7 Replies Latest reply on May 29, 2015 2:40 AM by asoldano

    OpenSAML classloading issue

    fcorneli

      Hi,

       

      Seems like there are some classloading issues when trying to use OpenSAML to construct an STS and at the same time (within the same WAR) doing a SAML Browser POST using OpenSAML.

      I can only get one of the two stable. For example, if I embed OpenSAML within my WAR, I get the following STS error:

      loader constraint violation: when resolving method "org.apache.ws.security.saml.ext.AssertionWrapper.getSaml2()Lorg/opensaml/saml2/core/Assertion;"
      

      If I don't embed OpenSAML within my WAR, then the Browser POST explodes with:

      java.lang.ClassNotFoundException: org.apache.velocity.app.Velocity from [Module "org.opensaml:main" from local module loader 
      

      I tried to "fix" org/opensaml/main/module.xml to include velocity, xerces, servlet api, esapi, bcprov, but I still get weird exceptions.

      As a workaround I'll do my own SAML library just using JAXB and JSR 105. Anyway, using OpenSAML should not be this painful, so maybe someone from JBoss can dive into this classloading issue.

      Although JBoss EAP 6/WildFly is already far less painful when it comes to classloading issues (compared to JBoss AS 5/6), the fight continues for libraries that nest themselves rather deep (via META-INF/services loading, or security providers). Isn't there really a solution to get rid of classloading issues within Java once and for all?

       

      Kind Regards,
      Frank.

        • 1. Re: OpenSAML classloading issue
          jaikiran

          Can you please post the entire exception stacktrace and more details about your application packaging and what jars they contain?

          • 2. Re: OpenSAML classloading issue
            fcorneli

            I'll try to isolate the "event" within an Arquillian based integration test that I can post.

            • 3. Re: Re: OpenSAML classloading issue
              fcorneli

              The following Arquillian integration test already demonstrates that the org.opensaml module within JBoss is incomplete when you try to initialize OpenSAML.

              import org.jboss.arquillian.container.test.api.Deployment;
              import org.jboss.arquillian.junit.Arquillian;
              import org.jboss.shrinkwrap.api.ShrinkWrap;
              import org.jboss.shrinkwrap.api.asset.StringAsset;
              import org.jboss.shrinkwrap.api.spec.WebArchive;
              import org.junit.Test;
              import org.junit.runner.RunWith;
              import org.opensaml.DefaultBootstrap;
              
              @RunWith(Arquillian.class)
              public class OpenSamlTest {
              
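                  @Deployment
                  public static WebArchive createTestArchive() {
                      // Empty WAR: no OpenSAML jar is bundled. The manifest entry makes the
                      // deployment depend on the container's own org.opensaml module instead.
                      WebArchive war = ShrinkWrap
                              .create(WebArchive.class, "test.war")
                              .addAsManifestResource(new StringAsset("Dependencies: org.opensaml\n"), "MANIFEST.MF");
                      return war;
                  }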
              
                  @Test
                  public void testBootstrap() throws Exception {
                      DefaultBootstrap.bootstrap();
                  }
              }
              
              
              
              
              

              This gives you the following exception:

              java.lang.NoClassDefFoundError: org/apache/velocity/app/Velocity
                  at org.opensaml.DefaultBootstrap.initializeVelocity(DefaultBootstrap.java:172) [opensaml-2.5.3.redhat-2.jar:2.5.3.redhat-2]
                  at org.opensaml.DefaultBootstrap.bootstrap(DefaultBootstrap.java:89) [opensaml-2.5.3.redhat-2.jar:2.5.3.redhat-2]
              
              

              According to https://docs.jboss.org/author/display/JBWS/WS-Trust+and+STS#WS-TrustandSTS-SecurityTokenService%28STS%29 you need to add org.apache.cxf.impl if you want to implement an STS. This one refers to the org.opensaml module. Hence the JBoss provided opensaml will be used in the STS case. If you then at the same time want to implement SAML Browser POST using OpenSAML, you run into the above trouble.

              • 4. Re: OpenSAML classloading issue
                jaikiran

                This appears to be fixed in WildFly upstream (nightly builds) in this commit https://github.com/wildfly/wildfly/commit/b8f774c920b97ce18b7f8994edfa5f3149ccec1d#diff-600376dffeb79835ede4a0b285078036R208 where the opensaml dependency was upgraded to 2.6.1, in which I no longer see any velocity reference in the DefaultBootstrap code.

                 

                However, it's an issue in WildFly 8.2.0.Final and probably even JBoss EAP. I don't think either of these versions ship a velocity module, so it probably isn't a case of adding that dependency in the opensaml module.xml.

                • 5. Re: OpenSAML classloading issue
                  gtardini

                  I have the same problem with JBoss EAP 6.3.3. So is there no way you can use the OpenSaml module?

                  • 6. Re: OpenSAML classloading issue
                    jaikiran

                    Don't know if this affects EAP. Maybe asoldano would know.

                    • 7. Re: OpenSAML classloading issue
                      asoldano

                      Did any of you try adding a dependency to the org.apache.velocity module within the opensaml one? I'd say that would solve the NCDFE above.

                      In any case, if this is affecting a JBoss EAP version, please get in touch with the support and have a Bugzilla ticket opened for it, we'll fix the issue.
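
Both failures in this thread come down to which classloader defines a class, so a small probe run inside the deployment (for example from the Arquillian test above) shows where each class comes from and whether the deployment and WSS4J's `AssertionWrapper` see the same `Assertion` class. This is an added example, not code from the thread or from JBoss; the class name `LoaderProbe` and its methods are hypothetical, and only the three class names are taken from the error messages above.

```java
import java.security.CodeSource;

/** Added diagnostic (hypothetical class name): shows which loader defines each class. */
public final class LoaderProbe {

    /** Describes the defining loader and jar of a class, or the failure to load it. */
    static String describe(String className, ClassLoader from) {
        try {
            // initialize=false: locate the class without running its static initializers
            Class<?> c = Class.forName(className, false, from);
            CodeSource src = c.getProtectionDomain().getCodeSource();
            return className + "\n  defined by: " + c.getClassLoader()
                    + "\n  location:   " + (src == null ? "(none)" : src.getLocation());
        } catch (ClassNotFoundException | LinkageError e) {
            return className + "\n  NOT LOADABLE: " + e;
        }
    }

    /** True when both loaders resolve the name to the very same Class object. */
    static boolean sameClass(String className, ClassLoader a, ClassLoader b) {
        try {
            return Class.forName(className, false, a) == Class.forName(className, false, b);
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    public static String report() {
        ClassLoader deployment = Thread.currentThread().getContextClassLoader();
        String assertion = "org.opensaml.saml2.core.Assertion";
        String wrapper = "org.apache.ws.security.saml.ext.AssertionWrapper";
        StringBuilder out = new StringBuilder();
        out.append(describe(assertion, deployment)).append('\n');
        out.append(describe(wrapper, deployment)).append('\n');
        out.append(describe("org.apache.velocity.app.Velocity", deployment)).append('\n');
        try {
            // Ask the loader that defined AssertionWrapper which Assertion it sees.
            ClassLoader wss4j = Class.forName(wrapper, false, deployment).getClassLoader();
            out.append("Assertion identical for deployment and AssertionWrapper's loader: ")
               .append(sameClass(assertion, deployment, wss4j)).append('\n');
        } catch (ClassNotFoundException | LinkageError e) {
            out.append("AssertionWrapper not visible from deployment: ").append(e).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println(report());
    }
}
```

A `false` on the last line means two different loaders each define their own `Assertion`, which is the condition behind the loader constraint violation; a `NOT LOADABLE` entry for Velocity corresponds to the `NoClassDefFoundError` from `DefaultBootstrap`.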