  1. WSS4J
  2. WSS-654

WSSecurityUtil throws NPE when security manager is enabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: WSS4J Core
    • Labels:
      None

      Description

      When the security manager is enabled, WSSecurityUtils throws an NPE caused by an AccessControlException:

      2019-09-05 11:41:46,602 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-1) Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now: java.lang.NullPointerException
      	at java.xml/com.sun.org.apache.xerces.internal.dom.ParentNode.internalInsertBefore(ParentNode.java:300)
      	at java.xml/com.sun.org.apache.xerces.internal.dom.ParentNode.insertBefore(ParentNode.java:287)
      	at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.prependChildElement(WSSecurityUtil.java:319)
      	at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.findWsseSecurityHeaderBlock(WSSecurityUtil.java:438)
      	at org.apache.ws.security//org.apache.wss4j.dom.message.WSSecHeader.insertSecurityHeader(WSSecHeader.java:165)
      	at org.apache.cxf.ws-security@3.3.2//org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(PolicyBasedWSS4JOutInterceptor.java:144)
      	at org.apache.cxf.ws-security@3.3.2//org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:109)
      	at org.apache.cxf.ws-security@3.3.2//org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:96)
      	at org.apache.cxf@3.3.2//org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
      

      The root cause of this NPE is an AccessControlException: Permission check failed (permission "("java.lang.RuntimePermission" "accessClassInPackage.com.sun.org.apache.xerces.internal.dom")"

      "accessClassInPackage.com.sun.org.apache.xerces.internal.dom")"
      2019-09-05 11:41:37,366 ERROR [stderr] (default task-1) 	at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
      2019-09-05 11:41:37,368 ERROR [stderr] (default task-1) 	at java.base/java.lang.Class.checkPackageAccess(Class.java:2870)
      2019-09-05 11:41:37,369 ERROR [stderr] (default task-1) 	at java.base/java.lang.Class.checkMemberAccess(Class.java:2851)
      2019-09-05 11:41:37,370 ERROR [stderr] (default task-1) 	at java.base/java.lang.Class.getMethod(Class.java:2105)
      2019-09-05 11:41:37,371 ERROR [stderr] (default task-1) 	at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.getDomElement(WSSecurityUtil.java:641)
      2019-09-05 11:41:37,372 ERROR [stderr] (default task-1) 	at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.prependChildElement(WSSecurityUtil.java:312)
      2019-09-05 11:41:37,372 ERROR [stderr] (default task-1) 	at org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.findWsseSecurityHeaderBlock(WSSecurityUtil.java:438)
      2019-09-05 11:41:37,373 ERROR [stderr] (default task-1) 	at org.apache.ws.security//org.apache.wss4j.dom.message.WSSecHeader.insertSecurityHeader(WSSecHeader.java:165)
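
A triage helper for log excerpts like the two above, added here as an example (it is not part of the report or of WSS4J): it pairs each "Permission check failed" denial with the first non-JDK stack frame below it, which names the module whose code triggered the check. The sample log is constructed from the lines quoted in the description, and treating `java.`/`jdk.` module prefixes as JDK frames is an assumption.

```python
import re

# Constructed sample: message and frames follow the log lines quoted in the
# report, with timestamps trimmed.
SAMPLE_LOG = '''\
ERROR [stderr] (default task-1) java.security.AccessControlException: Permission check failed (permission "("java.lang.RuntimePermission" "accessClassInPackage.com.sun.org.apache.xerces.internal.dom")"
ERROR [stderr] (default task-1) \tat java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
ERROR [stderr] (default task-1) \tat java.base/java.lang.Class.checkPackageAccess(Class.java:2870)
ERROR [stderr] (default task-1) \tat java.base/java.lang.Class.getMethod(Class.java:2105)
ERROR [stderr] (default task-1) \tat org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.getDomElement(WSSecurityUtil.java:641)
ERROR [stderr] (default task-1) \tat org.apache.ws.security//org.apache.wss4j.dom.util.WSSecurityUtil.prependChildElement(WSSecurityUtil.java:312)
'''

# Denial message: captures the permission class and the permission name.
DENIAL = re.compile(r'Permission check failed \(permission "\("(?P<type>[^"]+)" "(?P<name>[^"]+)"')
# Stack frame with a module prefix: "at <module>/<class.method>(" or "at <module>//<class.method>(".
FRAME = re.compile(r'\bat (?P<module>[^/\s]+)/+(?P<method>[\w.$<>]+)\(')
JDK_PREFIXES = ("java.", "jdk.")  # assumption: these module prefixes mark JDK frames


def denied_permissions(log_text):
    """Pair each denial with the first non-JDK frame below it.

    Returns a de-duplicated list of (type, name, module, method) tuples.
    """
    results, pending = [], None
    for line in log_text.splitlines():
        denial = DENIAL.search(line)
        if denial:
            pending = (denial["type"], denial["name"])
            continue
        frame = FRAME.search(line)
        if pending and frame and not frame["module"].startswith(JDK_PREFIXES):
            entry = pending + (frame["module"], frame["method"])
            if entry not in results:
                results.append(entry)
            pending = None  # later frames belong to callers further up the stack
    return results


if __name__ == "__main__":
    for ptype, name, module, method in denied_permissions(SAMPLE_LOG):
        print(f'{module}: {ptype} "{name}" (requested in {method})')
```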
      
      

        Attachments

        1. WSS-654.patch
          8 kB
          Jim Ma

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              ema Jim Ma