CXF-4357

NullPointerException in the TransportBindingHandler

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.6, 2.4.8, 2.5.4
    • Fix Version/s: 2.4.9, 2.5.5, 2.6.2
    • Component/s: Core
    • Labels:
      None
    • Environment:

      Tomcat7.0.27, Apache CXF2.6.0, ADFS2.0 as STS

    • Estimated Complexity:
      Unknown

      Description

      I have a WSP, WSC and STS (ADFS2.0) environment.
      1. WSP:
      Uses SymmetricBinding, and the ProtectionToken is an IssuedToken
      2. STS: ADFS2.0
      Uses TransportBinding, and client authentication is done via UT

      When I run the client, I get the following NPE. For details, please refer to the CXF-USER thread http://cxf.547215.n5.nabble.com/Proglem-with-loading-Apache-CXF-STS-with-UT-authentication-td5708523.html. If you need further information, please reach me at ginachoi88@gmail.com

      Caused by: java.lang.NullPointerException
      at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
      at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:283)
      at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:240)
      at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:147)
      at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:159)
      at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:89)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
      at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:722)
      at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:602)
      at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:594)
      at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.getTokenFromSTS(IssuedTokenInterceptorProvider.java:404)
      at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:188)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
      at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
      at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)

      1. adfs_new_simple.wsdl
        6 kB
        Gina Choi
      2. cxf.xml
        4 kB
        Gina Choi
      3. DoubleIt.wsdl
        9 kB
        Gina Choi

        Activity

        gchoi Gina Choi added a comment -

        Fix verified. Now the client is able to send the RST to the STS. Thanks.

        gchoi Gina Choi added a comment -

        I debugged my client to check the following error messages that I am receiving
        when I run the client. I found the cause of the NPE. In
        org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.java,
        we have the doIssuedTokenSignature(Token token, SignedEncryptedParts
        signdParts, TokenWrapper wrapper) method.

        In line 403, getSecurityToken() is allowed to return null, and in my case
        the value of secTok is null.

            SecurityToken secTok = getSecurityToken();

            protected SecurityToken getSecurityToken() {
                SecurityToken st =
                    (SecurityToken)message.getContextualProperty(SecurityConstants.TOKEN);
                if (st == null) {
                    String id =
                        (String)message.getContextualProperty(SecurityConstants.TOKEN_ID);
                    if (id != null) {
                        st = getTokenStore().getToken(id);
                    }
                }
                if (st != null) {
                    getTokenStore().add(st);
                    return st;
                }
                return null;
            }

        The following is the content from line 424 to 441.
        In line 429, secTok.getX509Certificate() is called without checking whether
        the value of secTok is null. This throws an NPE in my case. The condition
        should be checked. On the other hand, I might need to find a way to avoid
        having a null value for SecurityToken.

            if (signdParts != null) {
                if (signdParts.isBody()) {
                    WSEncryptionPart bodyPart = convertToEncryptionPart(SAAJUtils.getBody(saaj));
                    sigParts.add(bodyPart);
                }
        429:    if (secTok.getX509Certificate() != null) {
                    //the "getX509Certificate" this is to workaround an issue in WCF
                    //In WCF, for TransportBinding, in most cases, it doesn't want any of
                    //the headers signed even if the policy says so. HOWEVER, for KeyValue
                    //IssuedTokens, it DOES want them signed
                    for (Header header : signdParts.getHeaders()) {
                        WSEncryptionPart wep = new WSEncryptionPart(header.getName(), header.getNamespace(), "Content");
                        sigParts.add(wep);
                    }
                }
            }
        gchoi Gina Choi added a comment -

        Attached STS wsdl file, client configuration file and web service wsdl file.

        gchoi Gina Choi added a comment -

        STS wsdl file.


          People

          • Assignee:
            coheigea Colm O hEigeartaigh
            Reporter:
            gchoi Gina Choi