Pitfalls of open source
Here's what you get for writing the only open source Web Services Security Implementation...Moral of the story, don't write open source code, apparently this is an easy task...and if you do in spite of my advice (oh man! you are in trouble), you need to make sure there is enough documentation that is up-to-date and *BE SURE* to answer *ALL* emails. If you don't then here is what's gonna happen to you.
Shaz,

Remember the NullPointerException I asked you about (the one you posted on the wss4j mailing list but nobody answered you)? I had sent a request for help to the authors of WSS4J (copied here in this email), but none of them had the courtesy of answering back, not even to say something like “Don’t know” or “Don’t have time to investigate”. That was very disappointing and shows a lack of professionalism. I am involved in tens of projects plus my involvement in developing Standard Specifications (at JCP, OASIS, etc…), and I did not have time to investigate that bug. If I had more time, I would have re-written a WSS implementation from scratch by myself.

Anyway, the bug was the result of very poor documentation. The person who listed the sample code at the end of the article http://ws.apache.org/ws-fx/wss4j/api.html forgot to mention that you need to call the method setUserInfo() on the encrypt and signer objects before trying to sign and/or encrypt a message. Having the Crypto object loaded from a crypto file in which you have specified the key alias and key password is not enough. You need to read these values (key alias and key password) from the crypto file and assign them to the signer and encrypt object prior to signing/encrypting. Also, make sure you use the latest version of xmlsec (use this version xmlsec-1.2.1.jar) because previous versions of xmlsec had a bug.

Regards,
Hamid.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Exception:
- Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
java.lang.NullPointerException
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineGetCertificateChain(Unknown Source)
at java.security.KeyStore.getCertificateChain(Unknown Source)
at org.apache.ws.security.components.crypto.Merlin.getCertificates(Merlin.java:469)
at org.apache.ws.security.message.WSSignEnvelope.build(WSSignEnvelope.java:249)
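Hamid's fix, written out as working code. This is an added example, not Hamid's code and not the WSS4J project's own sample: it assumes a WSS4J 1.x crypto.properties file that uses the Merlin provider, a DOM Document holding the SOAP envelope, and the class name SignWithWss4j; the alias and key-password property names are Merlin's own.

```java
import java.io.FileInputStream;
import java.util.Properties;

import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSignEnvelope;
import org.w3c.dom.Document;

public class SignWithWss4j {
    // Property names read by WSS4J's Merlin crypto provider.
    static final String ALIAS_PROP = "org.apache.ws.security.crypto.merlin.keystore.alias";
    static final String ALIAS_PW_PROP = "org.apache.ws.security.crypto.merlin.alias.password";

    // Signs the SOAP envelope in 'doc' with the private key named in the crypto properties.
    public static Document sign(Document doc, String cryptoPropsFile) throws Exception {
        // Loading the Crypto object sets up the keystore, but it does NOT tell the
        // signer which key to use; that is the step the API page leaves out.
        Crypto crypto = CryptoFactory.getInstance(cryptoPropsFile);

        // Read the alias and key password from the same file and hand them to the signer.
        Properties props = new Properties();
        try (FileInputStream in = new FileInputStream(cryptoPropsFile)) {
            props.load(in);
        }
        String alias = props.getProperty(ALIAS_PROP);
        String keyPassword = props.getProperty(ALIAS_PW_PROP);
        if (alias == null || keyPassword == null) {
            throw new IllegalStateException("crypto properties must define "
                    + ALIAS_PROP + " and " + ALIAS_PW_PROP);
        }

        // Fail with a clear message instead of the NullPointerException raised inside
        // Merlin.getCertificates() when the alias does not resolve to a certificate chain.
        java.security.cert.X509Certificate[] chain = crypto.getCertificates(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain for alias '" + alias + "'");
        }

        WSSignEnvelope signer = new WSSignEnvelope();
        signer.setUserInfo(alias, keyPassword);   // must happen before build()
        return signer.build(doc, crypto);
    }
}
```

As Hamid notes, the encrypt object needs the same treatment: give it the alias through its setUserInfo() before calling build().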
Comments
I think the fault comes from developers not being anonymous in the OSS world.
Having just wasted the entire day dealing with Word crashing out on me, I would love to send the entire team a page full of abuse. As it is, I can't, as I don't know the dev team's email address.
Posted by: Steve Loughran | May 20, 2005 05:07 PM
Hi davs,
I agree that the author of the email spoke very lightly about writing his own implementation if he had the time. Heh, we all know the difference between using a spec implementation, and _writing_ a spec implementation.
I know that you're usually prompt in answering posts. I'm only wondering at the language that Hamid may have used when asking his questions on the WSS4J mailing list.
Incidentally, I'd faced similar experiences years ago when I'd started to embed Tomcat into a Swing app. This was Tomcat 4.0.1 being written by Craig and NOT many developers were really familiar with its internals. I myself was a Java newbie.
Though I didn't get responses from the developers ever, I did not write them off as being rude.
I've seen your posts on Harmony, Geronimo, and even on TC-dev. Please keep up the good work.
-- Sriram
Posted by: Sriram N | May 21, 2005 12:06 AM
Hi. I can share this experience with you. I had a question about ActiveMQ over HTTP and no developer gave me a hint. I posted my question into the ActiveMQ newsgroup, TSS and regular newsgroup. No answer. Disappointing. BTW: The ActiveMQ docu is horrific ...
Christian
Posted by: Christian | May 21, 2005 02:34 AM
Just for clarification, this is the original mail Hamid sent to my company E-mail account. No other receiver was given:
Hi Werner,
I am trying to use WSS4J API to programmatically encrypt and/or sign SOAP messages (as explained at the end of the article http://ws.apache.org/ws-fx/wss4j/api.html). I get the following exception:
Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
java.lang.NullPointerException
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineGetCertificateChain (Unknown Source)
at java.security.KeyStore.getCertificateChain(Unknown Source)
at org.apache.ws.security.components.crypto.Merlin.getCertificates(Merlin.java:469)
at org.apache.ws.security.message.WSSignEnvelope.build(WSSignEnvelope.java:249)
My certificates are self-signed and are in a PKCS12 keystore. It seems that the code breaks when trying to load the keystore, as if it tries to locate the root certificate or CA certificate… (this is my guess only).
Please help.
Thanks,
Hamid.
-- Werner
Posted by: Werner | May 23, 2005 02:16 AM