tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 6.x leak with WSS4J library
Date Wed, 19 Jun 2013 20:12:36 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jose,

On 6/19/13 11:04 AM, Jose MarĂ­a Zaragoza wrote:
> This isn't an error in Tomcat, but it's an error what happens in
> my web application by using Apache CXF +  WSS4J.
> 
> I'm using Tomcat 6.0.24 and I've found that it's fixed in 7.0.41 ( 
> but not in 6.03.7 )

I'm surprised that it works in later versions of Tomcat, given what I
suspect the problem to be.

> But , for bussiness matters, I cannot upgrade from 6.0.24 to 7.x

You should at least upgrade to 6.0.37. 6.0.24 was a long time ago, and
security fixes are available. You are 3 years out of date right now:
https://tomcat.apache.org/security-6.html

> I would like if somebody can address to me about what I could
> patch in my Tomcat 6.x server to fix some that was solved in 7.x.
> If more info is needed , I don't any problem providing it

I believe it is your web application that needs to be patched.

> When I redeploy my WAR into Tomcat server *without restart it*  ,
> I always get the next exception:
> 
> Caused by: org.apache.ws.security.WSSecurityException: Error during
> Signature:

Why is your web application attempting to get a message's signature
during shutdown?

> at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
>
>
> 
~[cxf-rt-frontend-jaxws-2.7.3.jar:2.7.3]
> ... 41 common frames omitted

.. oh, we won't know.

> Caused by: org.apache.ws.security.WSSecurityException: Signature 
> creation failed at 
> org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:558)
>
>
> 
~[wss4j-1.6.9.jar:1.6.9]
> at 
> org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:99)
>
>
> 
~[wss4j-1.6.9.jar:1.6.9]
> ... 52 common frames omitted Caused by: 
> java.lang.NullPointerException: null at 
> org.apache.jcp.xml.dsig.internal.dom.DOMReference.marshal(DOMReference.java:297)
>
>
> 
~[xmlsec-1.5.3.jar:1.5.3]
> at 
> org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo.marshal(DOMSignedInfo.java:268)
>
>
> 
~[xmlsec-1.5.3.jar:1.5.3]
> at 
> org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.marshal(DOMXMLSignature.java:216)
>
>
> 
~[xmlsec-1.5.3.jar:1.5.3]
> at 
> org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:329)
>
>
> 
~[xmlsec-1.5.3.jar:1.5.3]
> at 
> org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:553)
>
>
> 
~[wss4j-1.6.9.jar:1.6.9]
> ... 53 common frames omitted

It would be great to see the full stack trace with no "common frames
omitted".

> Any idea ?

I think you have to use a ServletContextListener to properly tear-down
your resources, otherwise they may be torn-down after Tomcat does
things such as nulling-out static field references, which is likely to
be the problem you are encountering, here.

> I've to restart Tomcat server and all works fine again Looks like
> a leak
> 
> When fails, if  I enable debug logging level, I don't see the the 
> log message in DOMReference.java , line 297
> 
> if (log.isDebugEnabled()) { log.debug("Marshalling Reference");
> 
> }

That's because the "log" reference is null.

If you just want Tomcat to stop throwing this error, you could
probably set this system property when running Tomcat:

- -Dorg.apache.catalina.loader.
WebappClassLoader.ENABLE_CLEAR_REFERENCES=false

http://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html#Other

You probably will still have a resource-management problem, but it
might stop bombing when you reload your webapp.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRwhC0AAoJEBzwKT+lPKRYPYIP/0qVTz/bfJb71+4qGMVAWRv6
LlU4x9SD1ESE0dPsDOH9nVlRQvXh0mb092ASUKN/yZS0zTD63sjRWWGintotu75L
p04TwKrWBbu3rgTKwZBxmAz83TIH7LnN79T09xNKhQhmjQorTjzJGncWXN5lv5Sr
pRukKbT8xOwRZH0K2QiOv/vUikdYOXEO2RNpNexohmvKKHHcDifiedtyB/EhHd3h
sqM5leCkg6XU0YBMsyokqB1Svv4u5aTxjBJoC9NXKHIvwj3ozIsgFc/FN8BstDh4
vuqC9mIaz4QJWx3vWleJ/6WWLmQ41JrFIG0KtA3gTcLmGpoo7033YMoQ7Dk0cgi2
3RSqMcAVY1y14X1UGv7Qc5WTJl1a1Fz5Uc1HPrGFl0TsPM9N1louZi6pp8VyCEth
8LFMvTiIhCVOxW8DK5ns0jI90VDEMeGaN9zM+OFYVYc3STd4IuQC1iE375nhP9oC
XgIxe6blKaAdwdZSKprvcFEmwf+m2onDzdL769Qh8U4kbAwj0eNkEOW0N6aF92iM
Akm+hqkyDWXTo1BMO+GNfDH7ZG9iR20ot3M1zPnsYjlUsPrEzY10VibfFPuVOgAX
D7l500QlyFOC/vrilWwMorxXm7BJBMGyY87Yl1fVjgPMWKR5fkv5AGRHGG/48Qxs
UyXmHVg+N17tkVPnAYMn
=8d8N
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message