Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

saaj-impl 1.5.3 regression with WS-Security and Apache Santuario #183

Closed
sephiroth-j opened this issue Jun 17, 2021 · 2 comments · Fixed by #211
Closed

saaj-impl 1.5.3 regression with WS-Security and Apache Santuario #183

sephiroth-j opened this issue Jun 17, 2021 · 2 comments · Fixed by #211

Comments

@sephiroth-j
Copy link
Contributor

After updating to jaxws-rt 2.3.4 with saaj-impl 1.5.3 an exception occurs when validating incoming SOAP messages secured with ws-security using wssx-impl 2.4.5.

This as been also reported as SANTUARIO-570 and it might be related to #171.

How to reproduce

Please see the attached sample project. It contains a README how to reproduce the error.
metro-jax-ws-issue-226.zip

Exception

com.sun.xml.wss.XWSSecurityException: org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:128)
        at de.sephiroth_j.demo.echo.WsSecurityHandler.verifyMessage(WsSecurityHandler.java:108)
        at de.sephiroth_j.demo.echo.WsSecurityHandler.handleMessage(WsSecurityHandler.java:67)
        at de.sephiroth_j.demo.echo.WsSecurityHandler.handleMessage(WsSecurityHandler.java:22)
        at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessage(HandlerProcessor.java:259)
        at com.sun.xml.ws.handler.HandlerProcessor.callHandlersRequest(HandlerProcessor.java:110)
        at com.sun.xml.ws.handler.ServerSOAPHandlerTube.callHandlersOnRequest(ServerSOAPHandlerTube.java:108)
        at com.sun.xml.ws.handler.HandlerTube.processRequest(HandlerTube.java:97)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1106)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1020)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:989)
        at com.sun.xml.ws.api.pipe.Fiber.run(Fiber.java:783)
        at com.sun.xml.ws.api.pipe.Fiber.start(Fiber.java:390)
        at com.sun.xml.ws.server.WSEndpointImpl.processAsync(WSEndpointImpl.java:348)
        at com.sun.xml.ws.server.WSEndpointImpl.process(WSEndpointImpl.java:378)
        at com.sun.xml.ws.transport.http.HttpAdapter.invokeAsync(HttpAdapter.java:704)
        at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:182)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:131)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:167)
        at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:831)
Caused by: com.sun.xml.wss.XWSSecurityException: org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:892)
        at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:608)
        at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:69)
        at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:248)
        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:840)
        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:792)
        at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:231)
        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:126)
        ... 43 common frames omitted
Caused by: org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
        at java.xml/com.sun.org.apache.xerces.internal.dom.ElementImpl.setIdAttributeNode(ElementImpl.java:931)
        at com.sun.xml.messaging.saaj.soap.impl.ElementImpl.setIdAttributeNode(ElementImpl.java:1695)
        at org.apache.jcp.xml.dsig.internal.dom.DOMKeyInfo.<init>(DOMKeyInfo.java:107)
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:152)
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:191)
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:147)
        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:750)
        ... 50 common frames omitted
@sephiroth-j
Copy link
Contributor Author

@lukasj, would be great if you could have look at this issue. In June we talked about it in eclipse-ee4j/metro-jax-ws#226

@sephiroth-j
Copy link
Contributor Author

sephiroth-j commented Apr 18, 2023

While testing with the changes of #173 I found the reason for this error and the fix is quite easy.

Similar to removeAttributeNode(Attr) in ElementImpl, setIdAttributeNode(Attr, boolean) must be invoked with the actual delegate attribute instance and not with the instance of com.sun.xml.messaging.saaj.soap.impl.AttrImpl. Because element is of type com.sun.org.apache.xerces.internal.dom.ElementNSImpl and the owner element of the given attribute is of type com.sun.xml.messaging.saaj.soap.impl.ElementImpl calling element.setIdAttributeNode with the SAAJ attribute does not work.

removeAttributeNode

@Override
public Attr removeAttributeNode(Attr oldAttr) throws DOMException {
if (oldAttr instanceof AttrImpl) {
oldAttr = ((AttrImpl)oldAttr).delegate;
}
return element.removeAttributeNode(oldAttr);
}

So, this will fix the error.

@Override
public void setIdAttributeNode(Attr idAttr, boolean isId) throws DOMException {
element.setIdAttributeNode(idAttr, isId);
}

     @Override
     public void setIdAttributeNode(Attr idAttr, boolean isId) throws DOMException {
-        element.setIdAttributeNode(idAttr, isId);
+        if (idAttr instanceof AttrImpl) {
+            element.setIdAttributeNode(((AttrImpl)idAttr).delegate, isId);
+        } else {
+            element.setIdAttributeNode(idAttr, isId);
+        }
     }

sephiroth-j added a commit to sephiroth-j/metro-saaj that referenced this issue Apr 18, 2023
This change fixes the delegation of setting the ID attribute node.

fixes eclipse-ee4j#183

Signed-off-by: Ronny Perinke <[email protected]>
lukasj pushed a commit that referenced this issue Apr 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant