The original bug was caused by the fact that an old Tomcat version was in use. Could you retry with a more recent version of Tomcat?
Colm. On Thu, Aug 1, 2013 at 1:46 PM, Sean Mullan <[email protected]> wrote: > The NPE is thrown at line 167 in DOMSignatureMethod.java: > > if (log.isDebugEnabled()) { > > As you suggest below, it sounds like you don't have logging configured > correctly. > > --Sean > > > On 08/01/2013 02:25 AM, afmunoz wrote: > >> Hi, >> >> I also have a similar error occurring when verifying the signature on an >> inbound request. I was using Apache CXF 2.7.4 and upgraded to 2.7.6 but >> the >> NPE remains after an application redeploy and only fixed after a full >> Tomcat >> restart. >> >> The NPE error I'm getting is: >> org.apache.ws.security.**WSSecurityException: The signature or >> decryption was >> invalid >> at >> org.apache.ws.security.**processor.SignatureProcessor.** >> verifyXMLSignature(**SignatureProcessor.java:447) >> at >> org.apache.ws.security.**processor.SignatureProcessor.**handleToken(** >> SignatureProcessor.java:231) >> at >> org.apache.ws.security.**WSSecurityEngine.**processSecurityHeader(** >> WSSecurityEngine.java:396) >> at >> org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**handleMessage(** >> WSS4JInInterceptor.java:279) >> at >> org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**handleMessage(** >> WSS4JInInterceptor.java:95) >> at >> org.apache.cxf.phase.**PhaseInterceptorChain.**doIntercept(** >> PhaseInterceptorChain.java:**271) >> at >> org.apache.cxf.transport.**ChainInitiationObserver.**onMessage(** >> ChainInitiationObserver.java:**121) >> at >> org.apache.cxf.transport.http.**AbstractHTTPDestination.**invoke(** >> AbstractHTTPDestination.java:**239) >> at >> org.apache.cxf.transport.**servlet.ServletController.**invokeDestination( >> **ServletController.java:223) >> at >> org.apache.cxf.transport.**servlet.ServletController.** >> invoke(ServletController.java:**203) >> at >> org.apache.cxf.transport.**servlet.ServletController.** >> invoke(ServletController.java:**137) >> at >> org.apache.cxf.transport.**servlet.CXFNonSpringServlet.** >> invoke(CXFNonSpringServlet.**java:159) >> at >> org.apache.cxf.transport.**servlet.AbstractHTTPServlet.**handleRequest(** >> AbstractHTTPServlet.java:286) >> at >> org.apache.cxf.transport.**servlet.AbstractHTTPServlet.** >> doPost(AbstractHTTPServlet.**java:206) >> at javax.servlet.http.**HttpServlet.service(** >> HttpServlet.java:637) >> at >> org.apache.cxf.transport.**servlet.AbstractHTTPServlet.** >> service(AbstractHTTPServlet.**java:262) >> at >> org.apache.catalina.core.**ApplicationFilterChain.**internalDoFilter(** >> ApplicationFilterChain.java:**290) >> at >> org.apache.catalina.core.**ApplicationFilterChain.**doFilter(** >> ApplicationFilterChain.java:**206) >> at >> org.apache.catalina.core.**StandardWrapperValve.invoke(** >> StandardWrapperValve.java:233) >> at >> org.apache.catalina.core.**StandardContextValve.invoke(** >> StandardContextValve.java:191) >> at >> org.apache.catalina.core.**StandardHostValve.invoke(** >> StandardHostValve.java:127) >> at >> org.apache.catalina.valves.**ErrorReportValve.invoke(** >> ErrorReportValve.java:102) >> at >> org.apache.catalina.core.**StandardEngineValve.invoke(** >> StandardEngineValve.java:109) >> at >> org.apache.catalina.connector.**CoyoteAdapter.service(** >> CoyoteAdapter.java:298) >> at >> org.apache.coyote.http11.**Http11Processor.process(** >> Http11Processor.java:852) >> at >> org.apache.coyote.http11.**Http11Protocol$**Http11ConnectionHandler.** >> process(Http11Protocol.java:**588) >> at >> org.apache.tomcat.util.net.**JIoEndpoint$Worker.run(** >> JIoEndpoint.java:489) >> at java.lang.Thread.run(Thread.**java:619) >> Caused by: javax.xml.crypto.dsig.**XMLSignatureException: >> java.lang.NullPointerException >> at >> org.apache.jcp.xml.dsig.**internal.dom.DOMXMLSignature$** >> DOMSignatureValue.validate(**DOMXMLSignature.java:553) >> at >> org.apache.jcp.xml.dsig.**internal.dom.DOMXMLSignature.** >> validate(DOMXMLSignature.java:**254) >> at >> org.apache.ws.security.**processor.SignatureProcessor.** >> verifyXMLSignature(**SignatureProcessor.java:420) >> ... 27 more >> Caused by: java.lang.NullPointerException >> at >> org.apache.jcp.xml.dsig.**internal.dom.**DOMSignatureMethod.verify(** >> DOMSignatureMethod.java:167) >> at >> org.apache.jcp.xml.dsig.**internal.dom.DOMXMLSignature$** >> DOMSignatureValue.validate(**DOMXMLSignature.java:550) >> ... 29 more >> >> >> What I do notice is that when I do a Tomcat start, the following 2 >> providers >> are loaded: >> >> 2013-08-01 15:20:24,707 DEBUG | http-8080-2 | Registering default >> algorithms >> | org.apache.xml.security.Init.**dynamicInit(Init.java:114) >> 2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider ApacheXMLDSig - >> 1.55 was added at position: 2 | >> org.apache.ws.security.**WSSConfig.addJceProvider(**WSSConfig.java:893) >> 2013-08-01 15:20:24,787 DEBUG | http-8080-2 | The provider STRTransform >> was >> added at position: 11 | >> org.apache.ws.security.**WSSConfig.appendJceProvider(** >> WSSConfig.java:968) >> >> >> However, when I do only an app restart, only 1 provider is loaded: >> >> 2013-08-01 15:34:49,313 DEBUG | http-8080-2 | Registering default >> algorithms >> | org.apache.xml.security.Init.**dynamicInit(Init.java:114) >> 2013-08-01 15:34:49,380 DEBUG | http-8080-2 | The provider STRTransform >> was >> added at position: 11 | >> org.apache.ws.security.**WSSConfig.appendJceProvider(** >> WSSConfig.java:968) >> >> I tried to look at the WSSConfig code - it appears the java Security >> libraries think ApacheXMLDSig is already loaded, but when used it is null >> (I'm guessing really...) >> >> The only 'fix' I have is to put xmlsec-1.5.5.jar in an endorsed lib, but >> it >> then requires commons-logging-1.1.1.jar. After both are in the endorsed >> lib, it works correctly after any type of restart, however, my logging is >> messed up and it affects other apps' logging, so not ideal 'fix'. >> >> Any help would be appreciated. >> >> Thanks >> Alex >> >> >> >> >> -- >> View this message in context: http://apache-xml-project.** >> 6118.n7.nabble.com/**NullPointerException-when-** >> redeploy-webapp-possible-leak-**tp40262p40384.html<http://apache-xml-project.6118.n7.nabble.com/NullPointerException-when-redeploy-webapp-possible-leak-tp40262p40384.html> >> Sent from the Apache XML - Security - Dev mailing list archive at >> Nabble.com. >> >> > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
