Jim Ma created WSS-654:
--------------------------
Summary: WSSecurityUtil throws NPE when security manager is enabled
Key: WSS-654
URL: https://issues.apache.org/jira/browse/WSS-654
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 2.2.4
Reporter: Jim Ma
Assignee: Colm O hEigeartaigh
Fix For: 2.2.5
When the security manager is enabled, WSSecurityUtil throws an NPE caused by an
AccessControlException:
{code:java}
2019-09-05 11:41:46,602 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-1) Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now: java.lang.NullPointerException
    at java.xml/com.sun.org.apache.xerces.internal.dom.ParentNode.internalInsertBefore(ParentNode.java:300)
    at java.xml/com.sun.org.apache.xerces.internal.dom.ParentNode.insertBefore(ParentNode.java:287)
    at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.prependChildElement(WSSecurityUtil.java:319)
    at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.findWsseSecurityHeaderBlock(WSSecurityUtil.java:438)
    at org.apache.ws.security//org.apache.wss4j.dom.message.WSSecHeader.insertSecurityHeader(WSSecHeader.java:165)
    at [email protected]//org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(PolicyBasedWSS4JOutInterceptor.java:144)
    at [email protected]//org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:109)
    at [email protected]//org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:96)
    at [email protected]//org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
{code}
The root cause of this NPE is an AccessControlException from a failed
permission check (permission "("java.lang.RuntimePermission"
"accessClassInPackage.com.sun.org.apache.xerces.internal.dom")"):
{code:java}
"accessClassInPackage.com.sun.org.apache.xerces.internal.dom")"
2019-09-05 11:41:37,366 ERROR [stderr] (default task-1) at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
2019-09-05 11:41:37,368 ERROR [stderr] (default task-1) at java.base/java.lang.Class.checkPackageAccess(Class.java:2870)
2019-09-05 11:41:37,369 ERROR [stderr] (default task-1) at java.base/java.lang.Class.checkMemberAccess(Class.java:2851)
2019-09-05 11:41:37,370 ERROR [stderr] (default task-1) at java.base/java.lang.Class.getMethod(Class.java:2105)
2019-09-05 11:41:37,371 ERROR [stderr] (default task-1) at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.getDomElement(WSSecurityUtil.java:641)
2019-09-05 11:41:37,372 ERROR [stderr] (default task-1) at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.prependChildElement(WSSecurityUtil.java:312)
2019-09-05 11:41:37,372 ERROR [stderr] (default task-1) at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.findWsseSecurityHeaderBlock(WSSecurityUtil.java:438)
2019-09-05 11:41:37,373 ERROR [stderr] (default task-1) at org.apache.ws.security//org.apache.wss4j.dom.message.WSSecHeader.insertSecurityHeader(WSSecHeader.java:165)
{code}
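Added example, not code from WSS4J or from the report: a Java illustration of the failure pattern the two traces above point to, where a lookup through Class.getMethod fails, the exception is only printed, and the resulting null reaches Node.insertBefore, next to a variant that keeps the lookup failure as the cause. The class name, method names and the accessor name are hypothetical; a missing method stands in for the AccessControlException because both surface from the same Class.getMethod call, and the NPE assumes the JDK's built-in DOM implementation.

```java
import java.lang.reflect.Method;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class ReflectiveLookupDemo {
    // Swallowing variant: a failed lookup is printed to stderr and becomes null.
    static Element unwrapSwallowing(Element e, String accessor) {
        try {
            Method m = e.getClass().getMethod(accessor);
            return (Element) m.invoke(e);
        } catch (Exception ex) {
            ex.printStackTrace();
            return null;
        }
    }

    // Stricter variant: the lookup failure is kept as the cause of the error.
    static Element unwrapStrict(Element e, String accessor) {
        try {
            Method m = e.getClass().getMethod(accessor);
            return (Element) m.invoke(e);
        } catch (ReflectiveOperationException | SecurityException ex) {
            throw new IllegalStateException(
                "cannot call " + accessor + " on " + e.getClass().getName(), ex);
        }
    }

    static void prepend(Element parent, Element child) {
        parent.insertBefore(child, parent.getFirstChild());
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element header = doc.createElement("Header");
        doc.appendChild(header);
        Element security = doc.createElement("Security");
        // Constructed trigger: "noSuchAccessor" does not exist, so getMethod fails.
        try {
            prepend(header, unwrapSwallowing(security, "noSuchAccessor"));
        } catch (NullPointerException npe) {
            System.out.println("swallowing: " + npe + " raised inside insertBefore");
        }
        try {
            prepend(header, unwrapStrict(security, "noSuchAccessor"));
        } catch (IllegalStateException ise) {
            System.out.println("strict: " + ise.getMessage() + " <- " + ise.getCause());
        }
    }
}
```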