PL 2.1.x in AS7.1.x

Objective

This article describes the steps needed to run PicketLink 2.1.x on JBoss Application Server 7.1.x.

Problems and Solutions

Most of the problems described in this article are related to the version upgrade of the org.apache.santuario.xmlsec module. Up to JBoss AS 7.1.0 the xmlsec version used was 1.4.5; with the JBoss AS 7.1.1 release it was upgraded to 1.5.1.

Santuario 1.5 includes some refactoring that requires changes to the JBoss AS modules.

PicketLink relies on Apache xmlsec (Santuario) for XML encryption.

Problem 1: XMLSEC ClassNotFoundException and ClassCastException when deploying applications

When deploying PicketLink applications (idp, sp, sts and pdp), exceptions are raised for missing classes (ClassNotFoundException) or failed casts (ClassCastException), even though PicketLink 2.1.x was updated to use xmlsec 1.5.1.

The solution for these issues is described in the following thread and JIRA:

Users need to either use JBoss AS 7.1.2 (git clone and build from source) or apply the changes associated with the JIRA above. These changes address problems in both the javaee.api and javax.api modules.

This problem is already solved and the fix will ship in future AS7 releases.

Problem 2: ClassNotFoundException: com.sun.org.apache.xml.internal.security.transforms.implementations.TransformBase64Decode

When using digital signatures, a ClassCastException is raised referring to the class com.sun.org.apache.xml.internal.security.transforms.implementations.TransformBase64Decode.

The first solution for this was to make the change below in the javax.api module:

    <module xmlns="urn:jboss:module:1.1" name="javax.api">
        <dependencies>
            <system export="true">
                <paths>
                    ...
                    <path name="com/sun/org/apache/xml/internal/security/transforms/implementations"/> <!-- This line was added -->
                </paths>
            </system>
        </dependencies>
    </module>

This fix must be applied in AS 7.1.2 for digital signatures to work.
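
The following script is an added example for this article, not PicketLink or JBoss AS code. It checks an AS 7.1.x modules directory for both conditions discussed above: that the org.apache.santuario.xmlsec module ships xmlsec 1.5.1 or newer (Problem 1) and that the javax.api module exports the com/sun/org/apache/xml/internal/security/transforms/implementations package (Problem 2). It assumes the standard AS 7 module layout (org/apache/santuario/xmlsec/main/module.xml and javax/api/main/module.xml under the modules directory) and that the xmlsec jar is named xmlsec-<version>.jar; the sample module descriptors embedded at the bottom are constructed for the demonstration and are not copied from any AS release.

```python
"""Audit a JBoss AS 7.1.x modules tree for the two xmlsec-related fixes.

Added example for this article; not PicketLink or JBoss AS code.
Assumed layout (standard AS 7 module paths):
  <modules>/org/apache/santuario/xmlsec/main/module.xml
  <modules>/javax/api/main/module.xml
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

MODULE_NS = "{urn:jboss:module:1.1}"
# Package javax.api must export so TransformBase64Decode (Problem 2) resolves.
REQUIRED_PATH = "com/sun/org/apache/xml/internal/security/transforms/implementations"
# xmlsec version PicketLink 2.1.x was updated to (Problem 1).
MIN_XMLSEC = (1, 5, 1)


def xmlsec_version(module_xml):
    """Version tuple taken from the xmlsec-<ver>.jar resource-root, or None."""
    root = ET.fromstring(module_xml)
    for res in root.iter(MODULE_NS + "resource-root"):
        m = re.fullmatch(r"xmlsec-(\d+)\.(\d+)\.(\d+)\.jar", res.get("path", ""))
        if m:
            return tuple(int(g) for g in m.groups())
    return None


def exports_transform_package(module_xml):
    """True if an exported <system> block of the module lists REQUIRED_PATH."""
    root = ET.fromstring(module_xml)
    for system in root.iter(MODULE_NS + "system"):
        if system.get("export") != "true":
            continue
        if any(p.get("name") == REQUIRED_PATH for p in system.iter(MODULE_NS + "path")):
            return True
    return False


def audit(modules_root):
    """Run both checks against a modules directory; returns a list of findings."""
    modules_root = Path(modules_root)
    findings = []
    xmlsec = modules_root / "org/apache/santuario/xmlsec/main/module.xml"
    javax = modules_root / "javax/api/main/module.xml"

    version = xmlsec_version(xmlsec.read_text()) if xmlsec.is_file() else None
    if version is None:
        findings.append("xmlsec: module.xml missing or jar version not recognised")
    elif version < MIN_XMLSEC:
        findings.append("xmlsec %s is older than %s required by PicketLink 2.1.x"
                        % (".".join(map(str, version)), ".".join(map(str, MIN_XMLSEC))))

    if not javax.is_file() or not exports_transform_package(javax.read_text()):
        findings.append("javax.api does not export " + REQUIRED_PATH)
    return findings


# Constructed sample descriptors; not copied from any AS release.
OLD_XMLSEC = """<module xmlns="urn:jboss:module:1.1" name="org.apache.santuario.xmlsec">
    <resources>
        <resource-root path="xmlsec-1.4.5.jar"/>
    </resources>
</module>"""
NEW_XMLSEC = OLD_XMLSEC.replace("xmlsec-1.4.5.jar", "xmlsec-1.5.1.jar")

JAVAX_API_UNFIXED = """<module xmlns="urn:jboss:module:1.1" name="javax.api">
    <dependencies>
        <system export="true">
            <paths>
                <path name="javax/xml/crypto"/>
            </paths>
        </system>
    </dependencies>
</module>"""
JAVAX_API_FIXED = JAVAX_API_UNFIXED.replace(
    '<path name="javax/xml/crypto"/>',
    '<path name="javax/xml/crypto"/>\n                <path name="%s"/>' % REQUIRED_PATH)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_modules.py /path/to/jboss-as/modules
        for line in audit(sys.argv[1]) or ["both checks passed"]:
            print(line)
    else:
        print("sample xmlsec 1.4.5 below minimum:", xmlsec_version(OLD_XMLSEC) < MIN_XMLSEC)
        print("sample javax.api fixed:", exports_transform_package(JAVAX_API_FIXED))
```

Run it with the path to the AS modules directory to list which of the two fixes is missing; without arguments it exercises the constructed samples. The export check deliberately looks only at <system export="true"> blocks, because a path listed under a non-exported system block would not be visible to the deployment either.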

Problem 3: Xalan Issues

When using the PDP that ships with PicketLink, you may see the following problem:

rg.picketlink.identity.federation.core.saml.v2.util.DocumentUtil.getNodeFromSource(DocumentUtil.java:480) [picketlink-core-2.1.0-SNAPSHOT.jar:2.1.0-SNAPSHOT]
        ... 40 more
Caused by: org.w3c.dom.DOMException: NAMESPACE_ERR: An attempt is made to create or change an object in a way which is incorrect with regard to namespaces.
        at org.apache.xerces.dom.AttrNSImpl.setName(AttrNSImpl.java:106)
        at org.apache.xerces.dom.AttrNSImpl.<init>(AttrNSImpl.java:75)
        at org.apache.xerces.dom.CoreDocumentImpl.createAttributeNS(CoreDocumentImpl.java:2134)
        at org.apache.xerces.dom.ElementImpl.setAttributeNS(ElementImpl.java:657)
        at org.apache.xalan.xsltc.trax.SAX2DOM.startElement(SAX2DOM.java:148)
        at org.apache.xml.serializer.ToXMLSAXHandler.closeStartTag(ToXMLSAXHandler.java:206)
        at org.apache.xml.serializer.ToSAXHandler.flushPending(ToSAXHandler.java:279)
        at org.apache.xml.serializer.ToXMLSAXHandler.startElement(ToXMLSAXHandler.java:646)
        at org.apache.cxf.staxutils.StaxSource.parse(StaxSource.java:138)
        at org.apache.cxf.staxutils.StaxSource.parse(StaxSource.java:274)
        at org.apache.xalan.xsltc.trax.TransformerImpl.transformIdentity(TransformerImpl.java:576)
        at org.apache.xalan.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:630)
        ... 42 more

What we have found out (we are still discussing it with the JBoss AS team) is that this error goes away if the Apache Xalan 2.7.1 library is downloaded from the Apache website and added to the xalan module in JBoss AS 7.1.2.

You can download the working Apache Xalan library from this article; see the attachments.