Hello everyone,
I work with an application which uses WSS4J version 1.5.11 and we get an
exception fairly regularly which seems to truncate the end of the issuer name
when it signs a request. We end up seeing these exceptions thrown on the
server when we make a web service call:

java.lang.IllegalArgumentException: improperly specified input name: CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:150)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:102)
    at org.apache.ws.security.components.crypto.CryptoBase.createBCX509Name(CryptoBase.java:283)
    at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:335)
    at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:300)
    at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerialAlias(SecurityTokenReference.java:562)
    at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerial(SecurityTokenReference.java:541)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:377)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:116)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:219)
    at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:93)
    at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:41)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
    at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:102)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:464)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
    at org.kuali.rice.ksb.messaging.servlet.CXFServletControllerAdapter.handleRequest(CXFServletControllerAdapter.java:47)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
    at org.kuali.rice.ksb.messaging.servlet.KSBDispatcherServlet.service(KSBDispatcherServlet.java:138)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
    at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.IOException: empty AVA in RDN ""
    at sun.security.x509.RDN.<init>(RDN.java:132)
    at sun.security.x509.X500Name.parseDN(X500Name.java:918)
    at sun.security.x509.X500Name.<init>(X500Name.java:148)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:148)
    ... 45 more

I checked the keystore and the issuer name is "CN=Foo
Bar,OU=Baz,O=Org,L=City,ST=IN,C=US" so it appears that it is truncating the
country off of the end but not removing the last comma which causes the name to
be invalid. Has anyone seen anything like this before? If there's any other
information I can provide please let me know.
Thanks,
James
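
A way to reproduce and triage the parse failure reported above, as an added example that is not part of the original post and not WSS4J code. The class name `IssuerNameCheck`, its `Result` values and the two strings marked "constructed" are assumptions; the other two DN strings are the ones quoted in the post.

```java
import javax.security.auth.x500.X500Principal;

// Hypothetical triage helper (not WSS4J code): classifies an issuer DN string
// taken from a message against the issuer DN of the certificate in the keystore.
public class IssuerNameCheck {

    enum Result { MATCH, MISMATCH, MALFORMED_TRAILING_SEPARATOR, MALFORMED }

    static Result check(String received, X500Principal expected) {
        try {
            // X500Principal.equals compares canonical forms, so differences in
            // spacing after the RDN separators do not cause a mismatch.
            return new X500Principal(received).equals(expected)
                    ? Result.MATCH : Result.MISMATCH;
        } catch (IllegalArgumentException e) {
            // Same exception type as in the trace above. An unescaped trailing
            // comma leaves an empty final RDN ("empty AVA in RDN").
            String s = received.trim();
            boolean trailing = s.endsWith(",") && !s.endsWith("\\,");
            return trailing ? Result.MALFORMED_TRAILING_SEPARATOR : Result.MALFORMED;
        }
    }

    public static void main(String[] args) {
        // Issuer DN as the post reports it from the keystore.
        X500Principal expected =
                new X500Principal("CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,C=US");
        String[] samples = {
            "CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,C=US",      // full name
            "CN=Foo Bar, OU=Baz, O=Org, L=City, ST=IN, C=US", // constructed: spaced form
            "CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,",          // string from the exception
            "CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN"            // constructed: C dropped cleanly
        };
        for (String dn : samples) {
            System.out.println(check(dn, expected) + "  <-  " + dn);
        }
    }
}
```

Logging the raw `X509IssuerName` text of the incoming message next to this result shows whether the name was already incomplete in the message or was altered after receipt.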