Hi,

we are using Fediz IDP (1.1-SNAPSHOT) with CXF STS in Karaf 2.3.0. Both are deployed as separate bundles in the same karaf instance (together with other bundles which also use CXF). In order to avoid problems with the shared default bus from the CXF bundles, we already use a named bus in each bundle to configure bundle-specific aspects.

But after upgrading the karaf features to CXF 2.7.1 we always get a ClassCastException at the STS when the IDP requests the token for the RP:

java.lang.ClassCastException: org.jcp.xml.dsig.internal.dom.DOMKeyInfoFactory cannot be cast to javax.xml.crypto.dsig.keyinfo.KeyInfoFactory
        at javax.xml.crypto.dsig.keyinfo.KeyInfoFactory.findInstance(KeyInfoFactory.java:158)
        at javax.xml.crypto.dsig.keyinfo.KeyInfoFactory.getInstance(KeyInfoFactory.java:142)
        at org.apache.ws.security.saml.SAMLUtil.getCredentialDirectlyFromKeyInfo(SAMLUtil.java:380)
        at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:541)
        at org.apache.cxf.sts.token.validator.SAMLTokenValidator.validateToken(SAMLTokenValidator.java:177)[168:org.apache.cxf.services.sts.core:2.7.1]
        at org.apache.cxf.sts.operation.AbstractOperation.validateReceivedToken(AbstractOperation.java:554)[168:org.apache.cxf.services.sts.core:2.7.1]
        at org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle(TokenIssueOperation.java:114)[168:org.apache.cxf.services.sts.core:2.7.1]
        at org.apache.cxf.sts.operation.TokenIssueOperation.issue(TokenIssueOperation.java:70)[168:org.apache.cxf.services.sts.core:2.7.1]

After tracing this down we finally discovered that the issue originates from a failing JCE Provider registration in wss4j. wss4j attempts to register the "ApacheXMLDSig" provider from the xmlsec jar but fails because this class is not visible to the class loader which it tries to use: currentThread#contextClassLoader, which is an instance of org.apache.cxf.bus.blueprint.BundleDelegatingClassLoader. The delegate for that class loader is the class loader of another bundle which uses CXF and is started prior to our STS bundle.

wss4j ignores the failed attempt to register the provider and later tries to use it. But since the provider is not available, wss4j requests the default provider. This request leads to the ClassCastException above.

We are using latest Java 7 from Oracle and OpenJDK and both fail with the above ClassCastException.

Using CXF 2.7.0 the order in which our bundles are started does not matter.

Greetings
Peter

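The mechanism described in the message above (a JCE provider loaded through the thread context class loader, which in an OSGi container may belong to a different bundle) can be checked from inside the affected bundle. The following is an added diagnostic, not code from Fediz, CXF or wss4j: it reports whether the TCCL and the bundle's own class loader can see the xmlsec provider class, registers the provider through an explicit loader, and shows which provider currently backs KeyInfoFactory("DOM"). The provider class name org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI is assumed to be the one in the xmlsec jar on the bundle's classpath (it is the class behind the "ApacheXMLDSig" provider name in xmlsec 1.5.x); the class name XmlDsigProviderCheck and the TCCL-swapping helper are illustrative choices of this example.

```java
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;

/**
 * Added diagnostic for the class-loader symptom described in the post.
 * Not Fediz/CXF/wss4j code; run it from the STS bundle (e.g. from its activator).
 */
public final class XmlDsigProviderCheck {

    /** Provider name that wss4j tries to register from the xmlsec jar. */
    static final String PROVIDER_NAME = "ApacheXMLDSig";

    /** Assumption: implementation class of that provider in the xmlsec 1.5.x jar. */
    static final String PROVIDER_CLASS = "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI";

    /** True if the given loader can resolve the class; this is what fails for the TCCL in the post. */
    static boolean visibleTo(ClassLoader cl, String className) {
        try {
            Class.forName(className, false, cl);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    /**
     * Registers the provider through an explicit loader instead of the TCCL.
     * Returns true if the provider is registered afterwards (by us or already before).
     */
    static boolean registerWith(ClassLoader cl) {
        if (Security.getProvider(PROVIDER_NAME) != null) {
            return true;
        }
        try {
            Class<?> c = Class.forName(PROVIDER_CLASS, true, cl);
            Provider p = (Provider) c.getDeclaredConstructor().newInstance();
            // Position 2: ahead of the JDK's "XMLDSig" provider so xmlsec is preferred,
            // but not in front of the first (usually SUN) provider.
            Security.insertProviderAt(p, 2);
            return Security.getProvider(PROVIDER_NAME) != null;
        } catch (ReflectiveOperationException | LinkageError e) {
            return false;
        }
    }

    /** Name of the provider that currently backs KeyInfoFactory("DOM"). */
    static String keyInfoFactoryProvider() {
        return KeyInfoFactory.getInstance("DOM").getProvider().getName();
    }

    /**
     * Runs library initialisation with this bundle's loader as TCCL and restores the
     * previous TCCL afterwards; the common OSGi workaround for libraries that load
     * classes via Thread.currentThread().getContextClassLoader().
     */
    static void withOwnLoaderAsTccl(Runnable init) {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(XmlDsigProviderCheck.class.getClassLoader());
        try {
            init.run();
        } finally {
            t.setContextClassLoader(saved);
        }
    }

    public static void main(String[] args) {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        ClassLoader own = XmlDsigProviderCheck.class.getClassLoader();
        System.out.println("TCCL class         : " + (tccl == null ? "null" : tccl.getClass().getName()));
        System.out.println("TCCL sees provider : " + visibleTo(tccl, PROVIDER_CLASS));
        System.out.println("own loader sees it : " + visibleTo(own, PROVIDER_CLASS));
        System.out.println("registered via own : " + registerWith(own));
        System.out.println("KeyInfoFactory(DOM): " + keyInfoFactoryProvider());
        for (Provider p : Security.getProviders()) {
            System.out.println("  provider " + p.getName() + " " + p.getVersion());
        }
    }
}
```

In the situation described in the post, the first two lines would print the BundleDelegatingClassLoader class name and false, while the bundle's own loader would see the class; if KeyInfoFactory(DOM) reports the JDK's "XMLDSig" provider rather than "ApacheXMLDSig", the xmlsec provider was never registered and the fallback path from the stack trace is the one in use.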