1 Reply Latest reply on Feb 13, 2004 11:27 AM by vng78

    Need help: SignedObject.getObject() in servlet

    vng78

      All,

      I have a very frustrating problem with (I think) ClassLoader. I have searched through the Forums, browsed more than 20 pages and found no satisfactory solution. I'm using JBoss 3.2.3. Here's the thing:

      First, I have a servlet in which I get a SignedObject from MySQL BLOB and retrieve the actual object from the SignedObject:

      SignedObject so = helper.retrieveSignedObject();
      if(verify(so)) {
      SecureKey key = so.getObject();
      ...

      Now, the helper class successfully retrieves the SignedObject and verify() returns true so my key should be alright. Next, the call so.getObject() just fails immediately spewing:

      2004-02-13 04:51:38,842 ERROR [STDERR] Error in initializeKeyObject(): The key class cannot be found.
      2004-02-13 04:51:38,842 ERROR [STDERR] java.lang.ClassNotFoundException: No ClassLoaders found for: SecureKey
      2004-02-13 04:51:38,842 ERROR [STDERR] at org.jboss.mx.loading.LoadMgr3.beginLoadTask(LoadMgr3.java:241)
      2004-02-13 04:51:38,842 ERROR [STDERR] at org.jboss.mx.loading.UnifiedClassLoader3.loadClassImpl(UnifiedClassLoader3.java:169)
      2004-02-13 04:51:38,842 ERROR [STDERR] at org.jboss.mx.loading.UnifiedClassLoader3.loadClass(UnifiedClassLoader3.java:123)
      2004-02-13 04:51:38,842 ERROR [STDERR] at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
      2004-02-13 04:51:38,842 ERROR [STDERR] at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
      2004-02-13 04:51:38,842 ERROR [STDERR] at java.lang.Class.forName0(Native Method)
      2004-02-13 04:51:38,842 ERROR [STDERR] at java.lang.Class.forName(Class.java:207)
      2004-02-13 04:51:38,842 ERROR [STDERR] at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:551)
      2004-02-13 04:51:38,842 ERROR [STDERR] at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1503)
      2004-02-13 04:51:38,842 ERROR [STDERR] at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1425)
      2004-02-13 04:51:38,858 ERROR [STDERR] at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1616)
      2004-02-13 04:51:38,858 ERROR [STDERR] at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1264)
      2004-02-13 04:51:38,858 ERROR [STDERR] at java.io.ObjectInputStream.readObject(ObjectInputStream.java:322)
      2004-02-13 04:51:38,858 ERROR [STDERR] at java.security.SignedObject.getObject(SignedObject.java:161)
      2004-02-13 04:51:38,858 ERROR [STDERR] at 2004-02-13 04:51:38,858 ERROR [STDERR] at psms.web.proxy.ProxyServlet.doGet(Unknown Source)
      2004-02-13 04:51:38,858 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
      2004-02-13 04:51:38,858 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

      And at the very top of the log, I saw that there was no ClassLoader for SecureKey. I would deeply appreciate if anyone could at least give me a hint what was wrong. I read about getting the ClassLoader from current Thread and stuff like that but I can't force java.security.SignedObject to use a specific ClassLoader during the getObject(), can I?

      I saw some code by Scott where he wrote a Servlet that accesses WEB-INF/classes using Class.forName(). I tried it and I could get my SecureKey class but when I use newInstance() on it, it threw InstantiationException. Well...

      My ear structure is as follows:
      EAR
      +--- ejb.jars
      +--- war
      +---- WEB-INF/lib/secure.jar
      +---- WEB-INF/classes/.class

      The SecureKey class is in secure.jar and is only used in the servlet.
      If this is a ClassLoader and the way I package my WAR and the secure.jar library, please point me to a tutorial on the relationship between ClassLoader and WAR packaging. I would appreciate if someone could shed some light on this.

      thanks
      Vince

        • 1. Re: Need help: SignedObject.getObject() in servlet
          vng78

          Just thought you folks might want to know the conclusion. What caused the error was because my secure key, which was generated as a binary file earlier is a stub key located in different package (package A).

          I migrated the SecureKey to package B after I finished testing. The SecureKeyManager class is the real thing in package B and expects the SecureKey class to be in the same package B but found it as a class in package A, DOH! I guess this taught me not to debug any code after 3am...

          Thank you for reading :)