7 Replies Latest reply on Jun 26, 2014 2:46 AM by Grzegorz Grzybek

    Using XMLSignatureFactory

    paul romanchenko Newbie

      The following problem checked in fuse 4, 6.0, 6.1;

      Having fresh clean jboss fuse installation (unzip; ./bin/karaf) and simply bundle with activator:

      package xmlsectest;

       

      import javax.xml.crypto.dsig.XMLSignatureFactory;

       

      import org.osgi.framework.*;

       

      public class PrintCL implements BundleActivator{

       

          @Override

          public void start(BundleContext context) throws Exception {

              XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

              System.out.println(fac.toString());

          }

       

          @Override

          public void stop(BundleContext context) throws Exception {

             

       

          }

      }

       

      I get the exception:

       

      Caused by: java.lang.ClassCastException: org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory cannot be cast to javax.xml.crypto.dsig.XMLSignatureFactory

              at javax.xml.crypto.dsig.XMLSignatureFactory.findInstance(XMLSignatureFactory.java:202)[187:org.apache.santuario.xmlsec:1.5.6]

              at javax.xml.crypto.dsig.XMLSignatureFactory.getInstance(XMLSignatureFactory.java:186)[187:org.apache.santuario.xmlsec:1.5.6]

              at xmlsectest.PrintCL.start(PrintCL.java:11)[247:xmlsec.test:0.0.1]

              at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:645)[org.apache.felix.framework-4.0.3.redhat-610379.jar:]

              at org.apache.felix.framework.Felix.doActivateBundle(Felix.java:2387)[org.apache.felix.framework-4.0.3.redhat-610379.jar:]

              ... 19 more

       

      Any ideas how to use XMLSignatureFactory?

        • 1. Re: Using XMLSignatureFactory
          Grzegorz Grzybek Novice

          Hello Paul

           

          Have a look at this project: https://github.com/grgrzybek/grgr-tests/tree/master/grgr-test-dsig.

          With default fuse-6.1.redhat-379, I got this when starting this bundle:

           

          Fabric8:karaf@root> install -s mvn:grgr.test/test-dsig/0.1.0.BUILD-SNAPSHOT
          Bundle ID: 158
          Error executing command: Error installing bundles:
               Unable to start bundle mvn:grgr.test/test-dsig/0.1.0.BUILD-SNAPSHOT: Unresolved constraint in bundle grgr.test.dsig [158]: Unable to resolve 158.0: missing requirement [158.0] osgi.wiring.package; (osgi.wiring.package=javax.xml.crypto.dsig)
          

           

          But when I added this line:

           

           javax.xml.crypto.dsig, \
          

           

          To correct VM settings in FUSE_HOME/etc/jre.properties, I was able to start it succesfully:

           

          Fabric8:karaf@root> install -s mvn:grgr.test/test-dsig/0.1.0.BUILD-SNAPSHOT
          org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory@4c0a4063
          Bundle ID: 159
          

           

          regards

          Grzegorz Grzybek

          • 3. Re: Using XMLSignatureFactory
            Grzegorz Grzybek Novice

            I've updated my example here: https://github.com/grgrzybek/grgr-tests/tree/master/grgr-test-dsig to make it work with Fuse 6.1.GA.

            In Fuse, there is apache santuario xmlsec library available, so you have to make some additional steps:

            Here's the working bundle activator:

            org.apache.xml.security.Init.init();
            Security.insertProviderAt(new org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI(), 0);
            XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
            System.out.println(fac.toString());
            

            regards

            Grzegorz Grzybek

            • 4. Re: Using XMLSignatureFactory
              Kevin Conner Master

              Hiya Grzegorz

               

              We have been hitting this recently within the Overlord projects and came up with another way to workaround the issue, this is related to Gary's question from earlier.

               

              Our workaround was to have the javax.xml.crypto packages exposed through the system bundle, hence the question about jre.properties and child containers, and to modify the xmlsec.jar MANIFEST.MF so that it also Imported the packages, thereby allowing those in the jar to be rewired to the versions in the system bundle.

               

              What are your thoughts on this?

               

              Kev

              • 5. Re: Re: Using XMLSignatureFactory
                Grzegorz Grzybek Novice

                Hi Kevin

                Modifying etc/jre.properties is one thing, but hacking in the contents of xmlsec.jar is a warning sign, that it should be done in other way...

                doesn't:

                Security.insertProviderAt(new org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI(), 0);
                

                work for you?

                Also the question is - do you want to use Apache Santuario version or the one provided with JDK (in the latter case - you should uninstall xmlsec bundle...

                 

                regards

                Grzegorz Grzybek

                • 6. Re: Re: Re: Using XMLSignatureFactory
                  Kevin Conner Master

                  Modifying etc/jre.properties is one thing, but hacking in the contents of xmlsec.jar is a warning sign, that it should be done in other way...

                   

                  I would prefer not to modify xmlsec.jar, that is definitely a warning as you say, but this seems to be the 'lesser evil' as it leads to a cleaner classloading hierarchy shared with the system classes.


                  doesn't:

                   

                   

                  1. Security.insertProviderAt(new org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI(), 0); 

                  work for you?


                  If this was localised to certain hierarchies then I would be happier but having it registered through java.security.Security, especially if multiple bundles are having to do this, is likely to lead to problems when one of them is undeployed.

                  Also the question is - do you want to use Apache Santuario version or the one provided with JDK (in the latter case - you should uninstall xmlsec bundle...

                   

                  We are not interested in the Santuario provider but rather some of the other packages being exported within xmlsec.

                   

                  Thanks,

                    Kev

                  • 7. Re: Using XMLSignatureFactory
                    Grzegorz Grzybek Novice

                    Hello Kevin

                    Can I provide some more help with this? Or have you found solution?

                     

                    regards
                    Grzegorz