2
votes

Using org.apache.wss4j artifacts to support ws-security part of a SOAP service calling inside a Play Framework (Java version) application resulted in this mess:

java.util.concurrent.CompletionException: java.lang.RuntimeException: java.lang.VerifyError: Bad type on operand stack
Exception Details:
  Location:
    org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.validateSignedEncryptedPolicies(Ljava/util/List;Ljava/util/List;Ljava/util/List;Lorg/apache/cxf/message/Message;)Z @28: invokespecial
  Reason:
    Type 'org/apache/wss4j/policy/model/EncryptedParts' (current frame, stack[1]) is not assignable to 'org/apache/wss4j/policy/model/SignedParts'
  Current Frame:
    bci: @28
    flags: { }
    locals: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'java/util/List', 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
    stack: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'org/apache/wss4j/policy/model/EncryptedParts', integer, 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
  Bytecode:
    0x0000000: 2a2a b400 2d03 2c2b 1904 b700 2e9a 0005
    0x0000010: 03ac 2a2a b400 2f04 2d2b 1904 b700 2e9a
    0x0000020: 0005 03ac 2a2a b400 3003 2c2b 1904 b700
    0x0000030: 319a 0005 03ac 2a2a b400 3203 2d2b 1904
    0x0000040: b700 31ac                              
  Stackmap Table:
    same_frame(@18)
    same_frame(@36)
    same_frame(@54)

        ... suppressed 8 lines
Caused by: java.lang.RuntimeException: java.lang.VerifyError: Bad type on operand stack
Exception Details:
  Location:
    org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.validateSignedEncryptedPolicies(Ljava/util/List;Ljava/util/List;Ljava/util/List;Lorg/apache/cxf/message/Message;)Z @28: invokespecial
  Reason:
    Type 'org/apache/wss4j/policy/model/EncryptedParts' (current frame, stack[1]) is not assignable to 'org/apache/wss4j/policy/model/SignedParts'
  Current Frame:
    bci: @28
    flags: { }
    locals: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'java/util/List', 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
    stack: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'org/apache/wss4j/policy/model/EncryptedParts', integer, 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
  Bytecode:
    0x0000000: 2a2a b400 2d03 2c2b 1904 b700 2e9a 0005
    0x0000010: 03ac 2a2a b400 2f04 2d2b 1904 b700 2e9a
    0x0000020: 0005 03ac 2a2a b400 3003 2c2b 1904 b700
    0x0000030: 319a 0005 03ac 2a2a b400 3203 2d2b 1904
    0x0000040: b700 31ac                              
  Stackmap Table:
    same_frame(@18)
    same_frame(@36)
    same_frame(@54)

        at ir.iais.playCommons.utils.F$Promise$1.get(F.java:232) ~[play-commons_2.11-2017.0.2.12-SNAPSHOT.jar:2017.0.2.12-SNAPSHOT]
        ... 
        ... 5 more
Caused by: java.lang.VerifyError: Bad type on operand stack
Exception Details:
  Location:
    org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.validateSignedEncryptedPolicies(Ljava/util/List;Ljava/util/List;Ljava/util/List;Lorg/apache/cxf/message/Message;)Z @28: invokespecial
  Reason:
    Type 'org/apache/wss4j/policy/model/EncryptedParts' (current frame, stack[1]) is not assignable to 'org/apache/wss4j/policy/model/SignedParts'
  Current Frame:
    bci: @28
    flags: { }
    locals: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'java/util/List', 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
    stack: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'org/apache/wss4j/policy/model/EncryptedParts', integer, 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
  Bytecode:
    0x0000000: 2a2a b400 2d03 2c2b 1904 b700 2e9a 0005
    0x0000010: 03ac 2a2a b400 2f04 2d2b 1904 b700 2e9a
    0x0000020: 0005 03ac 2a2a b400 3003 2c2b 1904 b700
    0x0000030: 319a 0005 03ac 2a2a b400 3203 2d2b 1904
    0x0000040: b700 31ac                              
  Stackmap Table:
    same_frame(@18)
    same_frame(@36)
    same_frame(@54)

        at org.apache.cxf.ws.security.wss4j.policyvalidators.ValidatorUtils.configureSupportingTokenValidators(ValidatorUtils.java:97) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
        at org.apache.cxf.ws.security.wss4j.policyvalidators.ValidatorUtils.(ValidatorUtils.java:46) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.doResults(PolicyBasedWSS4JInInterceptor.java:576) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:277) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:171) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:80) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1670) ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1551) ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1348) ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:651) ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277) ~[cxf-core-3.1.7.jar:3.1.7]
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) ~[cxf-rt-frontend-simple-3.1.7.jar:3.1.7]
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139) ~[cxf-rt-frontend-jaxws-3.1.7.jar:3.1.7]
        at com.sun.proxy.$Proxy124.sendMessageToConsignee(Unknown Source) ~[?:?]
        at ir.iais.rasam.services.AnnouncementAboutDeclarationService$1.get(AnnouncementAboutDeclarationService.java:61) ~[classes/:?]
        at ir.iais.rasam.services.AnnouncementAboutDeclarationService$1.get(AnnouncementAboutDeclarationService.java:48) ~[classes/:?]
        at ir.iais.playCommons.utils.F$Promise$1.get(F.java:230) ~[play-commons_2.11-2017.0.2.12-SNAPSHOT.jar:2017.0.2.12-SNAPSHOT]
        ... 
        ... 5 more

The used modules of org.apache.wss4j artifacts are these:

"org.apache.wss4j" % "wss4j-bindings" % wss4jversion,
"org.apache.wss4j" % "wss4j-policy" % wss4jversion,
"org.apache.wss4j" % "wss4j-ws-security-dom" % wss4jversion,
"org.apache.wss4j" % "wss4j-ws-security-stax" % wss4jversion,
"org.apache.wss4j" % "wss4j-integration" % wss4jversion,
"org.apache.wss4j" % "wss4j-ws-security-policy-stax" % wss4jversion,
"org.apache.wss4j" % "wss4j-ws-security-common" % wss4jversion,

Where wss4jVersion is:

val wss4jVersion = "2.1.10"

By searching this part: Type ... (current frame, stack[1]) is not assignable to ... I landed on this page that said the problem is from JVM. However this Q/A is for 2013 and by now this bug must be resolved.

Besides if I replace all of above dependencies from org.apache.wss4j artifacts by this one: "org.apache.ws.security" % "wss4j" % "1.6.18" (well it means downgrading the package), the problem will be solved and service calling will work successfully.

Now my question is: Where the bug has lied? in JVM or WSS4J or Play Framework?

Play Framework version: 2.5.8

java version "1.8.0_121"

Java(TM) SE Runtime Environment (build 1.8.0_121-b13)

1
Are you sure that you linked the correct Q&A? The linked answer is about a compiler bug and it’s from 2015, not 2013…Holger

1 Answers

4
votes

The problem is caused by the version incompatibility between Apache CXF Runtime and WSS4J.

cxf-rt-ws-security 3.1.7 depends on wss4j-policy 2.1.7, but you use wss4j-policy 2.1.10.

The bytecode verifier fails since EncryptedParts class from wss4j-policy cannot be longer assigned to SignedParts (though in earlier versions these classes were in the same hierarchy).

There are two ways to solve the problem:

  • upgrade Apache CXF Runtime to version 3.1.11 or above;
  • downgrade Apache WSS4J to version 2.1.7 or below.