glassfish
  1. glassfish
  2. GLASSFISH-16619

Got com.sun.xml.wss.XWSSecurityException when ran some WSS security tests on AIX

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Minor Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.1.1
    • Fix Version/s: not determined
    • Component/s: security
    • Labels:
      None
    • Environment:

      AIX, IBM jdk1.6.0

      Description

      build: V3.1.1 build 4
      OS: AIX

      Please note that this test only failed on AIX and it passed on all other OS/platforms.

      Steps to reproduce the bug:
      1.Checkout SQE workspace:
      cvs co appserver-sqe/bootstrap.xml
      (CVSROOT=:pserver:cvsguest@sunsw.us.oracle.com:/m/jws)
      cd appserver-sqe
      ant -f bootstrap.xml co-security
      2. install GF V3.1.1, start domain domain1
      3. Set env. variables
      S1AS_HOME <GF installation dir> (example: /export/sonia/v3/glassfishv3/glassfish
      SPS_HOME <workspace dir> (example: /export/sonia/appserver-sqe)
      ANT_HOME <ant dir>
      JAVA_HOME <java dir>
      4. cd appserver-sqe/pe/security/wss/annotations/servletws, run "ant all", test failed with the following error:
      [exec] </S:Envelope>==== Received Message End ====
      [exec] [exec] May 11, 2011 2:19:20 AM com.sun.xml.wss.impl.SecurityRecipient processMessagePolicy
      [exec] SEVERE: WSS0253: Message does not conform to configured policy: No Security Header found in message
      [exec] com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ TimestampPolicy(S) SignaturePolicy(P) ]: No Security Header found
      [exec] at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:818)
      [exec] at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:261)
      [exec] at com.sun.xml.wss.provider.ClientSecurityAuthModule.validateResponse(ClientSecurityAuthModule.java:156)
      [exec] at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFClientAuthContext.validateResponse(GFServerConfigProvider.java:1279)
      [exec] at com.sun.enterprise.security.webservices.ClientSecurityPipe.processSecureRequest(ClientSecurityPipe.java:211)
      [exec] at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:184)
      [exec] at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
      [exec] at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
      [exec] at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
      [exec] at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
      [exec] at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
      [exec] at com.sun.xml.ws.client.Stub.process(Stub.java:323)
      [exec] at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:161)
      [exec] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:113)
      [exec] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
      [exec] at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:144)
      [exec] at $Proxy49.getFedTax(Unknown Source)
      [exec] at com.sun.appserv.sqe.security.wss.annotations.client.TaxCalClient.callTaxService(TaxCalClient.java:85)
      [exec] at com.sun.appserv.sqe.security.wss.annotations.client.TaxCalClient.main(TaxCalClient.java:64)
      [exec] javax.xml.ws.WebServiceException: Cannot validate response for

      {http://sun.com/appserv/sqe/security/taxws}

      TaxPort
      [exec] at com.sun.enterprise.security.webservices.ClientSecurityPipe.processSecureRequest(ClientSecurityPipe.java:215)
      [exec] at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:184)
      [exec] at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
      [exec] at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
      [exec] at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
      [exec] at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
      [exec] at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
      [exec] at com.sun.xml.ws.client.Stub.process(Stub.java:323)
      [exec] at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:161)
      [exec] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:113)
      [exec] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
      [exec] at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:144)
      [exec] at $Proxy49.getFedTax(Unknown Source)
      [exec] at com.sun.appserv.sqe.security.wss.annotations.client.TaxCalClient.callTaxService(TaxCalClient.java:85)
      [exec] at com.sun.appserv.sqe.security.wss.annotations.client.TaxCalClient.main(TaxCalClient.java:64)
      [exec] Caused by: com.sun.enterprise.security.jauth.AuthException: Message does not conform to configured policy [ TimestampPolicy(S) SignaturePolicy(P) ]: No Security Header found
      [exec] at com.sun.xml.wss.provider.ClientSecurityAuthModule.validateResponse(ClientSecurityAuthModule.java:161)
      [exec] at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFClientAuthContext.validateResponse(GFServerConfigProvider.java:1279)
      [exec] at com.sun.enterprise.security.webservices.ClientSecurityPipe.processSecureRequest(ClientSecurityPipe.java:211)
      [exec] ... 14 more
      [exec] TaxCal client failed
      [exec] Generating report at /export/hudson/workspace/alex-aix3.1.1gf/appserver-sqe/test_results.xml
      [exec] [exec] [exec] -----------------------------------------
      [exec] - sec-wss-annotate-servletwsendpoint-getFedTax: FAIL -
      [exec] -----------------------------------------
      [exec] Total PASS: 0
      [exec] Total FAIL: 1
      [exec] Total DNR: 0
      [exec] ----------------------------------

      1. all.log.b07
        71 kB
        sonialiu
      2. server.log
        229 kB
        sonialiu
      3. server.log
        27 kB
        sonialiu

        Activity

        Hide
        kumarjayanti added a comment -

        Adding comments from ClassLoader experts :

        Tim Quinn Wrote :
        ---------------

        Sahoo is correct; a stream has been opened but never closed by the code which opened it.

        From a quick look at the stack trace, the stream is opened (as a side effect of classLoader.getResourceAsStream) from com.ibm.xtq.xslt.drivers.XylemRuntimePreCompiler, so presumably any fix would need to be there.

        • Tim

        On Jul 7, 2011, at 5:45 AM, Sahoo wrote:

        Hi Kumar,

        That indicates that some of the streams referring to resources returned by this class loader were still open, but there is no reference to those streams in code so finalizer is getting called. It further means there is some bad code somewhere which is not calling InputStream.close(). If this can be isolated, then one has to instrument the code to detect the bad code and fix it. btrace can be excellent option to debug such issues. Copying Tim for any additional input he may have, as he has dealt with such issues in the past and IIRC has introduced this error detection logic in ASURLClassLoader.

        HTH,
        Sahoo

        On Thursday 07 July 2011 12:58 PM, Kumar Jayanti wrote:
        Hi Shaoo, Siva,

        There is a problem happening on AIX with Metro Security SQE runs. Just wanted to know if you have any idea/hints on what is wrong.

        -------------------
        [#|2011-07-03T14:30:55.536-0700|WARNING|glassfish3.1.1|javax.enterprise.system.cor
        e.classloading.com.sun.enterprise.loader|_ThreadID=12;_ThreadName=Thread-9;|Input
        stream has been finalized or forced closed without being explicitly closed; stream
        instantiation reported in following stack trace
        java.lang.Throwable
        at com.sun.enterprise.loader.ASURLClassLoader$SentinelInputStream.<init>(A
        SURLClassLoader.java:1230)
        at com.sun.enterprise.loader.ASURLClassLoader.getResourceAsStream(ASURLCla
        ssLoader.java:878)
        at org.glassfish.web.loader.WebappClassLoader.getResourceAsStream(WebappCl
        assLoader.java:1252)
        at com.ibm.xtq.xslt.drivers.SecuritySupport$6.run(Unknown Source)
        at java.security.AccessController.doPrivileged(AccessController.java:202)
        at com.ibm.xtq.xslt.drivers.SecuritySupport.getResourceAsStream(Unknown So
        urce)
        at com.ibm.xtq.xslt.drivers.XylemRuntimePreCompiler.getResource(Unknown So
        urce)
        at com.ibm.xtq.xslt.drivers.XylemRuntimePreCompiler.getPrecompiledRuntime(
        Unknown Source)
        at com.ibm.xtq.xslt.drivers.XSLTCompiler.compileRuntime10(Unknown Source)
        at com.ibm.xtq.xslt.drivers.XSLTCompiler.compileRuntime(Unknown Source)
        at com.ibm.xtq.xslt.drivers.XSLTCompiler.compile(Unknown Source)
        at com.ibm.xtq.xslt.jaxp.compiler.TransformerFactoryImpl.createTemplates(U
        nknown Source)
        at com.ibm.xtq.xslt.jaxp.AbstractTransformerFactory.newTemplates(Unknown S
        ource)
        at com.sun.xml.wss.impl.filter.TeeFilter.init(TeeFilter.java:164)
        ----------------------

        regards,
        kumar

        Show
        kumarjayanti added a comment - Adding comments from ClassLoader experts : Tim Quinn Wrote : --------------- Sahoo is correct; a stream has been opened but never closed by the code which opened it. From a quick look at the stack trace, the stream is opened (as a side effect of classLoader.getResourceAsStream) from com.ibm.xtq.xslt.drivers.XylemRuntimePreCompiler, so presumably any fix would need to be there. Tim On Jul 7, 2011, at 5:45 AM, Sahoo wrote: Hi Kumar, That indicates that some of the streams referring to resources returned by this class loader were still open, but there is no reference to those streams in code so finalizer is getting called. It further means there is some bad code somewhere which is not calling InputStream.close(). If this can be isolated, then one has to instrument the code to detect the bad code and fix it. btrace can be excellent option to debug such issues. Copying Tim for any additional input he may have, as he has dealt with such issues in the past and IIRC has introduced this error detection logic in ASURLClassLoader. HTH, Sahoo On Thursday 07 July 2011 12:58 PM, Kumar Jayanti wrote: Hi Shaoo, Siva, There is a problem happening on AIX with Metro Security SQE runs. Just wanted to know if you have any idea/hints on what is wrong. ------------------- [#|2011-07-03T14:30:55.536-0700|WARNING|glassfish3.1.1|javax.enterprise.system.cor e.classloading.com.sun.enterprise.loader|_ThreadID=12;_ThreadName=Thread-9;|Input stream has been finalized or forced closed without being explicitly closed; stream instantiation reported in following stack trace java.lang.Throwable at com.sun.enterprise.loader.ASURLClassLoader$SentinelInputStream.<init>(A SURLClassLoader.java:1230) at com.sun.enterprise.loader.ASURLClassLoader.getResourceAsStream(ASURLCla ssLoader.java:878) at org.glassfish.web.loader.WebappClassLoader.getResourceAsStream(WebappCl assLoader.java:1252) at com.ibm.xtq.xslt.drivers.SecuritySupport$6.run(Unknown Source) at java.security.AccessController.doPrivileged(AccessController.java:202) at com.ibm.xtq.xslt.drivers.SecuritySupport.getResourceAsStream(Unknown So urce) at com.ibm.xtq.xslt.drivers.XylemRuntimePreCompiler.getResource(Unknown So urce) at com.ibm.xtq.xslt.drivers.XylemRuntimePreCompiler.getPrecompiledRuntime( Unknown Source) at com.ibm.xtq.xslt.drivers.XSLTCompiler.compileRuntime10(Unknown Source) at com.ibm.xtq.xslt.drivers.XSLTCompiler.compileRuntime(Unknown Source) at com.ibm.xtq.xslt.drivers.XSLTCompiler.compile(Unknown Source) at com.ibm.xtq.xslt.jaxp.compiler.TransformerFactoryImpl.createTemplates(U nknown Source) at com.ibm.xtq.xslt.jaxp.AbstractTransformerFactory.newTemplates(Unknown S ource) at com.sun.xml.wss.impl.filter.TeeFilter.init(TeeFilter.java:164) ---------------------- regards, kumar
        Hide
        kumarjayanti added a comment -

        Dowgrading the bug since it is only an exception during debug. I am also trying to remove some dependence on Apache Xerces which might help remove this exception (need to verify still). The change will require a new Metro Integration

        Show
        kumarjayanti added a comment - Dowgrading the bug since it is only an exception during debug. I am also trying to remove some dependence on Apache Xerces which might help remove this exception (need to verify still). The change will require a new Metro Integration
        Hide
        Alex Pineda added a comment -

        Are there plans to integrate this fix and a new Metro version in Glassfish (final GF 3.1.1) build? Need to know to plan the testing appropriately.

        Show
        Alex Pineda added a comment - Are there plans to integrate this fix and a new Metro version in Glassfish (final GF 3.1.1) build? Need to know to plan the testing appropriately.
        Hide
        kumarjayanti added a comment -

        Martin G had a discussion with Sathyan and it seems we are not going to integrate now.

        Show
        kumarjayanti added a comment - Martin G had a discussion with Sathyan and it seems we are not going to integrate now.
        Hide
        Tom Mueller added a comment -

        Bulk update to change fix version to "not determined" for all issues still open but with a fix version for a released version.

        Show
        Tom Mueller added a comment - Bulk update to change fix version to "not determined" for all issues still open but with a fix version for a released version.

          People

          • Assignee:
            JeffTancill
            Reporter:
            sonialiu
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated: