CXF web service client: "Cannot create a secure XMLInputFactory" - web-services

I am wrote and deployed a CXF web service into a Tomcat server using the instructions here. The web service deploys fine as I can see the WSDL file in a web browser.
My standalone Java client program doesn't work though. Here is the code:
System.out.println("Creating client");
Properties properties = System.getProperties();
properties.put("org.apache.cxf.stax.allowInsecureParser", "1");
System.setProperties(properties);
JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
factory.setServiceClass(ExampleWebService.class);
factory.setAddress("http://X.X.X.X:9090/WebServices/ExampleWebService");
ExampleWebService exampleWebService = (ExampleWebService)factory.create();
System.out.println("Done creating client");
exampleWebService.method1("test");
System.out.println("After calling method1");
I copied all the jar files (including the woodstox-core-asl-4.2.0.jar file) from the CXF 2.7.7 distribution into the client program's classpath, and when I run the client I get the following exception:
Creating client
Nov 20, 2013 8:05:26 PM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
INFO: Creating Service {http://webservices.server/}ExampleWebServiceService from class server.webservices.ExampleWebService
Done creating client
javax.xml.ws.soap.SOAPFaultException: Cannot create a secure XMLInputFactory
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
at $Proxy38.printString(Unknown Source)
at ExampleNmsWebServiceClient.printString(ExampleNmsWebServiceClient.java:29)
at ExampleNmsWebServiceClient.main(ExampleNmsWebServiceClient.java:40)
Caused by: org.apache.cxf.binding.soap.SoapFault: Cannot create a secure XMLInputFactory
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:84)
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:51)
at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:40)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1606)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1502)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
... 3 more
I found a page saying the "Cannot create a secure XMLInputFactory" can be fixed by setting the org.apache.cxf.stax.allowInsecureParser property to "1", which is why I tried to set it in the System properties, but that didn't work. I also tried to add -Dorg.apache.cxf.stax.allowInsecureParser=1 to the java command that runs the client, but that didn't work either. (Nor did setting it to "true" instead of 1.) Any ideas on how to solve this error?

Had this problem when upgrading from CXF 2.3.x to 2.7.x
Added stax2-api and woodstox-core-asl jars from the 2.7.x CXF distribution and the webservice works again.

Since version 2.7.4, CXF added a feature in order to ensure that the XMLInputFactory is secured and loaded from woodstox (>= 4.2.x packages, see StaxUtil implementation) in order to deal with a Denial of Service vulnerability
But the fact is that in a J2EE environment, by default, webservices-rt.jar has the priority over war libs (and then over the woodstock jar). That is why the non-secure implementation is loaded, triggering the exception.
Turning off the org.apache.cxf.stax.allowInsecureParser property, is not an option as it brings back the DOS vulnerability.
In order to make the class loader to prefer woodstox (ear/war lib) over webservices-rt.jar (j2ee lib), the solution depends on your application server and is described in CXF application server specific configuration guide

I had similar problem
After adding this -Dorg.apache.cxf.stax.allowInsecureParser=1 to the JAVA_OPTIONS in setDomainEnv.sh, It is working fine now.

I had this problem on weblogic and fixed the problem by adding this to my weblogic-application.xml
<prefer-application-packages>
<package-name>com.ctc.wstx.*</package-name>
</prefer-application-packages>

Check for any other versions of woodstox that may be found on the classpath or in the jre's lib/endorsed or similar. It sounds like an older 4.1 version may be picked up.

I had the same problem whenI upgraded CXF to 2.7.x. I resolved this by adding following dependencies in POM
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>stax2-api</artifactId>
<version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>woodstox-core-asl</artifactId>
<version>4.4.1</version>
</dependency>

There was not an answer here that describes the root cause of this error message for my issue. We had transitive dependencies on both a new version
woodstox-core-asl-4.2.0.jar
and and old
wstx-asl-3.2.1.jar
Excluding the old version from our build did the trick.
If you dig into the bowels of the old version, you'll find that it fails with an exception that ends up getting wrapped in another exception with this generic message that is not very informative.

I hit this issue and it was because, when i upgraded from an older version of cxf, i did not change stax-api-*.jar to stax2-api-*.jar in my client classpath.

If you upgrade to 3.0.0 or later, you shouldn't add woodstock dependencies

Interestingly I had this issue in docker container and not while running it on tomcat server.
The problem that I faced was that the project had another lower version of wstx-asl-3.2.7 and the class loader probably could have loaded this versions first.
I got rid of it and the necessary woodstox was considered and the problem was solved.

The problem was some missing CXF jar files in the web service deployment on the server. This was tough to debug because there were no errors on the server.

In my case there were two jars (Cxf 3.0.1, Jboss 7.1.1)
javax.xml.stream:stax-api:jar:1.0-2:compile
org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
I removed the 1st one and it started working

from my end, I had to do both remove the stax-api-1.0-2.jar (leaving stax2-api-3.1.4.jar & woodstock 4.4 jar) and specify in the weblogic-application.xml at the end of it:
.
.
<package-name>com.ctc.wstx.*</package-name>
<package-name>org.codehaus.stax2.*</package-name>
</prefer-application-packages>

I had this problem on weblogic, Application get Deployed Successfully but when i fired the soap-request then i got this fault : Cannot create a secure XMLInputFactory.
fixed the problem by adding this package to weblogic-application.xml
com.ctc.wstx.*

I looked through my dependencies to find version conflicts with woodstox or stax-api.
Turns out that axis2-transport-http introduced these conflicts.
If you happen to have this dependency as well, add the following exclusion to your pom dependency that introduced it
<exclusions>
<exclusion>
<groupId>org.apache.axis2</groupId>
<artifactId>axis2-transport-http</artifactId>
</exclusion>
</exclusions>

I can solve this problem by adding weblogic.xml in the WEB-INF folder of my app with the following code:
<prefer-web-inf-classes>false</prefer-web-inf-classes>
<prefer-application-packages>
<package-name>com.ctc.*</package-name>
</prefer-application-packages>

1: -Dorg.apache.cxf.stax.allowInsecureParser=1 to the JAVA_OPTIONS
or
2: rename woodstox-core-asl-4.4.1.jar -> awoodstox-core-asl-4.4.1.jar

Related

SOAP UI 5.7.0: Error The server selected protocol version TLS10 is not accepted by client preferences [TLS12]

In SOAP latest version 5.7.0, trying to check SOAP request for java based application. But, getting below error. Tried multiple options provided over stack overflow to update "set JAVA_OPTS=%JAVA_OPTS% -Dsoapui.https.protocols="TLSv1.2" in soapui batch file and "-Dsoapui.https.protocols=TLSv1.2" in SoapUI-5.7.0.vmoptions file. Also, try to update same at java level as well. Still same issue is occuring.
ERROR:Exception in request: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
FYI, this was working in previous version of SOAP but after upgrade same thing is not working as expected.
It will be helpful that solution is provided for same.
Solution on TLS related error in latest SOAP UI 5.7.0
Try with following:
Open "C:\Program Files\SmartBear\SoapUI-5.7.0\bin\SoapUI-5.7.0.vmoptions"
Append -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.0 if it's not there already.
Then Open "C:\Program Files\SmartBear\SoapUI-5.7.0\jre\conf\security\java.security"
Find jdk.tls.disabledAlgorithms, either comment it with # or remove specific versions, e.g. TLSv1, TLSv1.1
Restart SoapUI and try again.

Missing wso2is stub maven dependencies

I'm trying to migrate my project from wso2is-5.2.0 to wso2is-5.3.0.
My project has dependencies to many wso2is stub.
For exemple for oauth2 webservices I have
<dependency>
<groupId>org.wso2.carbon.identity</groupId>
<artifactId>org.wso2.carbon.identity.oauth.stub</artifactId>
<version>5.1.3</version>
</dependency>
witch is available in wso2is nexus repository :
http://maven.wso2.org/nexus/content/repositories/releases/org/wso2/carbon/identity/org.wso2.carbon.identity.oauth.stub/5.1.3/
in wso2is-5.3 according to $wso2is_home/repository/components/plugins the stub is now in version 5.3.4
witch in not available in
http://maven.wso2.org/nexus/content/repositories/releases/org/wso2/carbon/identity/org.wso2.carbon.identity.oauth.stub/
Same problem for artifacts
org.wso2.carbon.identity.user.registration.stub
org.wso2.carbon.identity.mgt.stub
org.wso2.carbon.user.mgt.stub
org.wso2.carbon.authenticator.stub
org.wso2.carbon.um.ws.api.stub
I cannot keep previous version because wso2is-52 client stub calling wso2is-53 webservice I got error like this for exemple :
Caused by: java.lang.Exception: org.apache.axis2.databinding.ADBException: Unexpected subelement {http://dto.oauth.identity.carbon.wso2.org/xsd}state
Are the correct version going to be deployed later or a new nexus repository exists somewhere else or did I missed something ?
Regards
The group ids of the identity components were changed due to some technical requirement. So you have to refer the dependencies with the new group ids.
The org.wso2.carbon.authenticator.stub group id should remain unchanged as org.wso2.carbon because it comes from carbon kernel. The group ids of the rest of the listed ones should be changed as follows.
org.wso2.carbon.identity.oauth.stub should have org.wso2.carbon.identity.inbound.auth.oauth2
org.wso2.carbon.identity.user.registration.stub, org.wso2.carbon.identity.mgt.stub, org.wso2.carbon.user.mgt.stub all should have org.wso2.carbon.identity.framework
org.wso2.carbon.um.ws.api.stub should have org.wso2.carbon.identity.user.ws

How to access CXF jars from Wildfly (Jboss) for ws endpoints

I've tried to deploy my war file in Wildfly 8.2. My application uses org.apache.cxf for web service. But Wildfly (Jboss) comes by default with its own cxf jars which can be provide full Java EE support. I could eliminate jboss cxf and utilise my own cxf jars for web services by
jboss-deployment-structure.xml
<jboss-deployment-structure>
<deployment>
<exclude-subsystems>
<subsystem name="webservices" />
</exclude-subsystems>
</deployment>
</jboss-deployment-structure>
But it'll disable ws support by jboss which means I can't even find ws endpoints in Jboss admin console. But my client needs to utilise jboss's build in ws features so that he can disable or enable any ws calls at any time. Does anyone know on how to configure my application to utilise jboss's cxf jars so that I can tune my ws in Jboss admin console at any time. The following link explains exactly the same which I've mentioned so far. I'm successfull with the first option, but I need it to work with second option.
http://cxf.apache.org/docs/application-server-specific-configuration-guide.html
Note: See the first topic ( JBoss Application Server )
I can't seem to figure out how I can configure my application to utilise jboss's cxf jars..!
If I remove all the org.apache.cxf dependencies from my build.gradle file, it give ClassNotFoundException error which infact tells me that it can find the cxf-transport jar.
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: org.apache.cxf.transport.servlet.CXFServlet
If I include org.apache.cxf dependenices in build.gradle file, it shows that it's conflicting with the cxf jar which is also present in Jboss. The whole problem is I need to utilise the cxf which is present in jboss for full Java EE support by eliminating the user defined cxf jars.
This is probably overlap with some other dependency what implies different version.
I had the same situation and had to test and remove all un-nesesery ones from org.apache.cxf, especially deprecated ones like:
cxf-rt-rs-extension-providers,
cxf-distribution-manifest,
cxf-bundle-jaxrs and
cxf-rt-frontend-jaxrs.
It is important for keeping compatibility to use ${cxf.version} for all
org.apache.cxf, especialy for later versions and check the dependency hierarchy if other dependencies are bringing in older cxf libraries.

Using jaxws causes Provider weblogic.webservice.core.soap.MessageFactoryImpl not found

We have created a websevice client using the jaxws-maven-plugin and validated that the WAR file works in our test environment. However, upon moving the same WAR file to production it now produces this error:
Caused by: javax.xml.soap.SOAPException: Unable to create message factory for SOAP:
Provider weblogic.webservice.core.soap.MessageFactoryImpl not found
at javax.xml.soap.MessageFactory.newInstance(MessageFactory.java:116)
Has anyone seen this and how was it resolved?
NOTE: We are deploying to a Glassfish server in both the TEST and PRODUCTION environments.
hmm seems like a simple cp setup issue - can you check/post the classpath on both of these environments? also check to see what is set for the javax.xml.soap.MessageFactor parameter in GF

A WebService annotation is not present on class: java.net.URL

i generated a webservice client in netbeans(jdk1.6) and target client to jdk1.5.03. Then i moved all libs to jdk1.5 classpath and when i run WS Client, i got: java.lang.ExceptionInInitializerErrorCaused by: A WebService annotation is not present on class: java.net.URL i generated it with wsimport.
Any suggestions?
I'm guessng that you probably either need to run JRE 1.6 on your target client, or set the target version to JDK 1.5 in NetBeans.
However, take a look at this link for other potential issues:
http://forum.springsource.org/showthread.php?71220-Consuming-web-services