Hello:

This isn't an error in Tomcat, but it's an error that happens in my web application when using Apache CXF + WSS4J.
I'm using Tomcat 6.0.24 and I've found that it's fixed in 7.0.41 (but not in 6.03.7). But, for business matters, I cannot upgrade from 6.0.24 to 7.x.

I would like somebody to advise me on what I could patch in my Tomcat 6.x server to fix something that was solved in 7.x. If more info is needed, I don't have any problem providing it.

I have pasted the mail that I sent to the Apache CXF mailing list.

Thanks

Q:

I'm using WSS4J with Apache CXF 2.7.3, for signing SOAP messages. So, I'm using WSS4J 1.6.9 and xmlsec 1.5.3.

These SOAP messages are sent by my WAR application to a remote webservice.

When I redeploy my WAR into the Tomcat server *without restarting it*, I always get the following exception:

    Caused by: org.apache.ws.security.WSSecurityException: Error during Signature:
        at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:105) ~[wss4j-1.6.9.jar:1.6.9]
        at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:230) ~[wss4j-1.6.9.jar:1.6.9]
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52) ~[cxf-rt-ws-security-2.7.3.jar:2.7.3]
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:260) ~[cxf-rt-ws-security-2.7.3.jar:2.7.3]
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:136) ~[cxf-rt-ws-security-2.7.3.jar:2.7.3]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) [cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) ~[cxf-api-2.7.3.jar:2.7.3]
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) ~[cxf-rt-frontend-simple-2.7.3.jar:2.7.3]
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133) ~[cxf-rt-frontend-jaxws-2.7.3.jar:2.7.3]
        ... 41 common frames omitted
    Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed
        at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:558) ~[wss4j-1.6.9.jar:1.6.9]
        at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:99) ~[wss4j-1.6.9.jar:1.6.9]
        ... 52 common frames omitted
    Caused by: java.lang.NullPointerException: null
        at org.apache.jcp.xml.dsig.internal.dom.DOMReference.marshal(DOMReference.java:297) ~[xmlsec-1.5.3.jar:1.5.3]
        at org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo.marshal(DOMSignedInfo.java:268) ~[xmlsec-1.5.3.jar:1.5.3]
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.marshal(DOMXMLSignature.java:216) ~[xmlsec-1.5.3.jar:1.5.3]
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:329) ~[xmlsec-1.5.3.jar:1.5.3]
        at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:553) ~[wss4j-1.6.9.jar:1.6.9]
        ... 53 common frames omitted

Any idea?

I have to restart the Tomcat server and everything works fine again. Looks like a leak.

When it fails, if I enable the debug logging level, I don't see the log message in DOMReference.java, line 297:

    if (log.isDebugEnabled()) {
        log.debug("Marshalling Reference");
    }

When I restart Tomcat, this log message is shown.

My CXF client configuration is:

    <http-conf:conduit name="https://.*">
        <http-conf:tlsClientParameters>
            <sec:trustManagers>
                <sec:keyStore type="JKS" password="xxx" resource="truststore.jks"/>
            </sec:trustManagers>
        </http-conf:tlsClientParameters>
        <http-conf:client ConnectionTimeout="5000" ReceiveTimeout="10000" />
    </http-conf:conduit>
    <jaxws:outInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="Signature"/>
                    <entry key="user" value="xxx"/>
                    <entry key="signatureUser" value="xxxx"/>
                    <entry key="passwordCallbackClass" value="com.test.KeystorePasswordCallback"/>
                    <entry key="signaturePropFile" value="keystore.properties"/>
                    <entry key="signatureKeyIdentifier" value="DirectReference"/>
                    <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <entry key="sigCanonicalization" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </map>
            </constructor-arg>
        </bean>
    </jaxws:outInterceptors>
    </jaxws:client>