santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: NullPointerException when redeploy webapp, possible leak
Date Thu, 01 Aug 2013 12:52:34 GMT
The original bug was caused by the fact that an old Tomcat version was in
use. Could you retry with a more recent version of Tomcat?

Colm.


On Thu, Aug 1, 2013 at 1:46 PM, Sean Mullan <sean.mullan@oracle.com> wrote:

> The NPE is thrown at line 167 in DOMSignatureMethod.java:
>
>         if (log.isDebugEnabled()) {
>
> As you suggest below, it sounds like you don't have logging configured
> correctly.
>
> --Sean
>
>
> On 08/01/2013 02:25 AM, afmunoz wrote:
>
>> Hi,
>>
>> I also have a similar error occurring when verifying the signature on an
>> inbound request. I was using Apache CXF 2.7.4 and upgraded to 2.7.6 but
>> the
>> NPE remains after an application redeploy and only fixed after a full
>> Tomcat
>> restart.
>>
>> The NPE error I'm getting is:
>> org.apache.ws.security.**WSSecurityException: The signature or
>> decryption was
>> invalid
>>          at
>> org.apache.ws.security.**processor.SignatureProcessor.**
>> verifyXMLSignature(**SignatureProcessor.java:447)
>>          at
>> org.apache.ws.security.**processor.SignatureProcessor.**handleToken(**
>> SignatureProcessor.java:231)
>>          at
>> org.apache.ws.security.**WSSecurityEngine.**processSecurityHeader(**
>> WSSecurityEngine.java:396)
>>          at
>> org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**handleMessage(**
>> WSS4JInInterceptor.java:279)
>>          at
>> org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**handleMessage(**
>> WSS4JInInterceptor.java:95)
>>          at
>> org.apache.cxf.phase.**PhaseInterceptorChain.**doIntercept(**
>> PhaseInterceptorChain.java:**271)
>>          at
>> org.apache.cxf.transport.**ChainInitiationObserver.**onMessage(**
>> ChainInitiationObserver.java:**121)
>>          at
>> org.apache.cxf.transport.http.**AbstractHTTPDestination.**invoke(**
>> AbstractHTTPDestination.java:**239)
>>          at
>> org.apache.cxf.transport.**servlet.ServletController.**invokeDestination(
>> **ServletController.java:223)
>>          at
>> org.apache.cxf.transport.**servlet.ServletController.**
>> invoke(ServletController.java:**203)
>>          at
>> org.apache.cxf.transport.**servlet.ServletController.**
>> invoke(ServletController.java:**137)
>>          at
>> org.apache.cxf.transport.**servlet.CXFNonSpringServlet.**
>> invoke(CXFNonSpringServlet.**java:159)
>>          at
>> org.apache.cxf.transport.**servlet.AbstractHTTPServlet.**handleRequest(**
>> AbstractHTTPServlet.java:286)
>>          at
>> org.apache.cxf.transport.**servlet.AbstractHTTPServlet.**
>> doPost(AbstractHTTPServlet.**java:206)
>>          at javax.servlet.http.**HttpServlet.service(**
>> HttpServlet.java:637)
>>          at
>> org.apache.cxf.transport.**servlet.AbstractHTTPServlet.**
>> service(AbstractHTTPServlet.**java:262)
>>          at
>> org.apache.catalina.core.**ApplicationFilterChain.**internalDoFilter(**
>> ApplicationFilterChain.java:**290)
>>          at
>> org.apache.catalina.core.**ApplicationFilterChain.**doFilter(**
>> ApplicationFilterChain.java:**206)
>>          at
>> org.apache.catalina.core.**StandardWrapperValve.invoke(**
>> StandardWrapperValve.java:233)
>>          at
>> org.apache.catalina.core.**StandardContextValve.invoke(**
>> StandardContextValve.java:191)
>>          at
>> org.apache.catalina.core.**StandardHostValve.invoke(**
>> StandardHostValve.java:127)
>>          at
>> org.apache.catalina.valves.**ErrorReportValve.invoke(**
>> ErrorReportValve.java:102)
>>          at
>> org.apache.catalina.core.**StandardEngineValve.invoke(**
>> StandardEngineValve.java:109)
>>          at
>> org.apache.catalina.connector.**CoyoteAdapter.service(**
>> CoyoteAdapter.java:298)
>>          at
>> org.apache.coyote.http11.**Http11Processor.process(**
>> Http11Processor.java:852)
>>          at
>> org.apache.coyote.http11.**Http11Protocol$**Http11ConnectionHandler.**
>> process(Http11Protocol.java:**588)
>>          at
>> org.apache.tomcat.util.net.**JIoEndpoint$Worker.run(**
>> JIoEndpoint.java:489)
>>          at java.lang.Thread.run(Thread.**java:619)
>> Caused by: javax.xml.crypto.dsig.**XMLSignatureException:
>> java.lang.NullPointerException
>>          at
>> org.apache.jcp.xml.dsig.**internal.dom.DOMXMLSignature$**
>> DOMSignatureValue.validate(**DOMXMLSignature.java:553)
>>          at
>> org.apache.jcp.xml.dsig.**internal.dom.DOMXMLSignature.**
>> validate(DOMXMLSignature.java:**254)
>>          at
>> org.apache.ws.security.**processor.SignatureProcessor.**
>> verifyXMLSignature(**SignatureProcessor.java:420)
>>          ... 27 more
>> Caused by: java.lang.NullPointerException
>>          at
>> org.apache.jcp.xml.dsig.**internal.dom.**DOMSignatureMethod.verify(**
>> DOMSignatureMethod.java:167)
>>          at
>> org.apache.jcp.xml.dsig.**internal.dom.DOMXMLSignature$**
>> DOMSignatureValue.validate(**DOMXMLSignature.java:550)
>>          ... 29 more
>>
>>
>> What I do notice is that when I do a Tomcat start, the following 2
>> providers
>> are loaded:
>>
>> 2013-08-01 15:20:24,707 DEBUG | http-8080-2 | Registering default
>> algorithms
>> | org.apache.xml.security.Init.**dynamicInit(Init.java:114)
>> 2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider ApacheXMLDSig -
>> 1.55 was added at position: 2 |
>> org.apache.ws.security.**WSSConfig.addJceProvider(**WSSConfig.java:893)
>> 2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider STRTransform
>> was
>> added at position: 11 |
>> org.apache.ws.security.**WSSConfig.appendJceProvider(**
>> WSSConfig.java:968)
>>
>>
>> However, when I do only an app restart, only 1 provider is loaded:
>>
>> 2013-08-01 15:34:49,313 DEBUG | http-8080-2 | Registering default
>> algorithms
>> | org.apache.xml.security.Init.**dynamicInit(Init.java:114)
>> 2013-08-01 15:34:49,380 DEBUG | http-8080-2 | The provider STRTransform
>> was
>> added at position: 11 |
>> org.apache.ws.security.**WSSConfig.appendJceProvider(**
>> WSSConfig.java:968)
>>
>> I tried to look at the WSSConfig code - it appears the java Security
>> libraries think ApacheXMLDSig is already loaded, but when used it is null
>> (I'm guessing really...)
>>
>> The only 'fix' I have is to put xmlsec-1.5.5.jar in an endorsed lib, but
>> it
>> then requires commons-logging-1.1.1.jar.  After both are in the endorsed
>> lib, it works correctly after any type of restart, however, my logging is
>> messed up and it affects other apps' logging, so not ideal 'fix'.
>>
>> Any help would be appreciated.
>>
>> Thanks
>> Alex
>>
>>
>>
>>
>> --
>> View this message in context: http://apache-xml-project.**
>> 6118.n7.nabble.com/**NullPointerException-when-**
>> redeploy-webapp-possible-leak-**tp40262p40384.html<http://apache-xml-project.6118.n7.nabble.com/NullPointerException-when-redeploy-webapp-possible-leak-tp40262p40384.html>
>> Sent from the Apache XML - Security - Dev mailing list archive at
>> Nabble.com.
>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
View raw message