NoClassDefFoundError in java callout - WS-Security STR-Transform

Hi,

We have written custom Java code to verify XML digital signatures in the incoming SOAP request. The code runs fine on a local machine, but we get the runtime exception below when it is deployed on Apigee in a shared flow. I have verified that the mentioned class is available in "wss4j-1.6.19.jar", which is present in the shared flow.

Exception (deployment is successful; the error occurs at runtime):

java.lang.NoClassDefFoundError :: org/apache/ws/security/util/WSSecurityUtil

Libraries used (available in the shared flow):

wss4j-1.6.19.jar
xmlsec-2.1.0.jar
commons-logging-1.1.1.jar
slf4j-api-1.6.1.jar
slf4j-log4j12-1.6.1.jar

Apigee private cloud version: 4.19.06.07

JDK version: openjdk version "1.8.0_275"

Note: There are no other JARs available at the Organization or Environment level in Apigee.

Thanks,

Lal

1 ACCEPTED SOLUTION

Yep

There are problems using some JARs within Apigee. Specifically around permissions in the Apigee Message Processor. You're using OPDK, so perhaps you've relaxed the permissions to allow various JARs to execute. If that's the case, then I would suggest looking more closely at the system.log for the MP in question to understand what is leading to the NoClassDefFound. It could be a dependent class.

Also, are you aware that there is an existing callout that works in Apigee SaaS?

https://github.com/DinoChiesa/Apigee-Java-WsSec-Signature-2

It should also work in OPDK. It does verification of XML signatures for WS-Security. I wrote it specifically because I could not get wss4j to work within Apigee. This callout does not depend on wss4j, but you can use it to verify signatures. It may be of help to you.

Thanks Dino,

There was nothing much in the System logs and stacktrace. I have restarted MP and surprisingly it started working.

Yes, we are aware of the callout. Our existing solution is similar to what you have mentioned, but it was not working for signatures involving the algorithm "STR-Transform". We were getting the error mentioned below, so we wrote another solution which uses wss4j, as "STRTransform" is only available in this library. We would like to continue with our existing setup if it can support "STR-Transform" without wss4j.

Exception (from our existing code):

javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform algorithm and DOM mechanism not available at org.jcp.xml.dsig.internal.dom.DOMTransform.<init>(DOMTransform.java:93)

Sample XML structure:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <wsse:Security xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-ABCD">****</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-206">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="SOAP-ENV"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-205">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>***</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#STR-XYZ">
            <ds:Transforms>
              <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </wsse:TransformationParameters>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>****</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>****</ds:SignatureValue>
        <ds:KeyInfo Id="KI-ABCXYZ">
          <wsse:SecurityTokenReference wsu:Id="STR-XYZ">
            <wsse:Reference URI="#X509-ABCD" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-205">***</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Thanks,

Lal

I don't have a test case to try... but I put together a branch that aims to handle the STR-Transform.

You can find it at

https://github.com/DinoChiesa/Apigee-Java-WsSec-Signature-2/tree/STR-Transform

Maybe you can run some tests, or.... give me a few validation test cases that I can use for my own tests.

?? Did you check? Helpful?

Hi Dino, I will test today and let you know.

ok I'll be interested to hear.

Sorry for the delay, I couldn't test it before due to some other production issue.

I deployed the code you shared. Initially I was getting the exception below:

javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID STR-XYZ

This was resolved after adding the following to the markIdAttributes function:

    nl = doc.getElementsByTagNameNS(Namespaces.WSSEC, "SecurityTokenReference");
    if (nl.getLength() == 1) {
      Element element = (Element) nl.item(0);
      // register wsu:Id as an XML ID so the "#STR-XYZ" reference can be resolved
      element.setIdAttributeNS(Namespaces.WSU, "Id", true);
    }

I was still getting a "signature did not verify" error, which was due to an issue with my signing certificate. After fixing the certificate it started working.

Thanks for providing a quick solution for this, Dino.

Glad to help, Lal! Thanks for the feedback.
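
The "Cannot resolve element with ID STR-XYZ" error and its fix from Lal's reply above, reproduced as a stand-alone added example (not code from the thread or from the callout repository). It generalizes the fix to every element carrying wsu:Id; the class and method names, the reduced sample envelope, and the duplicate-Id rejection are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class MarkWsuIds { // hypothetical name, not part of the callout
  static final String WSU =
      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
  static final String WSSE =
      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

  // Register every wsu:Id as an XML ID so "#..." references resolve.
  // Fails closed on a repeated value, so a reference maps to exactly one element.
  static void markWsuIds(Document doc) {
    Set<String> seen = new HashSet<>();
    NodeList all = doc.getElementsByTagNameNS("*", "*");
    for (int i = 0; i < all.getLength(); i++) {
      Element e = (Element) all.item(i);
      if (!e.hasAttributeNS(WSU, "Id")) continue;
      String id = e.getAttributeNS(WSU, "Id");
      if (!seen.add(id)) throw new IllegalStateException("duplicate wsu:Id: " + id);
      e.setIdAttributeNS(WSU, "Id", true);
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample, reduced from the structure posted in the thread.
    String xml = "<e:Envelope xmlns:e='http://schemas.xmlsoap.org/soap/envelope/'"
        + " xmlns:wsu='" + WSU + "' xmlns:wsse='" + WSSE + "'><e:Header><wsse:Security>"
        + "<wsse:BinarySecurityToken wsu:Id='X509-ABCD'>AAAA</wsse:BinarySecurityToken>"
        + "<wsse:SecurityTokenReference wsu:Id='STR-XYZ'>"
        + "<wsse:Reference URI='#X509-ABCD'/></wsse:SecurityTokenReference>"
        + "</wsse:Security></e:Header><e:Body wsu:Id='id-205'/></e:Envelope>";
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    Document doc = dbf.newDocumentBuilder()
        .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

    // Without a DTD or schema, wsu:Id is an ordinary attribute: the lookup finds nothing.
    System.out.println("before: " + doc.getElementById("STR-XYZ"));
    markWsuIds(doc);
    System.out.println("after:  " + doc.getElementById("STR-XYZ").getTagName());
  }
}
```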