Thanks Glen. I have created CXF-4357 in JIRA (https://issues.apache.org/jira/browse/CXF-4357?focusedCommentId=13288817#comment-13288817) and attached related files.
Gina

On Mon, Jun 4, 2012 at 1:20 PM, Glen Mazza <[email protected]> wrote:

> Hi Gina, cross-posting between dev and user is almost never necessary,
> everybody in the former group is in the latter.
>
> Unless you get a response from someone else in the interim I would submit
> a JIRA ticket regarding this item, preferably with an easily reproducible
> test case (feel free to attach/modify my CXF STS tutorial source code to
> the JIRA directly if it would help) that NPEs due to the bug and doesn't
> NPE once fixed *or* a patch that clarifies what you're looking for.
>
> As you say, it may not just be an issue of checking for the NPE but a
> logical inconsistency in the code that needs to get resolved, where a
> security token is optional but nonetheless there is subsequent code acting
> on that (nonexistent) security token.
>
> Regards,
> Glen
>
>
> On 06/01/2012 07:29 PM, Gina Choi wrote:
>
>> I debugged my client to check following error messages that I am
>> receiving when I run client. I found cause for NPE. In
>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.java,
>> we have doIssuedTokenSignature( Token token, SignedEncryptedParts
>> signdParts, TokenWrapper wrapper) method.
>>
>> In line 403, getSecurityToken() is allowed to return null and in my case
>> value of secTok is null.
>>
>>     SecurityToken secTok = getSecurityToken();
>>
>>     protected SecurityToken getSecurityToken() {
>>         SecurityToken st = (SecurityToken)message.getContextualProperty(SecurityConstants.TOKEN);
>>         if (st == null) {
>>             String id = (String)message.getContextualProperty(SecurityConstants.TOKEN_ID);
>>             if (id != null) {
>>                 st = getTokenStore().getToken(id);
>>             }
>>         }
>>         if (st != null) {
>>             getTokenStore().add(st);
>>             return st;
>>         }
>>         return null;
>>     }
>>
>> Following is content from line 424 to 441.
>> in line 429, secTok.getX509Certificate() is called without checking value
>> of secTok is null or not. This throws NPE in my case. Condition should be
>> checked. On the other hand, I might need to find way to avoid having null
>> value for SecurityToken.
>>
>>      if (signdParts != null) {
>>          if (signdParts.isBody()) {
>>              WSEncryptionPart bodyPart = convertToEncryptionPart(SAAJUtils.getBody(saaj));
>>              sigParts.add(bodyPart);
>>          }
>> 429:     if (secTok.getX509Certificate() != null) {
>>              //the "getX509Certificate" this is to workaround an issue in WCF
>>              //In WCF, for TransportBinding, in most cases, it doesn't want any of
>>              //the headers signed even if the policy says so. HOWEVER, for KeyValue
>>              //IssuedTokens, it DOES want them signed
>>              for (Header header : signdParts.getHeaders()) {
>>                  WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
>>                          header.getNamespace(),
>>                          "Content");
>>                  sigParts.add(wep);
>>              }
>>          }
>>      }
>>
>> [INFO] --- exec-maven-plugin:1.2.1:exec (default-cli) @ cxf-sts-tutorial-client ---
>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Fault string, and possibly fault code, not set
>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
>>     at $Proxy25.doubleIt(Unknown Source)
>>     at client.WSClient.doubleIt(WSClient.java:18)
>>     at client.WSClient.main(WSClient.java:11)
>> Caused by: java.lang.NullPointerException
>>     at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
>>     at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:283)
>>     at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:240)
>>     at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:147)
>>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:159)
>>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:89)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:722)
>>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:602)
>>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:594)
>>     at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.getTokenFromSTS(IssuedTokenInterceptorProvider.java:404)
>>     at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:188)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>>     ... 3 more
>>
>>
>> Thanks.
>>
>> Gina
>>
>
>
> --
> Glen Mazza
> Talend Community Coders
> coders.talend.com
> blog: www.jroller.com/gmazza
>
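Added example, not part of the original thread and not CXF code: a self-contained Java model of the two resolutions the messages above distinguish, a plain null check versus treating the missing token as an explicit failure. The class, the Token record, the method names and the sample headers are hypothetical stand-ins, and the sketch does not claim to be the fix applied for CXF-4357.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-in types (hypothetical, not CXF classes) modelling the shape of the
// code quoted in the thread: a token lookup whose result may be null.
public class IssuedTokenNullCheck {
    record Token(String id, Object x509Certificate) {}

    /** Models the quoted block at line 429: dereferences the token unconditionally. */
    static List<String> partsUnchecked(Token secTok, List<String> headers) {
        List<String> sigParts = new ArrayList<>(List.of("Body"));
        if (secTok.x509Certificate() != null) {   // NPE when secTok == null
            sigParts.addAll(headers);
        }
        return sigParts;
    }

    /** Option 1: treat the token as optional and skip header signing without it. */
    static List<String> partsGuarded(Token secTok, List<String> headers) {
        List<String> sigParts = new ArrayList<>(List.of("Body"));
        if (secTok != null && secTok.x509Certificate() != null) {
            sigParts.addAll(headers);
        }
        return sigParts;
    }

    /** Option 2: treat a missing token as a policy failure and report it by name. */
    static List<String> partsStrict(Token secTok, List<String> headers) {
        if (secTok == null) {
            throw new IllegalStateException(
                "IssuedToken policy asserted but no security token is available");
        }
        return partsGuarded(secTok, headers);
    }

    public static void main(String[] args) {
        List<String> headers = List.of("wsa:To", "wsa:Action"); // constructed sample
        System.out.println("guarded: " + partsGuarded(null, headers));
        try {
            partsStrict(null, headers);
        } catch (IllegalStateException e) {
            System.out.println("strict: " + e.getMessage());
        }
        try {
            partsUnchecked(null, headers);
        } catch (NullPointerException e) {
            System.out.println("unchecked: NullPointerException");
        }
    }
}
```

The guarded variant silently changes which parts get signed when no token is present, while the strict variant replaces the opaque fault with a message that names the missing token; which one is right depends on whether the policy really allows the token to be absent.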
