluding the java.xml.crypto classes when importing from org.apache.santuario.xmlsec (as those classes are duplicated in javax.api). We should actually do the other way around, that is exclude those classes in a exports block in santuario module, to avoid other consumer to have to specify exclusions.