
List:       xmlrpc-user
Subject:    [jira] [Commented] (WSS-660) Classloading issue when having WSS4J in 2 different WARs on the same To
From:       "Philip Helger (Jira)" <jira () apache ! org>
Date:       2023-05-18 8:12:00
Message-ID: JIRA.13271462.1575054189000.8413.1684397520012 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WSS-660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723836#comment-17723836 ]

Philip Helger commented on WSS-660:
-----------------------------------

One workaround that was found by [ashoktronix27|https://github.com/ashoktronix27] as
described in [https://github.com/phax/phase4/discussions/111#discussioncomment-5936313]
was to put the wss4j.jar in the "tomcat/shared/lib" folder and remove it from the
individual applications' "WEB-INF/lib" folders.

Not the nicest thing to do in the world, but at least a working solution :)

> Classloading issue when having WSS4J in 2 different WARs on the same Tomcat
> ---------------------------------------------------------------------------
> 
> Key: WSS-660
> URL: https://issues.apache.org/jira/browse/WSS-660
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.2.4
> Reporter: Philip Helger
> Assignee: Colm O hEigeartaigh
> Priority: Major
> 
> Hi,
> I'm struggling with a classloading issue, if wss4j-ws-security-dom.jar is contained
> in more than one web application (WAR) running on the same Tomcat. So assume I have
> 2 web applications "wa1" and "wa2", which both contain a servlet "/sign" that does
> some WSS signing. First I am calling "/wa1/sign" (all good), then "/wa2/sign" (also
> good) and finally again "/wa1/sign" and here it breaks with an
> "InvalidAlgorithmParameterException" in
> "org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)"
> The reason is that the expected class "AttachmentTransformParameterSpec" and the
> provided class "AttachmentTransformParameterSpec" come from different class
> loaders. The problem is the "WSSConfig.init()" method. Currently I am calling this
> statically once per web application. This method indirectly calls the global
> "Security.addProvider()" which also registers the
> "AttachmentContentSignatureTransformProvider", but removes any previous matching
> provider. And therefore the registration of "/wa2" wins, because it is called
> second. This is btw. the full stack trace of the second call to "/wa1/sign", with a
> slightly pimped exception message to compare the classloaders:
> java.security.InvalidAlgorithmParameterException: Expected AttachmentTransformParameterSpec from ParallelWebappClassLoader
> context: cl2
> delegate: false
> ----------> Parent Classloader:
> java.net.URLClassLoader@335eadca
> but got org.apache.wss4j.dom.transform.AttachmentTransformParameterSpec from ParallelWebappClassLoader
> context: cl1
> delegate: false
> ----------> Parent Classloader:
> java.net.URLClassLoader@335eadca
> instead
> This class (AttachmentContentSignatureTransform) was loaded by ParallelWebappClassLoader
> context: cl2
> delegate: false
> ----------> Parent Classloader:
> java.net.URLClassLoader@335eadca
> org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)
> org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.newTransform(DOMXMLSignatureFactory.java:316)
> org.apache.wss4j.dom.message.WSSecSignatureBase.addAttachmentReferences(WSSecSignatureBase.java:298)
> org.apache.wss4j.dom.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:119)
> org.apache.wss4j.dom.message.WSSecSignature.addReferencesToSign(WSSecSignature.java:426)
> org.apache.wss4j.dom.message.WSSecSignature.build(WSSecSignature.java:400)
> 
> Here is the stacktrace, how the "AttachmentContentSignatureTransform" constructor is called:
> Thread [qtp1843289228-22] (Suspended (breakpoint at line 66 in AttachmentContentSignatureTransform))
> AttachmentContentSignatureTransform.<init>() line: 66
> NativeConstructorAccessorImpl.newInstance0(Constructor<?>, Object[]) line: not available [native method]
> NativeConstructorAccessorImpl.newInstance(Object[]) line: 62
> DelegatingConstructorAccessorImpl.newInstance(Object[]) line: 45
> Constructor<T>.newInstance(Object...) line: 423
> Provider$Service.newInstance(Object) line: 1595
> GetInstance.getInstance(Service, Class<?>) line: 236
> TransformService.getInstance(String, String) line: 166
> DOMXMLSignatureFactory.newTransform(String, TransformParameterSpec) line: 312
> WSSecSignature(WSSecSignatureBase).addAttachmentReferences(WSEncryptionPart, DigestMethod, XMLSignatureFactory) line: 298
> WSSecSignature(WSSecSignatureBase).addReferencesToSign(Document, List<WSEncryptionPart>, WSDocInfo, XMLSignatureFactory, boolean, String) line: 119
> WSSecSignature.addReferencesToSign(List<WSEncryptionPart>) line: 426
> WSSecSignature.build(Crypto) line: 400
> Any suggestions on what I can do to work around that issue?
> Thanks, Philip



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
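
The failure described in the quoted report, reduced to a stand-alone JDK 9+ program (an added example, not code from WSS4J, phase4 or the original message). Two URLClassLoaders named wa1 and wa2 stand in for the two web applications; Spec, DemoProvider and register() are hypothetical stand-ins for AttachmentTransformParameterSpec, the registered provider and the WSSConfig.init() call. The last loop is a diagnostic that lists JCA providers defined by a URLClassLoader, which in Tomcat includes the webapp class loaders.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Provider;
import java.security.Security;

// Constructed demo (JDK 9+): compile with javac, then run `java ProviderLoaderCheck`.
public class ProviderLoaderCheck {
    // Hypothetical stand-in for AttachmentTransformParameterSpec.
    public static class Spec {}

    // Hypothetical stand-in for the provider each web application registers.
    public static class DemoProvider extends Provider {
        public DemoProvider() { super("DemoProvider", "1.0", "constructed example"); }
    }

    // Mirrors the pattern in the report: drop any same-named provider, then add ours.
    static void register(ClassLoader webapp) throws Exception {
        Class<?> c = webapp.loadClass("ProviderLoaderCheck$DemoProvider");
        Security.removeProvider("DemoProvider");
        Security.addProvider((Provider) c.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        URL[] cp = { ProviderLoaderCheck.class.getProtectionDomain().getCodeSource().getLocation() };
        ClassLoader parent = ClassLoader.getSystemClassLoader().getParent();
        try (URLClassLoader wa1 = new URLClassLoader("wa1", cp, parent);
             URLClassLoader wa2 = new URLClassLoader("wa2", cp, parent)) {
            // Same bytes, same name, two loaders: two unrelated runtime types.
            Class<?> spec1 = wa1.loadClass("ProviderLoaderCheck$Spec");
            Class<?> spec2 = wa2.loadClass("ProviderLoaderCheck$Spec");
            Object fromWa1 = spec1.getDeclaredConstructor().newInstance();
            System.out.println("same Class object:      " + (spec1 == spec2));
            System.out.println("wa2 accepts wa1's Spec: " + spec2.isInstance(fromWa1));

            register(wa1);
            register(wa2); // JVM-wide registry: wa2 replaces wa1's entry
            ClassLoader owner = Security.getProvider("DemoProvider").getClass().getClassLoader();
            System.out.println("provider now owned by:  " + owner.getName());

            // Diagnostic: providers defined by an application-managed URLClassLoader.
            for (Provider p : Security.getProviders()) {
                ClassLoader cl = p.getClass().getClassLoader();
                if (cl instanceof URLClassLoader) {
                    System.out.println("application-scoped provider: " + p.getName()
                            + " <- " + cl.getName());
                }
            }
            Security.removeProvider("DemoProvider"); // leave the JVM registry clean
        }
    }
}
```

Because the provider registry is per JVM rather than per web application, whichever application registers last supplies the implementation that every other application on the same Tomcat receives.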

