Hi, I also have a similar error occurring when verifying the signature on an inbound request. I was using Apache CXF 2.7.4 and upgraded to 2.7.6, but the NPE remains after an application redeploy and is only fixed after a full Tomcat restart.
The NPE error I'm getting is:

org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:447)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:203)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:159)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.xml.crypto.dsig.XMLSignatureException: java.lang.NullPointerException
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:553)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:420)
    ... 27 more
Caused by: java.lang.NullPointerException
    at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:167)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:550)
    ... 29 more

What I do notice is that when I do a Tomcat start, the following 2 providers are loaded:

2013-08-01 15:20:24,707 DEBUG | http-8080-2 | Registering default algorithms | org.apache.xml.security.Init.dynamicInit(Init.java:114)
2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider ApacheXMLDSig - 1.55 was added at position: 2 | org.apache.ws.security.WSSConfig.addJceProvider(WSSConfig.java:893)
2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider STRTransform was added at position: 11 | org.apache.ws.security.WSSConfig.appendJceProvider(WSSConfig.java:968)

However, when I do only an app restart, only 1 provider is loaded:

2013-08-01 15:34:49,313 DEBUG | http-8080-2 | Registering default algorithms | org.apache.xml.security.Init.dynamicInit(Init.java:114)
2013-08-01 15:34:49,380 DEBUG | http-8080-2 | The provider STRTransform was added at position: 11 | org.apache.ws.security.WSSConfig.appendJceProvider(WSSConfig.java:968)

I tried to look at the WSSConfig code - it appears the java Security libraries think ApacheXMLDSig is already loaded, but when used it is null (I'm guessing really...)

The only 'fix' I have is to put xmlsec-1.5.5.jar in an endorsed lib, but it then requires commons-logging-1.1.1.jar. After both are in the endorsed lib, it works correctly after any type of restart, however, my logging is messed up and it affects other apps' logging, so not ideal 'fix'.

Any help would be appreciated.

Thanks
Alex

--
View this message in context: http://apache-xml-project.6118.n7.nabble.com/NullPointerException-when-redeploy-webapp-possible-leak-tp40262p40384.html
Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.
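
An added example, not part of the post above and not CXF, WSS4J or Santuario code: a servlet context listener that removes the two JCE providers named in the log lines when they belong to a class loader the current deployment cannot see, and again on undeploy. It assumes the poster's guess is right, namely that a provider registered by the previous deployment stays in java.security.Security after a redeploy; the class name JceProviderCleanupListener is hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

// Added example (hypothetical class); register it with a <listener> entry in web.xml.
public class JceProviderCleanupListener implements ServletContextListener {

    // Provider names as they appear in the WSSConfig debug lines quoted in the post.
    private static final String[] PROVIDER_NAMES = { "ApacheXMLDSig", "STRTransform" };

    // True when 'candidate' is 'loader' or one of its parents (null = bootstrap loader).
    static boolean isVisibleFrom(ClassLoader loader, ClassLoader candidate) {
        if (candidate == null) {
            return true;
        }
        for (ClassLoader cl = loader; cl != null; cl = cl.getParent()) {
            if (cl == candidate) {
                return true;
            }
        }
        return false;
    }

    // On startup: drop providers whose classes belong to a loader this webapp cannot see,
    // i.e. leftovers of an earlier deployment. Providers from shared or endorsed libs stay.
    public void contextInitialized(ServletContextEvent sce) {
        ClassLoader mine = JceProviderCleanupListener.class.getClassLoader();
        for (String name : PROVIDER_NAMES) {
            Provider p = Security.getProvider(name);
            if (p != null && !isVisibleFrom(mine, p.getClass().getClassLoader())) {
                sce.getServletContext().log("Removing stale JCE provider " + name);
                Security.removeProvider(name);
            }
        }
    }

    // On undeploy: remove only the providers registered from this webapp's own classes.
    public void contextDestroyed(ServletContextEvent sce) {
        ClassLoader mine = JceProviderCleanupListener.class.getClassLoader();
        for (String name : PROVIDER_NAMES) {
            Provider p = Security.getProvider(name);
            if (p != null && p.getClass().getClassLoader() == mine) {
                Security.removeProvider(name);
            }
        }
    }
}
```

Under a Java security manager, Security.removeProvider needs the matching SecurityPermission for each provider name.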