You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Philip Helger (Jira)" <ji...@apache.org> on 2023/05/18 08:12:00 UTC
[jira] [Commented] (WSS-660) Classloading issue when having WSS4J in 2 different WARs on the same Tomcat

    [ https://issues.apache.org/jira/browse/WSS-660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723836#comment-17723836 ] 

Philip Helger commented on WSS-660:
-----------------------------------

One work around that was found by [ashoktronix27|https://github.com/ashoktronix27] as described in [https://github.com/phax/phase4/discussions/111#discussioncomment-5936313] was to put the wss4j.jar in the "tomcat/hsared/lib" folder and remove it from the individual applications "WEB-INF/lib" folders.

Not the nicest thing to do in the world, but at least a working solution :)

> Classloading issue when having WSS4J in 2 different WARs on the same Tomcat
> ---------------------------------------------------------------------------
>
>                 Key: WSS-660
>                 URL: https://issues.apache.org/jira/browse/WSS-660
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.2.4
>            Reporter: Philip Helger
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Hi,
> I'm struggling with a classloading issue, if wss4j-ws-security-dom.jar is contained in more than one web application (WAR) running on the same Tomcat.
> So assume I have 2 webapplications "wa1" and "wa2", which both contain a servlet "/sign" that does some WSS signing. First I am calling "/wa1/sign" (all good), than "/wa2/sign" (also good) and finall again "/wa1/sign" and here it breaks with an "InvalidAlgorithmParameterException" in "org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)"
> The reason is, that the expected class "AttachmentTransformParameterSpec" and the provided class "AttachmentTransformParameterSpec" come from different class loaders.
> The problem is the "WSSConfig.init()" method. Currenty I am calling this statically once per web application. This method indirectly calls the global "Security.addProvider()" which also registers the "AttachmentContentSignatureTransformProvider", but removes any previous matching provider. And therefore the registration of "/wa2" wins, because it is called second.
> This is btw. the full stack trace of the second call to "/wa1/sign", with a slightly pimped exception message to compare the classloaders:
>  {{java.security.InvalidAlgorithmParameterException: Expected AttachmentTransformParameterSpec from ParallelWebappClassLoader}}
>  {{context: cl2}}
>  {{delegate: false}}
>  {{----------> Parent Classloader:}}
>  {{java.net.URLClassLoader@335eadca}}
>  {{but got org.apache.wss4j.dom.transform.AttachmentTransformParameterSpec from ParallelWebappClassLoader}}
>  {{context: cl1}}
>  {{delegate: false}}
>  {{----------> Parent Classloader:}}
>  {{java.net.URLClassLoader@335eadca}}
>  {{instead}}
>  {{This class (AttachmentContentSignatureTransform) was loaded by ParallelWebappClassLoader}}
>  {{context: cl2}}
>  {{delegate: false}}
>  {{----------> Parent Classloader:}}
>  {{java.net.URLClassLoader@335eadca}}
>  {{org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform.init(AttachmentContentSignatureTransform.java:70)}}
>  {{org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.newTransform(DOMXMLSignatureFactory.java:316)}}
>  {{org.apache.wss4j.dom.message.WSSecSignatureBase.addAttachmentReferences(WSSecSignatureBase.java:298)}}
>  {{org.apache.wss4j.dom.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:119)}}
>  {{org.apache.wss4j.dom.message.WSSecSignature.addReferencesToSign(WSSecSignature.java:426)}}
>  {{org.apache.wss4j.dom.message.WSSecSignature.build(WSSecSignature.java:400)}}
>  
> Here is the stacktrace, how the "AttachmentContentSignatureTransform" constructor is called:
>  {{Thread [qtp1843289228-22] (Suspended (breakpoint at line 66 in AttachmentContentSignatureTransform))}}
>  {{AttachmentContentSignatureTransform.<init>() line: 66}}
>  {{NativeConstructorAccessorImpl.newInstance0(Constructor<?>, Object[]) line: not available [native method]}}
>  {{NativeConstructorAccessorImpl.newInstance(Object[]) line: 62}}
>  {{DelegatingConstructorAccessorImpl.newInstance(Object[]) line: 45}}
>  {{Constructor<T>.newInstance(Object...) line: 423}}
>  {{Provider$Service.newInstance(Object) line: 1595}}
>  {{GetInstance.getInstance(Service, Class<?>) line: 236}}
>  {{TransformService.getInstance(String, String) line: 166}}
>  {{DOMXMLSignatureFactory.newTransform(String, TransformParameterSpec) line: 312}}
>  {{WSSecSignature(WSSecSignatureBase).addAttachmentReferences(WSEncryptionPart, DigestMethod, XMLSignatureFactory) line: 298}}
>  {{WSSecSignature(WSSecSignatureBase).addReferencesToSign(Document, List<WSEncryptionPart>, WSDocInfo, XMLSignatureFactory, boolean, String) line: 119}}
>  {{WSSecSignature.addReferencesToSign(List<WSEncryptionPart>) line: 426}}
>  {{WSSecSignature.build(Crypto) line: 400}}
> Any suggestions on what I can do to work around that issue?
> Thanks, Philip



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org