LinkedIn
Twitter
Hello comunity,
I'm trying to use this solution to create WSSec decrypt and encrypt policies in Apigee: DinoChiesa/Apigee-Java-WsSec-RsaEncryption: a configurable custom policy for Apigee, which performs ...
But I'm having an error because the jar can't be loaded.
Example of error:
Failed to instantiate the JavaCallout Class com.google.apigee.callouts.wsseccrypto.Decrypt |
Maybe the problem is similar to this one: Solved: Implementation of a Java callout that performs WS-... - Google Cloud Community. I suspect it because I was having the same problem with signing/validation until I found this thread and applied the suggested solution.
Example of policy:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout name="java-wssec-decrypt">
<DisplayName>WS-Security Decrypt Message</DisplayName>
<Properties>
<Property name='debug'>true</Property>
<Property name="source">message.content</Property>
<Property name="private-key">{private.key.content}</Property>
</Properties>
<ClassName>com.google.apigee.callouts.wsseccrypto.Decrypt</ClassName>
<ResourceURL>java://apigee-wssec-xmlenc-20210409.jar</ResourceURL>
</JavaCallout>
Edit: Apigee's debug show the error described as followed:
Solved
1 ACCEPTED SOLUTION
Thank you for such a fast reply to my issue. I'll try out what you suggested, and I'll update this comment with the results
Edit:
@dchiesa1 I've tried what you suggested, but I haven't succeeded in making it load yet.
I've changed more than what you asked for, though.
* I've added buildscript.sh, copying it from your other repository, so I could find some missing dependencies (expressions-1.0.0.jar and message-flow-1.0.0.jar);
* I've changed the following piece of code because javax.xml.bind was not being found, I guess it may have been removed from the newer JDK:
* I've added a .gitignore just to avoid uploading some jar files, I'm afraid that would cause some licensing issues if I do so (not relevant for the problem, though);
Here's a link to the comparison between your repo and my fork if you want to take a look: Comparing DinoChiesa:master...Farenheith:fix-bouncyCastle · DinoChiesa/Apigee-Java-WsSec-RsaEncrypti...
I've tried some approaches based on this attempt:
* I've updated just apigee-wssec-xmlenc-20210409.jar and tested it, still the same error.
* I've added every jar maven fetched. You can see in the image below the list:
Notice that, in your repository, you have commons-codec-1.15.jar in the resources folder; here I'm using 1.13, though, which was fetched during compilation.
* I've also tried using the same thing above, but with commons-codec-1.15.jar.
All the approaches failed, unfortunately, but I'll keep investigating to see if I can find anything.
If you happen to have any other ideas in the meantime, I'm glad to try it out. I wonder if there's anything I can do to get a more meaningful error from Apigee in that situation, as the current debug output doesn't give much of what's causing the failed loading.
Edit 2: oh, one more thing: to compile it, I need to skip tests because of some incompatibility between newer Java versions and jmockit code.
Edit 3: I changed jmockit to mokito in an attempt to fix the errors I was experiencing during test so I could compile the jar using just `mvn clean package`, as stated in the README.
With this last attempt, the resources I've uploaded were the following:
I push a new commit in my fork with these changes. I couldn't make it work, though. I think I'll try to find some other possibility, comparing the encrypt repo with the signature one
Edit 4: My last attempt to solve this problem was to add BouncyCastle to the included jars. Still the same error
Well. I'm using signature + ecnryption together, maybe there are some conflict between the two? I've noticed that, even when I don't use the decrypt step while sending a nonencrypted message, I was getting an error at the Validade step that wasn't happening before:
| Failed to execute JavaCallout. 'java.lang.String com.google.apigee.util.XmlUtils.asString(org.w3c.dom.Node)' |
I validated my whole project looking for accidental changes, but found none. Then, I removed all the jars I'd added when trying to decrypt the received message, and the error stopped.
I see that there are a class XmlUtil inside both repositories and they have the same namespace, but only the one from Signature have a "asString" method, so I suppose things are getting mixed up when I try to use both jars together.
I'll do one more test changing the namespace of encryption repo to com.example so no conflict will happen between the two. Maybe I'll have a nice surprise.
Edit: Yeah, the error at Validate step stopped, but when I test a flow where I try to Decrypt a message, I'm still getting the error `Failed to instantiate the JavaCallout Class com.example.apigee.callouts.wsseccrypto.Decrypt`.
I'll do as you said, I'll get in touch with apigee support. I can also try bringing the Decrypt and Encrypt operations to the Signature repository to check if it works.
Edit 2:
I've merged both projects in case I was doing something wrong trying to fix encryption one's dependencies, and the result now is that Validate is still working, Decrypt is not instantiating yet. Here's the comparison with the base branch I've used.
Comparing DinoChiesa:remove-str-transform...Farenheith:merge-encryption · DinoChiesa/Apigee-Java-WsS...
I think it at least narrows down the issues:
* Both callouts uses bouncyCastle, so, I'm sure both are using the same version;
* Just Decrypt callout uses xmlenc. Maybe it's not loading because it can't load xmlenc dependency.
I'm using 3.0.3 version, which is the one I could compatibilize with the current pom.xml jdk version
I think now I can play around, maybe commenting the part where xmlenc is used to see if the callout will be loaded, to confirm the cause
Edit 3:
@dchiesa1 I have finally found the issue.
The problem is happening at this line:
static {
org.apache.xml.security.Init.init();
}
It's throwing an error and, as it's part of static class initialization, it can't be captured properly, resulting in a limited feedback to the user. I changed the moment this code is ran at this commit: refactor: changing initialization moment · Farenheith/Apigee-Java-WsSec-Signature-2@99d4585
Now, it'll run inside the try catch of execute method, making it possible to have a better error trace.
With this new approach, I have the following error detected:
access denied ("java.security.SecurityPermission" "org.apache.xml.security.register") java.security.AccessControlException: access denied ("java.security.SecurityPermission" "org.apache.xml.security.register") at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) at java.base/java.security.AccessController.checkPermission(AccessController.java:897) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322) at com.apigee.securitypolicy.InternalSecurityManager.checkPermission(InternalSecurityManager.java:90) at org.apache.xml.security.utils.JavaUtils.checkRegisterPermission(JavaUtils.java:219) at org.apache.xml.security.utils.XMLUtils.setDsPrefix(XMLUtils.java:103) at org.apache.xml.security.utils.ElementProxy.setNamespacePrefix(ElementProxy.java:487) at org.apache.xml.security.utils.ElementProxy.registerDefaultPrefixes(ElementProxy.java:500) at org.apache.xml.security.Init.dynamicInit(Init.java:114) at org.apache.xml.security.Init.init(Init.java:87) at com.google.apigee.callouts.wsseccrypto.WssecCalloutBase.initialize(WssecCalloutBase.java:71) at com.google.apigee.callouts.wsseccrypto.Decrypt.execute(Decrypt.java:279) at com.apigee.steps.javacallout.JavaCalloutStepDefinition$ClassLoadWrappedExecution.execute(JavaCalloutStepDefinition.java:277) at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution.lambda$execute$0(JavaCalloutStepDefinition.java:383) at java.base/java.security.AccessController.doPrivileged(Native Method) at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution.execute(JavaCalloutStepDefinition.java:382) at com.apigee.steps.javacallout.JavaCalloutStepDefinition$CallOutWrapper.execute(JavaCalloutStepDefinition.java:202) at com.apigee.messaging.runtime.steps.StepExecution.execute(StepExecution.java:175) at com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:117) at com.apigee.flow.execution.AsyncExecutionStrategy.execute(AsyncExecutionStrategy.java:30) at com.apigee.flow.MessageFlowImpl.execute(MessageFlowImpl.java:636) at com.apigee.flow.MessageFlowImpl.resume(MessageFlowImpl.java:450) at com.apigee.flow.execution.ExecutionContextImpl.lambda$resume$0(ExecutionContextImpl.java:146) at com.apigee.threadpool.RunnableWrapperForMDCPreservation.run(RunnableWrapperForMDCPreservation.java:22) at com.apigee.threadpool.QueueMetricsAwareTask.run(QueueMetricsAwareTask.java:31) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:829) |
So, it indeed seems to be an issue with recent apigee x update, where security has been improved.
Do you have any suggestions on how I could solve this issue? I'm willing to contribute to your repos if you allow me, but I think you have the expertise on how to deal with this new situation, as you know really well both sides of the coin here, and I'd appreciate very much your guidance.
Edit 4:
I found a similar issue here Java call out access denied "org.apache.xml.securi... - Google Cloud Community
Which seems to be solved by updating xmlenc to 4.0.4, which will also force me to update the target Java version to 11. I'll try it out to see if I can solve the issue.
