The NPE is thrown at line 167 in DOMSignatureMethod.java:
if (log.isDebugEnabled()) {
As you suggest below, it sounds like you don't have logging configured
correctly.
--Sean
On 08/01/2013 02:25 AM, afmunoz wrote:
Hi,
I also have a similar error occurring when verifying the signature on an
inbound request. I was using Apache CXF 2.7.4 and upgraded to 2.7.6 but the
NPE remains after an application redeploy and only fixed after a full Tomcat
restart.
The NPE error I'm getting is:
org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:447)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:203)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:159)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.xml.crypto.dsig.XMLSignatureException: java.lang.NullPointerException
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:553)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:420)
    ... 27 more
Caused by: java.lang.NullPointerException
    at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:167)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:550)
    ... 29 more
What I do notice is that when I do a Tomcat start, the following 2 providers
are loaded:
2013-08-01 15:20:24,707 DEBUG | http-8080-2 | Registering default algorithms | org.apache.xml.security.Init.dynamicInit(Init.java:114)
2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider ApacheXMLDSig - 1.55 was added at position: 2 | org.apache.ws.security.WSSConfig.addJceProvider(WSSConfig.java:893)
2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider STRTransform was added at position: 11 | org.apache.ws.security.WSSConfig.appendJceProvider(WSSConfig.java:968)
However, when I do only an app restart, only 1 provider is loaded:
2013-08-01 15:34:49,313 DEBUG | http-8080-2 | Registering default algorithms | org.apache.xml.security.Init.dynamicInit(Init.java:114)
2013-08-01 15:34:49,380 DEBUG | http-8080-2 | The provider STRTransform was added at position: 11 | org.apache.ws.security.WSSConfig.appendJceProvider(WSSConfig.java:968)
I tried to look at the WSSConfig code - it appears the java Security
libraries think ApacheXMLDSig is already loaded, but when used it is null
(I'm guessing really...)
The only 'fix' I have is to put xmlsec-1.5.5.jar in an endorsed lib, but it
then requires commons-logging-1.1.1.jar. After both are in the endorsed
lib, it works correctly after any type of restart, however, my logging is
messed up and it affects other apps' logging, so not ideal 'fix'.
Any help would be appreciated.
Thanks
Alex
--
View this message in context:
http://apache-xml-project.6118.n7.nabble.com/NullPointerException-when-redeploy-webapp-possible-leak-tp40262p40384.html
Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.
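
A diagnostic for the guess in the message above that ApacheXMLDSig is still registered from before the redeploy, added here as an example and not code from this thread, WSS4J or Santuario. The JCE provider registry is JVM-wide, so the check reports whether each provider named in the logs was loaded by a class loader the current webapp can see; the class, enum and method names are hypothetical.

```java
import java.security.Provider;
import java.security.Security;

// Added example (not from the thread); ProviderLoaderCheck and Status are hypothetical names.
public class ProviderLoaderCheck {

    enum Status { NOT_REGISTERED, VISIBLE_TO_APP, FOREIGN_LOADER }

    // Compares the class loader that defined the registered provider with the
    // application's class loader and all of its parents.
    static Status check(String providerName, ClassLoader appLoader) {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            return Status.NOT_REGISTERED;
        }
        ClassLoader owner = p.getClass().getClassLoader();
        if (owner == null) {
            // Defined by the bootstrap loader (e.g. an endorsed jar): visible to every app.
            return Status.VISIBLE_TO_APP;
        }
        for (ClassLoader cl = appLoader; cl != null; cl = cl.getParent()) {
            if (cl == owner) {
                return Status.VISIBLE_TO_APP;
            }
        }
        // Registered by a loader outside this app's chain, for example the
        // class loader of a previous deployment of the same webapp.
        return Status.FOREIGN_LOADER;
    }

    public static void main(String[] args) {
        ClassLoader app = Thread.currentThread().getContextClassLoader();
        // Provider names taken from the DEBUG log lines quoted in the message.
        for (String name : new String[] {"ApacheXMLDSig", "STRTransform"}) {
            Provider p = Security.getProvider(name);
            String owner = (p == null) ? "-" : String.valueOf(p.getClass().getClassLoader());
            System.out.println(name + ": " + check(name, app) + " (defined by " + owner + ")");
        }
    }
}
```

Inside Tomcat the same `check` call would be made from the webapp itself (for instance a `ServletContextListener`) after a redeploy, so that the context class loader is the new deployment's loader.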