It's already fixed (in WSS4J 1.6.9), which is included with the forthcoming CXF 2.7.2 release.
Colm.

On Mon, Jan 7, 2013 at 11:21 AM, Peter Schyma <[email protected]> wrote:

> Hi,
>
> we are using Fediz IDP (1.1-SNAPSHOT) with CXF STS in Karaf 2.3.0. Both
> are deployed as separate bundles in the same karaf instance (together with
> other bundles which also use CXF). In order to avoid problems with the
> shared default bus from the CXF bundles we already use a named bus in each
> bundle to configure bundle specific aspects.
>
> But after upgrading the karaf features to CXF 2.7.1 we always get a
> ClassCastException at the STS when the IDP requests the token for the RP:
>
> java.lang.ClassCastException: org.jcp.xml.dsig.internal.dom.DOMKeyInfoFactory cannot be cast to javax.xml.crypto.dsig.keyinfo.KeyInfoFactory
>     at javax.xml.crypto.dsig.keyinfo.KeyInfoFactory.findInstance(KeyInfoFactory.java:158)
>     at javax.xml.crypto.dsig.keyinfo.KeyInfoFactory.getInstance(KeyInfoFactory.java:142)
>     at org.apache.ws.security.saml.SAMLUtil.getCredentialDirectlyFromKeyInfo(SAMLUtil.java:380)
>     at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:541)
>     at org.apache.cxf.sts.token.validator.SAMLTokenValidator.validateToken(SAMLTokenValidator.java:177)[168:org.apache.cxf.services.sts.core:2.7.1]
>     at org.apache.cxf.sts.operation.AbstractOperation.validateReceivedToken(AbstractOperation.java:554)[168:org.apache.cxf.services.sts.core:2.7.1]
>     at org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle(TokenIssueOperation.java:114)[168:org.apache.cxf.services.sts.core:2.7.1]
>     at org.apache.cxf.sts.operation.TokenIssueOperation.issue(TokenIssueOperation.java:70)[168:org.apache.cxf.services.sts.core:2.7.1]
>
> After tracing this down we finally discovered that the issue is originated
> from a failing JCE Provider registration in wss4j. wss4j attempts to
> register the "ApacheXMLDSig" provider from xmlsec jar but fails because
> this class is not visible to the class loader which it tries to use:
> currentThread#contextClassLoader which is an instance of
> org.apache.cxf.bus.blueprint.BundleDelegatingClassLoader. The delegate
> for the class loader is the class loader from another bundle which uses CXF
> and is started prior to our STS bundle.
>
> wss4j ignores the failed registration attempt of the provider and later
> tries to use it. But since the provider is not available, wss4j requests
> the default provider. This request leads to the ClassCastException above.
>
> We are using latest Java 7 from Oracle and OpenJDK and both fail with the
> above ClassCastException.
>
> Using CXF 2.7.0 the order in which our bundles are started does not matter.
>
> Greetings
> Peter
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
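The failure mode described in the quoted report (a provider registration that fails silently, followed by a fallback to the default provider during SAML signature verification) can be checked for directly. The following is an added diagnostic example, not code from WSS4J, CXF or this thread, and not the fix shipped in WSS4J 1.6.9. It assumes the xmlsec provider class is `org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI`; the class name `XmlDsigProviderCheck` and the fallback to the caller's own class loader are illustrative choices.

```java
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;

public class XmlDsigProviderCheck {
    // Assumption: provider implementation class inside the xmlsec jar.
    static final String PROVIDER_CLASS = "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI";
    // Provider name as given in the report.
    static final String PROVIDER_NAME = "ApacheXMLDSig";

    /** Registers the provider, or throws; a failed registration is never swallowed. */
    static Provider register(ClassLoader own) throws Exception {
        Provider existing = Security.getProvider(PROVIDER_NAME);
        if (existing != null) {
            return existing;
        }
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        Class<?> cls;
        try {
            if (tccl == null) {
                throw new ClassNotFoundException(PROVIDER_CLASS);
            }
            cls = Class.forName(PROVIDER_CLASS, true, tccl);
        } catch (ClassNotFoundException e) {
            // The context class loader may delegate to a different bundle that
            // cannot see xmlsec; retry with the loader of the calling code.
            // If this also fails, the ClassNotFoundException reaches the caller.
            cls = Class.forName(PROVIDER_CLASS, true, own);
        }
        Provider p = (Provider) cls.getDeclaredConstructor().newInstance();
        Security.addProvider(p);
        return p;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("context class loader: "
                + Thread.currentThread().getContextClassLoader());
        Provider p = register(XmlDsigProviderCheck.class.getClassLoader());
        // Ask for the factory from the named provider explicitly, so a missing
        // provider surfaces here instead of as a later ClassCastException.
        KeyInfoFactory kif = KeyInfoFactory.getInstance("DOM", p);
        System.out.println("KeyInfoFactory: " + kif.getClass().getName()
                + " loaded by " + kif.getClass().getClassLoader());
        System.out.println("provider: " + kif.getProvider().getName());
    }
}
```

Run from inside the affected bundle (for example from an activator), the output shows which class loader supplied the factory, which is the detail that depends on bundle start order in the report.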
