Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-320

ClassCastException when verifying XML signature, multiple WARs deployed to same Tomcat instance

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.6.2, 1.6.3
    • 1.6.4
    • WSS4J Core
    • Tomcat 7.0.16, 6.0.33

    Description

      When I have multiple WARs deployed in the same Tomcat instance, I receive the following exception when attempting to verify a signature in the security header:

      Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: java.lang.ClassCastException: org.apache.ws.security.WSDocInfo cannot be cast to org.apache.ws.security.WSDocInfo
      at org.jcp.xml.dsig.internal.dom.DOMReference.transform(Unknown Source)
      at org.jcp.xml.dsig.internal.dom.DOMReference.validate(Unknown Source)
      at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(Unknown Source)
      at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:348)
      ... 34 more
      Caused by: javax.xml.crypto.dsig.TransformException: java.lang.ClassCastException: org.apache.ws.security.WSDocInfo cannot be cast to org.apache.ws.security.WSDocInfo
      at org.apache.ws.security.transform.STRTransform.transformIt(STRTransform.java:264)
      at org.apache.ws.security.transform.STRTransform.transform(STRTransform.java:121)
      at org.jcp.xml.dsig.internal.dom.DOMTransform.transform(Unknown Source)
      ... 38 more
      Caused by: java.lang.ClassCastException: org.apache.ws.security.WSDocInfo cannot be cast to org.apache.ws.security.WSDocInfo
      at org.apache.ws.security.transform.STRTransform.transformIt(STRTransform.java:184)
      ... 40 more

      When I put each WAR into its own Tomcat instance, the issue does not occur. I am using WSS4J with CXF on Tomcat 7.0.16.

      I do not know much about the implementation of WSS4J, but I suspect this is a class loader issue related to https://issues.apache.org/jira/browse/WSS-282.

      Attachments

        1. wss4j-1.6.4-SNAPSHOT.jar
          383 kB
          Colm O hEigeartaigh

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            coheigea Colm O hEigeartaigh
            jpnh John Lazos
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment