I have an existing SOAP-based web service and I am trying to implement Spring web service security in it using 'XwsSecurityInterceptor' and 'SpringDigestPasswordValidationCallbackHandler'. This is what my Spring configuration looks like.
I am deploying this application on JBoss 7.1 AS. While the application boots up, the following exception is thrown. It complains that 'com.sun.xml.wss.XWSSecurityException' is not found.
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.ws.soap.addressing.server.AnnotationActionEndpointMapping#0': Invocation of init method failed; nested exception is java.lang.NoClassDefFoundError: com/sun/xml/wss/XWSSecurityException
Caused by: java.lang.ClassNotFoundException: com.sun.xml.wss.XWSSecurityException
Now I am trying to understand the root cause of that issue. So I am starting with the POM file.
The following dependencies are in the pom.
<dependency>
    <groupId>org.springframework.ws</groupId>
    <artifactId>spring-ws-core</artifactId>
    <version>${org.springframework.ws.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.ws</groupId>
    <artifactId>spring-ws-security</artifactId>
    <version>${org.springframework.ws.version}</version>
</dependency>
<dependency>
    <groupId>com.sun.xml.wss</groupId>
    <artifactId>xws-security</artifactId>
    <version>3.0</version>
</dependency>
<dependency>
    <groupId>javax.activation</groupId>
    <artifactId>activation</artifactId>
    <version>1.1.1</version>
</dependency>
<dependency>
    <groupId>javax.xml</groupId>
    <artifactId>xmldsig</artifactId>
    <version>1.0</version>
</dependency>
As a part of my R&D, I went down to the older (2.1.2) versions of 'spring-ws-core' and 'spring-ws-security' along with the '1.0.2' version of 'sjsxp'. The application started and I got an authentication error when I gave an invalid password. The application responds fine if I give the correct credentials. This is what I want to achieve with the latest version of these jars.
Now I want to know why it is missing with 2.3.0/2.4.0.
So I tried 'mvn dependency:tree -Dverbose' and found that the 2.1.2 version brings 'xws-security' along with it.
So I thought of adding that dependency.
<dependency>
    <groupId>com.sun.xml.wss</groupId>
    <artifactId>xws-security</artifactId>
    <version>3.0</version>
</dependency>
Now that is forcing me to add two more dependencies. I added those too.
<dependency>
    <groupId>javax.activation</groupId>
    <artifactId>activation</artifactId>
    <version>1.1.1</version>
</dependency>
<dependency>
    <groupId>javax.xml</groupId>
    <artifactId>xmldsig</artifactId>
    <version>1.0</version>
</dependency>
But the second one, 'xmldsig', is missing in the Maven repository. I can download it and manually add it to my local m2 repo, but I would like to fix it in a proper way. While searching I came across this thread: http://maven.40175.n5.nabble.com/where-to-get-xmldsig-1-0-jar-td92435.html
There someone is talking about an alternative.
And I could see that this is available inside the 2.3.0 version of 'spring-ws-security:jar'.
Now my question is, what needs to be avoided/added so that the application boots up with the latest version of the jars? Fingers crossed...
Sometimes you need to be a software archaeologist in order to debug these things.
Looking at the pom for spring-ws-security:2.4.0.RELEASE you can see that the xws-security:3.0 dependency is optional (amongst others). You would need to read the spring-ws-security documentation to determine which optional dependencies you should include.
Assuming that you have decided that you need the xws-security module, you need to have a look at its pom, which is where the archaeology comes into play. This module dates back to 2008, a period when Java 5 was still being supported. Java 6 (and/or Java EE) and newer support all of the APIs in this artifact's dependency list. Including any of them in your build or deployment artefacts is a recipe for pain.
Therefore you should exclude them:
<dependency>
    <groupId>com.sun.xml.wss</groupId>
    <artifactId>xws-security</artifactId>
    <version>3.0</version>
    <exclusions>
        <exclusion>
            <!-- Part of JDK -->
            <groupId>javax.xml.soap</groupId>
            <artifactId>saaj-api</artifactId>
        </exclusion>
        <exclusion>
            <!-- Part of Java EE -->
            <groupId>javax.mail</groupId>
            <artifactId>mail</artifactId>
        </exclusion>
        <exclusion>
            <!-- Part of JDK -->
            <groupId>javax.xml.bind</groupId>
            <artifactId>jaxb-api</artifactId>
        </exclusion>
        <exclusion>
            <!-- Part of JDK -->
            <groupId>javax.xml.stream</groupId>
            <artifactId>stax-api</artifactId>
        </exclusion>
        <exclusion>
            <!-- Part of JDK -->
            <groupId>javax.xml.crypto</groupId>
            <artifactId>xmldsig</artifactId>
        </exclusion>
        <exclusion>
            <!-- Part of JDK -->
            <groupId>javax.xml.ws</groupId>
            <artifactId>jaxws-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>
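Added example, not part of the original answer: a maven-enforcer-plugin `bannedDependencies` rule that fails the build if any of the artifacts excluded above is pulled back in transitively by another dependency. The plugin version and the execution id are assumptions chosen for illustration.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- Version is an assumption; use the one your build standardises on -->
      <version>3.4.1</version>
      <executions>
        <execution>
          <!-- Execution id is an arbitrary name chosen for this example -->
          <id>ban-platform-api-jars</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- Inspect transitive dependencies too, since that is how
                     these jars arrive through xws-security -->
                <searchTransitive>true</searchTransitive>
                <excludes>
                  <!-- Same groupId:artifactId pairs as the exclusions
                       listed in the answer above -->
                  <exclude>javax.xml.soap:saaj-api</exclude>
                  <exclude>javax.mail:mail</exclude>
                  <exclude>javax.xml.bind:jaxb-api</exclude>
                  <exclude>javax.xml.stream:stax-api</exclude>
                  <exclude>javax.xml.crypto:xmldsig</exclude>
                  <exclude>javax.xml.ws:jaxws-api</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
            <!-- Break the build rather than only logging a warning -->
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in the pom, a later dependency upgrade that reintroduces one of these API jars is reported at build time with the offending dependency path, instead of surfacing as a class-loading conflict on the application server.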