santuario-dev mailing list archives

From Sean Mullan <sean.mul...@oracle.com>
Subject Re: NullPointerException when redeploy webapp, possible leak
Date Thu, 01 Aug 2013 12:46:50 GMT
The NPE is thrown at line 167 in DOMSignatureMethod.java:

         if (log.isDebugEnabled()) {

As you suggest below, it sounds like you don't have logging configured 
correctly.

--Sean

On 08/01/2013 02:25 AM, afmunoz wrote:
> Hi,
>
> I also have a similar error occurring when verifying the signature on an
> inbound request. I was using Apache CXF 2.7.4 and upgraded to 2.7.6 but the
> NPE remains after an application redeploy and only fixed after a full Tomcat
> restart.
>
> The NPE error I'm getting is:
> org.apache.ws.security.WSSecurityException: The signature or decryption was
> invalid
>          at
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:447)
>          at
> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
>          at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>          at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279)
>          at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
>          at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>          at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>          at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
>          at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
>          at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:203)
>          at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137)
>          at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:159)
>          at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
>          at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>          at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
>          at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>          at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>          at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>          at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>          at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>          at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>          at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>          at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>          at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
>          at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>          at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>          at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.xml.crypto.dsig.XMLSignatureException:
> java.lang.NullPointerException
>          at
> org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:553)
>          at
> org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
>          at
> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:420)
>          ... 27 more
> Caused by: java.lang.NullPointerException
>          at
> org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:167)
>          at
> org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:550)
>          ... 29 more
>
>
> What I do notice is that when I do a Tomcat start, the following 2 providers
> are loaded:
>
> 2013-08-01 15:20:24,707 DEBUG | http-8080-2 | Registering default algorithms
> | org.apache.xml.security.Init.dynamicInit(Init.java:114)
> 2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider ApacheXMLDSig -
> 1.55 was added at position: 2 |
> org.apache.ws.security.WSSConfig.addJceProvider(WSSConfig.java:893)
> 2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider STRTransform was
> added at position: 11 |
> org.apache.ws.security.WSSConfig.appendJceProvider(WSSConfig.java:968)
>
>
> However, when I do only an app restart, only 1 provider is loaded:
>
> 2013-08-01 15:34:49,313 DEBUG | http-8080-2 | Registering default algorithms
> | org.apache.xml.security.Init.dynamicInit(Init.java:114)
> 2013-08-01 15:34:49,380 DEBUG | http-8080-2 | The provider STRTransform was
> added at position: 11 |
> org.apache.ws.security.WSSConfig.appendJceProvider(WSSConfig.java:968)
>
> I tried to look at the WSSConfig code - it appears the java Security
> libraries think ApacheXMLDSig is already loaded, but when used it is null
> (I'm guessing really...)
>
> The only 'fix' I have is to put xmlsec-1.5.5.jar in an endorsed lib, but it
> then requires commons-logging-1.1.1.jar.  After both are in the endorsed
> lib, it works correctly after any type of restart, however, my logging is
> messed up and it affects other apps' logging, so not ideal 'fix'.
>
> Any help would be appreciated.
>
> Thanks
> Alex
>
>
>
>
> --
> View this message in context: http://apache-xml-project.6118.n7.nabble.com/NullPointerException-when-redeploy-webapp-possible-leak-tp40262p40384.html
> Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.
>
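
A diagnostic for the guess in the quoted message, added here as an example and not part of the thread or of the Santuario/WSS4J code: it reports whether the JCE provider registered under a name was loaded by a class loader the current application can see. `ProviderOwnerCheck`, `classify` and `StandInProvider` are hypothetical names, and the stand-in provider is constructed for the demo.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Provider;
import java.security.Security;

public class ProviderOwnerCheck {

    enum Owner { ABSENT, VISIBLE_TO_APP, FOREIGN_LOADER }

    /** Report which class loader owns the provider registered under this name. */
    static Owner classify(String providerName, ClassLoader appLoader) {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            return Owner.ABSENT;
        }
        ClassLoader owner = p.getClass().getClassLoader();
        if (owner == null) {
            return Owner.VISIBLE_TO_APP; // bootstrap loader: shared by every app
        }
        // Usable by this app only if the owner is the app's own loader or one
        // of its parents (e.g. a container-wide lib directory).
        for (ClassLoader cl = appLoader; cl != null; cl = cl.getParent()) {
            if (cl == owner) {
                return Owner.VISIBLE_TO_APP;
            }
        }
        return Owner.FOREIGN_LOADER; // registered by some other deployment
    }

    /** Constructed stand-in; the real provider class lives in xmlsec. */
    static final class StandInProvider extends Provider {
        private static final long serialVersionUID = 1L;
        StandInProvider() {
            super("ApacheXMLDSig", 1.55, "constructed stand-in for the demo");
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader firstDeploy = ProviderOwnerCheck.class.getClassLoader();
        Security.addProvider(new StandInProvider());
        System.out.println("first deploy: " + classify("ApacheXMLDSig", firstDeploy));
        // Simulated redeploy: a fresh loader unrelated to the registering one.
        try (URLClassLoader redeploy = new URLClassLoader(new URL[0], null)) {
            System.out.println("redeploy:     " + classify("ApacheXMLDSig", redeploy));
        }
        Security.removeProvider("ApacheXMLDSig");
        System.out.println("after remove: " + classify("ApacheXMLDSig", firstDeploy));
    }
}
```

In a servlet container the loader to pass in would be the webapp's context class loader, `Thread.currentThread().getContextClassLoader()`.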

