Balana "evaluate" command causing NoClassDefFoundError - wso2

I got a jar for balana 1.0.5 from here:
http://maven.wso2.org/nexus/content/groups/wso2-public/org/wso2/balana/org.wso2.balana/1.0.5/
I have an instance of the PDP with no configuration, and I'm trying to pass it a sample XACML request string just to see if I can get output. After that I can work on giving the PDP a policy configuration to run with, but I get this error when calling evaluate.
Caused by: java.lang.NoClassDefFoundError: org/apache/xerces/util/SecurityManager
at org.wso2.balana.utils.Utils.getSecuredDocumentBuilderFactory(Utils.java:107)
at org.wso2.balana.Balana.<init>(Balana.java:215)
at org.wso2.balana.Balana.getInstance(Balana.java:228)
at org.wso2.balana.ctx.RequestCtxFactory.getXacmlRequest(RequestCtxFactory.java:173)
at org.wso2.balana.ctx.RequestCtxFactory.getRequestCtx(RequestCtxFactory.java:87)
at org.wso2.balana.PDP.evaluate(PDP.java:119)
I'd like to know if I'm using the wrong source or if I'm using the right source improperly.
Is this from using the 1.0.5 balana?
Is this from using the jar instead of the source files?
Should I be downloading using mvn rather than browsing the wso2 maven repository?
I've tried tracking down the xercesimpl.jar which contains references to SecurityManager, but when I import that to the classpath, it breaks some w3c xml stuff which otherwise works fine. Is there a version of balana which uses System's SecurityManager rather than trying to depend on xerces?
I also tried loading the K-Market sample with the same 1.0.5 jar and I get the same error, and again with the 1.0.4 jar, but it stops happening with a different error if I go to the 1.0.3 jar.

Yes, the 1.0.5 balana contains a dependency that isn't present in the jar.
Maybe, but not likely, since the source files, assuming they're the same, would still contain the same dependencies.
No idea. I still haven't figured out maven 100% yet.
I think so. The error stops happening when backtracking to the balana 1.0.3 jar.

Related

Leiningen raises "Tried to use insecure HTTP repository without TLS." but for which dependency?

I'm using Leiningen to run a Clojure project on my Raspberry Pi 3 (running stretch). Previously I used version 2.7.1 with no problems, but after upgrading to the latest version of lein (2.8.1) I now get this error for some of the dependencies (but not others):
Tried to use insecure HTTP repository without TLS
However, lein doesn't tell me which dependencies are causing problems, so how do I discover which ones cause this error?
Also, is it possible to disable this security feature for certain dependencies? I'm only running on a home network, so I consider this acceptable.
Answer edited after a comment correctly pointed out that the first method was showing only the immediate dependencies.
Generate the Maven POM:
lein pom
Wrote .../pom.xml
Following this answer for Java https://stackoverflow.com/a/3270067/561422, use the Maven dependency plugin:
mvn dependency:purge-local-repository > raw.txt
Open raw.txt in an editor and search for the string http:; that should put you on the right track.
For example with Unix command-line tools:
Unsafe repos (searching for http:):
grep http: raw.txt
Downloading from example: http://unsafe.example.org
[Note: this is not my preferred solution, but it got my project working again].
Use Leiningen 2.7.1, which doesn't have such strict security checks. Download from:
https://raw.githubusercontent.com/technomancy/leiningen/2.7.1/bin/lein
It's a bit difficult to see which extension causes the problem as they can include other deps as well.
You can still download the extension though.
From the lein FAQ:
This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project, you can re-enable support for unprotected repositories by putting this at the top of your project.clj file:
;; allow insecure downloads
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
"http" #(org.apache.maven.wagon.providers.http.HttpWagon.))
For me this worked on several older projects that were not updated. In the logs you can easily track which package was downloaded via http.
So this answers the "Is it possible to disable the security feature" question from the OP.
The other question seems to have an answer on StackOverflow already. Display complete dependency tree with Leiningen
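
Added example (not part of the original answers), extending the "grep http: raw.txt" step from the first answer: it reduces the Maven log to the repository id, host and artifact file of every plain-HTTP download, so the dependency that needs a TLS repository is named directly. It assumes the "Downloading from <id>: <url>" log format shown above; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Report which artifacts a Maven run fetched over plain HTTP.

# insecure_downloads [LOG]
# Reads a Maven log (file argument or stdin) and prints
# "<repo-id> <host> <file>" for each download from an http:// URL.
insecure_downloads() {
  awk '
    {
      for (i = 1; i + 3 <= NF; i++) {
        if ($i !~ /^Download(ing|ed)$/ || $(i + 1) != "from") continue
        url = $(i + 3)
        if (url !~ /^http:\/\//) continue    # https:// downloads are skipped
        id = $(i + 2); sub(/:$/, "", id)     # "example:" -> "example"
        n = split(url, part, "/")            # http: / "" / host / path... / file
        file = (n > 3 && part[n] != "") ? part[n] : "-"
        print id, part[3], file
      }
    }' "$@" | sort -u
}

# insecure_repos [LOG]
# Prints "<repo-id> <host>" once per repository contacted over plain HTTP.
insecure_repos() {
  insecure_downloads "$@" | awk '{ print $1, $2 }' | sort -u
}

# Constructed sample log (not real output): one HTTPS repo, one HTTP repo.
sample_log() {
  cat <<'EOF'
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/clojure/clojure/1.8.0/clojure-1.8.0.pom
Downloading from example: http://unsafe.example.org/repo/com/example/legacy-lib/0.3/legacy-lib-0.3.pom
Downloaded from example: http://unsafe.example.org/repo/com/example/legacy-lib/0.3/legacy-lib-0.3.pom (1.2 kB at 4.0 kB/s)
[INFO] Downloading from example: http://unsafe.example.org/repo/com/example/legacy-lib/0.3/legacy-lib-0.3.jar
EOF
}

sample_log | insecure_downloads
```

On a real project, run it as insecure_downloads raw.txt; each repository id it prints is the one to re-declare with an https:// URL in project.clj.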

WSO2 ESB won't start and won't say why

I'm stuck on a problem with WSO2 ESB that I can't figure out and believe...
I've installed an ESB locally for testing my implementation. I added a custom mediator to the component library in my installation dir. I restarted the ESB and everything was fine, but I had an error in my mediator. I stopped the ESB and wanted to start it again. No errors, no logs, nothing, just this information in the logs:
C:\Tools\esb\wso2esb-5.0.0\bin>wso2server.bat
JAVA_HOME environment variable is set to C:\Program Files\Java\jre8
CARBON_HOME environment variable is set to C:\Tools\WSO2ES~1.0\bin\..
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support
log4j:WARN No appenders could be found for logger (org.wso2.securevault.commons.MiscellaneousUtil).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
After a while searching for what could have happened, I removed the jar. Same behavior. I created a brand new installation and started it -> same behavior.
I feel kind of lost as there's no logs, no errors, no timeout, nothing just those 5 lines of logs... Please help me!
ESB Version 5.0.0
Thanks and cheers,
Frédéric
I've found a part of an answer. Or at least I've a theory:
I put my jar-with-dependencies in the lib directory => we should add only the compiled jar file without dependencies and add the external dependencies manually as well in the lib folder! I had a JUnit library in my jar-with-dependencies, therefore I probably got this log4j error.
For the problem with the new installation: somehow, when you have started your ESB inside a console in Windows and you don't close it and switch to a new installation folder, it still starts the old installation instead of the new one. Therefore I thought that the errors were still coming or something like this, probably because the JVM wasn't shut down correctly. Or at least that's what I expect!
I think that your CARBON_HOME should be C:\Tools\WSO2ES~1.0\ (without bin in the path).
Not sure if this can be the only reason.

WSO2 Carbon server - error when launching

I'm trying to run wso2 api manager from the source code. I downloaded carbon4kernel and the product-apim as stated on the site. The code builds successfully and imports into eclipse, but I can't launch the carbon server.
When I execute wso2server.sh I get the following:
Error: Could not find or load main class org.wso2.carbon.launcher.Main
Even if I add the class to the classpath, it finds the Main class, but I get:
SEVERE {org.wso2.carbon.launcher.Main} - org/osgi/framework/launch/FrameworkFactory
This is using the C5 server (although the download seems to suggest carbon4) and apiman 1.9.1.
It's worth noting that the binary distribution works straight out of the box, but uses an older version of carbon (AXIS2-based), while the source code version uses OSGi.
Does anyone have this working, or can anyone point me to where it's going wrong, please?
We don't have any products released on top of C5. So basically at the moment you cannot build API Manager with C5.
About building and running C5, which wso2server.sh did you try to run? I guess you tried the one at distribution/kernel/carbon-home/bin/wso2server.sh. If that is the case, it won't work. What you need to do is build the project from the root pom.xml and take the built zip file at distribution/kernel/target. Unzip it and try the wso2server.sh in the bin directory.
Alternatively, without building from source, you can download and try the C5 kernel binary from https://github.com/wso2/carbon-kernel/releases/tag/v5.0.0

WSO2 ESB 4.6.0 classpath issue: httpclient classes cannot be found

On WSO2ESB 4.6.0, I want to deploy a service that depends on redmine-java-api version 1.23. When I look at the maven dependencies of the library, I see it requires httpclient 4.2. Although I put the httpclient jar in the $ESB_HOME/repository/components/lib folder, I get the exception:
java.lang.ClassNotFoundException: org.apache.http.impl.conn.PoolingClientConnectionManager.
Inside the jar, there is a package named org.apache.http.impl.conn and that package contains the class definition of PoolingClientConnectionManager.
I cannot figure out the problem. What could be the possible solution?
I am not sure about the exact solution, but there is an httpclient jar file that is shipped with WSO2ESB by default. I think it is the httpclient 4.1.X jar, which does not contain the "PoolingClientConnectionManager" class. In the OSGI runtime, this jar file may be set as the dependency for redmine-java-api (not your httpclient 4.2). However, you can get some idea by starting the WSO2ESB with the OSGI console.
sh wso2server.sh -DosgiConsole
Using the OSGI console, you can check which jar files expose the "org.apache.http.impl.conn" package to the OSGI runtime of the WSO2ESB. It also lists all the bundles which use the given package. Please use the following command.
packages org.apache.http.impl.conn
Have you imported the package in the MANIFEST.INF file of the bundle?

run jetty-runner with jre's java.exe

Is there any way that I can run my war file in jetty-runner using the jre's java.exe? If I run it using the jdk's java.exe it's working fine. But when I run it using the jre's java.exe, Spring and Tiles are not working properly. I'm getting the following exception.
org.apache.tiles.impl.CannotRenderException: ServletException including path '/W..
Jetty itself can run fine with the jre like that, but if you're using things like jsp's, which require a jdk to compile, then you would need a jdk, or monkey with the classpath and jsp settings to make sure it uses the ejc dependency we distribute with our jsp jars. That's all assuming that it is spring/tiles there that are using jsps; if they have some other requirement on the jdk, I can't say.
Assuming jsps again, alternately look into precompiling those jsps if you absolutely have to run with the jre. There are a number of approaches for that, we have a maven plugin for it 'org.mortbay.jetty:jetty-jspc-maven-plugin' and I know there are ant tasks for it as well.
cheers