Posted to rampart-dev@ws.apache.org by "Joana M. F. Trindade" <jm...@gmail.com> on 2008/01/11 15:59:56 UTC

Service calling the STS - Two different policies and class loader issue

Hi all,

I have a service "A" (secured with a policy on services.xml) and an STS
(Rahas based, using the default issuer from Rampart distribution, also with
a policy on services.xml). The scenario is as follows:

1.) A client application sends a request to service A, according to service
A's policy. This request contains a SAML token issued by the STS.
2.) Service A receives the client request, and sends a response based on the
validity of the SAML token.

In order to check the validity of the SAML token, service A calls the
"RequestSecurityToken" from the STS set to "RST/Validate". To make this
request, service A loads the STS policy on the
org.apache.axis2.client.ServiceClient instance. However, the Rampart handler
throws a ClassNotFoundException referring to the password callback handler
class. This class is deployed in the service, and is the same one used for
the regular policy (without any problems). From the stack trace, it seems
that the "wrong" class loader is being used. My question is: is there a way
to specify which class loader to use (for the password callback class) when
adding crypto configuration to the loaded policy?

Thanks and regards,
Joana

-- 
Student Intern
SAP Research - Security & Trust
SAP Labs France

805 Avenue du Dr. Maurice Donat
06250 Mougins
T +33/492286319
F +33/492286201
Personal Homepage: http://www.inf.ufrgs.br/~jmftrindade