使用org.apache.wss4j工件来支持在Play Framework(Java版)应用程序内调用的SOAP服务的ws-security部分导致以下情况:
java.util.concurrent.CompletionException: java.lang.RuntimeException: java.lang.VerifyError: Bad type on operand stack
Exception Details:
Location:
org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.validateSignedEncryptedPolicies(Ljava/util/List;Ljava/util/List;Ljava/util/List;Lorg/apache/cxf/message/Message;)Z @28: invokespecial
Reason:
Type 'org/apache/wss4j/policy/model/EncryptedParts' (current frame, stack[1]) is not assignable to 'org/apache/wss4j/policy/model/SignedParts'
Current Frame:
bci: @28
flags: { }
locals: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'java/util/List', 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
stack: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'org/apache/wss4j/policy/model/EncryptedParts', integer, 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
Bytecode:
0x0000000: 2a2a b400 2d03 2c2b 1904 b700 2e9a 0005
0x0000010: 03ac 2a2a b400 2f04 2d2b 1904 b700 2e9a
0x0000020: 0005 03ac 2a2a b400 3003 2c2b 1904 b700
0x0000030: 319a 0005 03ac 2a2a b400 3203 2d2b 1904
0x0000040: b700 31ac
Stackmap Table:
same_frame(@18)
same_frame(@36)
same_frame(@54)
... suppressed 8 lines
Caused by: java.lang.RuntimeException: java.lang.VerifyError: Bad type on operand stack
Exception Details:
Location:
org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.validateSignedEncryptedPolicies(Ljava/util/List;Ljava/util/List;Ljava/util/List;Lorg/apache/cxf/message/Message;)Z @28: invokespecial
Reason:
Type 'org/apache/wss4j/policy/model/EncryptedParts' (current frame, stack[1]) is not assignable to 'org/apache/wss4j/policy/model/SignedParts'
Current Frame:
bci: @28
flags: { }
locals: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'java/util/List', 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
stack: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'org/apache/wss4j/policy/model/EncryptedParts', integer, 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
Bytecode:
0x0000000: 2a2a b400 2d03 2c2b 1904 b700 2e9a 0005
0x0000010: 03ac 2a2a b400 2f04 2d2b 1904 b700 2e9a
0x0000020: 0005 03ac 2a2a b400 3003 2c2b 1904 b700
0x0000030: 319a 0005 03ac 2a2a b400 3203 2d2b 1904
0x0000040: b700 31ac
Stackmap Table:
same_frame(@18)
same_frame(@36)
same_frame(@54)
at ir.iais.playCommons.utils.F$Promise$1.get(F.java:232) ~[play-commons_2.11-2017.0.2.12-SNAPSHOT.jar:2017.0.2.12-SNAPSHOT]
...
... 5 more
Caused by: java.lang.VerifyError: Bad type on operand stack
Exception Details:
Location:
org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.validateSignedEncryptedPolicies(Ljava/util/List;Ljava/util/List;Ljava/util/List;Lorg/apache/cxf/message/Message;)Z @28: invokespecial
Reason:
Type 'org/apache/wss4j/policy/model/EncryptedParts' (current frame, stack[1]) is not assignable to 'org/apache/wss4j/policy/model/SignedParts'
Current Frame:
bci: @28
flags: { }
locals: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'java/util/List', 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
stack: { 'org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator', 'org/apache/wss4j/policy/model/EncryptedParts', integer, 'java/util/List', 'java/util/List', 'org/apache/cxf/message/Message' }
Bytecode:
0x0000000: 2a2a b400 2d03 2c2b 1904 b700 2e9a 0005
0x0000010: 03ac 2a2a b400 2f04 2d2b 1904 b700 2e9a
0x0000020: 0005 03ac 2a2a b400 3003 2c2b 1904 b700
0x0000030: 319a 0005 03ac 2a2a b400 3203 2d2b 1904
0x0000040: b700 31ac
Stackmap Table:
same_frame(@18)
same_frame(@36)
same_frame(@54)
at org.apache.cxf.ws.security.wss4j.policyvalidators.ValidatorUtils.configureSupportingTokenValidators(ValidatorUtils.java:97) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
at org.apache.cxf.ws.security.wss4j.policyvalidators.ValidatorUtils.(ValidatorUtils.java:46) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.doResults(PolicyBasedWSS4JInInterceptor.java:576) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:277) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:171) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:80) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66) ~[cxf-rt-ws-security-3.1.7.jar:3.1.7]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1670) ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1551) ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1348) ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:651) ~[cxf-rt-transports-http-3.1.7.jar:3.1.7]
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277) ~[cxf-core-3.1.7.jar:3.1.7]
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) ~[cxf-rt-frontend-simple-3.1.7.jar:3.1.7]
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139) ~[cxf-rt-frontend-jaxws-3.1.7.jar:3.1.7]
at com.sun.proxy.$Proxy124.sendMessageToConsignee(Unknown Source) ~[?:?]
at ir.iais.rasam.services.AnnouncementAboutDeclarationService$1.get(AnnouncementAboutDeclarationService.java:61) ~[classes/:?]
at ir.iais.rasam.services.AnnouncementAboutDeclarationService$1.get(AnnouncementAboutDeclarationService.java:48) ~[classes/:?]
at ir.iais.playCommons.utils.F$Promise$1.get(F.java:230) ~[play-commons_2.11-2017.0.2.12-SNAPSHOT.jar:2017.0.2.12-SNAPSHOT]
...
... 5 more
The used modules of org.apache.wss4j artifacts are these:
"org.apache.wss4j" % "wss4j-bindings" % wss4jversion,
"org.apache.wss4j" % "wss4j-policy" % wss4jversion,
"org.apache.wss4j" % "wss4j-ws-security-dom" % wss4jversion,
"org.apache.wss4j" % "wss4j-ws-security-stax" % wss4jversion,
"org.apache.wss4j" % "wss4j-integration" % wss4jversion,
"org.apache.wss4j" % "wss4j-ws-security-policy-stax" % wss4jversion,
"org.apache.wss4j" % "wss4j-ws-security-common" % wss4jversion,
其中
wss4jVersion是:val wss4jVersion = "2.1.10"
通过搜索此部分:
Type ... (current frame, stack[1]) is not assignable to ...,我找到了this page,该问题是来自JVM的。但是,此Q / A是针对2013年的,现在必须解决此错误。此外,如果我用
org.apache.wss4j替换"org.apache.ws.security" % "wss4j" % "1.6.18"工件中的所有上述依赖项(这意味着降级软件包),则问题将得到解决,服务调用将成功进行。现在我的问题是:该漏洞在哪里说谎?在JVM或WSS4J或Play框架中?
Play框架版本:2.5.8
Java版本“ 1.8.0_121”
Java(TM)SE运行时环境(内部版本1.8.0_121-b13)
最佳答案
该问题是由Apache CXF运行时和WSS4J之间的版本不兼容引起的。cxf-rt-ws-security 3.1.7 depends on wss4j-policy 2.1.7,但是您使用wss4j-policy 2.1.10。
字节码验证程序失败,因为不能再将EncryptedParts中的wss4j-policy类分配给SignedParts(尽管在早期版本中,这些类位于相同的层次结构中)。
有两种方法可以解决此问题:
将Apache CXF运行时升级到版本3.1.11或更高版本;
将Apache WSS4J降级到2.1.7或更低版本。