[
https://issues.apache.org/jira/browse/WSS-660?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Philip Helger updated WSS-660:
------------------------------
Description:
Hi,
I'm struggling with a classloading issue, if wss4j-ws-security-dom.jar is
contained in more than one web application (WAR) running on the same Tomcat.
So assume I have 2 webapplications "wa1" and "wa2", which both contain a
servlet "/sign" that does some WSS signing. First I am calling "/wa1/sign" (all
good), than "/wa2/sign" (also good) and finall again "/wa1/sign" and here it
breaks with an "InvalidAlgorithmParameterException" in
"org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)"
The reason is, that the expected class "AttachmentTransformParameterSpec" and
the provided class "AttachmentTransformParameterSpec" come from different class
loaders.
The problem is the "WSSConfig.init()" method. Currenty I am calling this
statically once per web application. This method indirectly calls the global
"Security.addProvider()" which also registers the
"AttachmentContentSignatureTransformProvider", but removes any previous
matching provider. And therefore the registration of "/wa2" wins, because it is
called second.
This is btw. the full stack trace of the second call to "/wa1/sign", with a
slightly pimped exception message to compare the classloaders:
{{java.security.InvalidAlgorithmParameterException: Expected
AttachmentTransformParameterSpec from ParallelWebappClassLoader}}
{{context: cl2}}
{{delegate: false}}
{{----------> Parent Classloader:}}
{{java.net.URLClassLoader@335eadca}}
{{but got org.apache.wss4j.dom.transform.AttachmentTransformParameterSpec from
ParallelWebappClassLoader}}
{{context: cl1}}
{{delegate: false}}
{{----------> Parent Classloader:}}
{{java.net.URLClassLoader@335eadca}}
{{instead}}
{{This class (AttachmentContentSignatureTransform) was loaded by
ParallelWebappClassLoader}}
{{context: cl2}}
{{delegate: false}}
{{----------> Parent Classloader:}}
{{java.net.URLClassLoader@335eadca}}
{{org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)}}
{{org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.newTransform(DOMXMLSignatureFactory.java:316)}}
{{org.apache.wss4j.dom.message.WSSecSignatureBase.addAttachmentReferences(WSSecSignatureBase.java:298)}}
{{org.apache.wss4j.dom.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:119)}}
{{org.apache.wss4j.dom.message.WSSecSignature.addReferencesToSign(WSSecSignature.java:426)}}
{{org.apache.wss4j.dom.message.WSSecSignature.build(WSSecSignature.java:400)}}
Here is the stacktrace, how the "AttachmentContentSignatureTransform"
constructor is called:
{{Thread [qtp1843289228-22] (Suspended (breakpoint at line 66 in
AttachmentContentSignatureTransform))}}
{{AttachmentContentSignatureTransform.<init>() line: 66}}
{{NativeConstructorAccessorImpl.newInstance0(Constructor<?>, Object[]) line:
not available [native method]}}
{{NativeConstructorAccessorImpl.newInstance(Object[]) line: 62}}
{{DelegatingConstructorAccessorImpl.newInstance(Object[]) line: 45}}
{{Constructor<T>.newInstance(Object...) line: 423}}
{{Provider$Service.newInstance(Object) line: 1595}}
{{GetInstance.getInstance(Service, Class<?>) line: 236}}
{{TransformService.getInstance(String, String) line: 166}}
{{DOMXMLSignatureFactory.newTransform(String, TransformParameterSpec) line:
312}}
{{WSSecSignature(WSSecSignatureBase).addAttachmentReferences(WSEncryptionPart,
DigestMethod, XMLSignatureFactory) line: 298}}
{{WSSecSignature(WSSecSignatureBase).addReferencesToSign(Document,
List<WSEncryptionPart>, WSDocInfo, XMLSignatureFactory, boolean, String) line:
119}}
{{WSSecSignature.addReferencesToSign(List<WSEncryptionPart>) line: 426}}
{{WSSecSignature.build(Crypto) line: 400}}
Any suggestions on what I can do to work around that issue?
Thanks, Philip
was:
Hi,
I'm struggling with a classloading issue, if wss4j-ws-security-dom.jar is
contained in more than one web application (WAR) running on the same Tomcat.
So assume I have 2 webapplications "wa1" and "wa2", which both contain a
servlet "/sign" that does some WSS signing. First I am calling "/wa1/sign" (all
good), than "/wa2/sign" (also good) and finall again "/wa1/sign" and here it
breaks with an "InvalidAlgorithmParameterException" in
"org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)"
The reason is, that the expected class "AttachmentTransformParameterSpec" and
the provided class "AttachmentTransformParameterSpec" come from different class
loaders.
The problem is the "WSSConfig.init()" method. Currenty I am calling this
statically once per web application. This method indirectly calls the global
"Security.addProvider()" which also registers the
"AttachmentContentSignatureTransformProvider", but removes any previous
matching provider. And therefore the registration of "/wa2" wins, because it is
called second.
This is btw. the full stack trace of the second call to "/wa1/sign", with a
slightly pimped exception message to compare the classloaders:
{{java.security.InvalidAlgorithmParameterException: Expected
AttachmentTransformParameterSpec from ParallelWebappClassLoader}}
{{ context: cl2}}
{{ delegate: false}}
{{ ----------> Parent Classloader:}}
{{ java.net.URLClassLoader@335eadca}}
{{ }}
{{ but got org.apache.wss4j.dom.transform.AttachmentTransformParameterSpec from
ParallelWebappClassLoader}}
{{ context: cl1}}
{{ delegate: false}}
{{ ----------> Parent Classloader:}}
{{ java.net.URLClassLoader@335eadca}}
{{ instead}}
{{ This class (AttachmentContentSignatureTransform) was loaded by
ParallelWebappClassLoader}}
{{ context: cl2}}
{{ delegate: false}}
{{ ----------> Parent Classloader:}}
{{ java.net.URLClassLoader@335eadca}}
{{ }}
{{
org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)}}
{{
org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.newTransform(DOMXMLSignatureFactory.java:316)}}
{{
org.apache.wss4j.dom.message.WSSecSignatureBase.addAttachmentReferences(WSSecSignatureBase.java:298)}}
{{
org.apache.wss4j.dom.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:119)}}
{{
org.apache.wss4j.dom.message.WSSecSignature.addReferencesToSign(WSSecSignature.java:426)}}
{{ org.apache.wss4j.dom.message.WSSecSignature.build(WSSecSignature.java:400)}}
Here is the stacktrace, how the "AttachmentContentSignatureTransform"
constructor is called:
{{ Thread [qtp1843289228-22] (Suspended (breakpoint at line 66 in
AttachmentContentSignatureTransform))}}
{{ AttachmentContentSignatureTransform.<init>() line: 66}}
{{ NativeConstructorAccessorImpl.newInstance0(Constructor<?>, Object[]) line:
not available [native method]}}
{{ NativeConstructorAccessorImpl.newInstance(Object[]) line: 62}}
{{ DelegatingConstructorAccessorImpl.newInstance(Object[]) line: 45}}
{{ Constructor<T>.newInstance(Object...) line: 423}}
{{ Provider$Service.newInstance(Object) line: 1595}}
{{ GetInstance.getInstance(Service, Class<?>) line: 236}}
{{ TransformService.getInstance(String, String) line: 166}}
{{ DOMXMLSignatureFactory.newTransform(String, TransformParameterSpec) line:
312}}
{{ WSSecSignature(WSSecSignatureBase).addAttachmentReferences(WSEncryptionPart,
DigestMethod, XMLSignatureFactory) line: 298}}
{{ WSSecSignature(WSSecSignatureBase).addReferencesToSign(Document,
List<WSEncryptionPart>, WSDocInfo, XMLSignatureFactory, boolean, String) line:
119}}
{{ WSSecSignature.addReferencesToSign(List<WSEncryptionPart>) line: 426}}
{{ WSSecSignature.build(Crypto) line: 400}}
{{ }}
Any suggestions on what I can do to work around that issue?
Thanks, Philip
> Classloading issue when having WSS4J in 2 different WARs on the same Tomcat
> ---------------------------------------------------------------------------
>
> Key: WSS-660
> URL: https://issues.apache.org/jira/browse/WSS-660
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.2.4
> Reporter: Philip Helger
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> Hi,
> I'm struggling with a classloading issue, if wss4j-ws-security-dom.jar is
> contained in more than one web application (WAR) running on the same Tomcat.
> So assume I have 2 webapplications "wa1" and "wa2", which both contain a
> servlet "/sign" that does some WSS signing. First I am calling "/wa1/sign"
> (all good), than "/wa2/sign" (also good) and finall again "/wa1/sign" and
> here it breaks with an "InvalidAlgorithmParameterException" in
> "org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)"
> The reason is, that the expected class "AttachmentTransformParameterSpec" and
> the provided class "AttachmentTransformParameterSpec" come from different
> class loaders.
> The problem is the "WSSConfig.init()" method. Currenty I am calling this
> statically once per web application. This method indirectly calls the global
> "Security.addProvider()" which also registers the
> "AttachmentContentSignatureTransformProvider", but removes any previous
> matching provider. And therefore the registration of "/wa2" wins, because it
> is called second.
> This is btw. the full stack trace of the second call to "/wa1/sign", with a
> slightly pimped exception message to compare the classloaders:
> {{java.security.InvalidAlgorithmParameterException: Expected
> AttachmentTransformParameterSpec from ParallelWebappClassLoader}}
> {{context: cl2}}
> {{delegate: false}}
> {{----------> Parent Classloader:}}
> {{java.net.URLClassLoader@335eadca}}
> {{but got org.apache.wss4j.dom.transform.AttachmentTransformParameterSpec
> from ParallelWebappClassLoader}}
> {{context: cl1}}
> {{delegate: false}}
> {{----------> Parent Classloader:}}
> {{java.net.URLClassLoader@335eadca}}
> {{instead}}
> {{This class (AttachmentContentSignatureTransform) was loaded by
> ParallelWebappClassLoader}}
> {{context: cl2}}
> {{delegate: false}}
> {{----------> Parent Classloader:}}
> {{java.net.URLClassLoader@335eadca}}
>
> {{org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)}}
>
> {{org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.newTransform(DOMXMLSignatureFactory.java:316)}}
>
> {{org.apache.wss4j.dom.message.WSSecSignatureBase.addAttachmentReferences(WSSecSignatureBase.java:298)}}
>
> {{org.apache.wss4j.dom.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:119)}}
>
> {{org.apache.wss4j.dom.message.WSSecSignature.addReferencesToSign(WSSecSignature.java:426)}}
>
> {{org.apache.wss4j.dom.message.WSSecSignature.build(WSSecSignature.java:400)}}
>
> Here is the stacktrace, how the "AttachmentContentSignatureTransform"
> constructor is called:
> {{Thread [qtp1843289228-22] (Suspended (breakpoint at line 66 in
> AttachmentContentSignatureTransform))}}
> {{AttachmentContentSignatureTransform.<init>() line: 66}}
> {{NativeConstructorAccessorImpl.newInstance0(Constructor<?>, Object[]) line:
> not available [native method]}}
> {{NativeConstructorAccessorImpl.newInstance(Object[]) line: 62}}
> {{DelegatingConstructorAccessorImpl.newInstance(Object[]) line: 45}}
> {{Constructor<T>.newInstance(Object...) line: 423}}
> {{Provider$Service.newInstance(Object) line: 1595}}
> {{GetInstance.getInstance(Service, Class<?>) line: 236}}
> {{TransformService.getInstance(String, String) line: 166}}
> {{DOMXMLSignatureFactory.newTransform(String, TransformParameterSpec) line:
> 312}}
>
> {{WSSecSignature(WSSecSignatureBase).addAttachmentReferences(WSEncryptionPart,
> DigestMethod, XMLSignatureFactory) line: 298}}
> {{WSSecSignature(WSSecSignatureBase).addReferencesToSign(Document,
> List<WSEncryptionPart>, WSDocInfo, XMLSignatureFactory, boolean, String)
> line: 119}}
> {{WSSecSignature.addReferencesToSign(List<WSEncryptionPart>) line: 426}}
> {{WSSecSignature.build(Crypto) line: 400}}
> Any suggestions on what I can do to work around that issue?
> Thanks, Philip
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
