Implicit namespace declaration of <Signature/> causes XPathStylesheetDOM3Exception ---------------------------------------------------------------------------------- Key: WFLY-9075 URL: https://issues.jboss.org/browse/WFLY-9075 Project: WildFly Issue Type: Bug Affects Versions: 11.0.0.Beta1 Reporter: Jiri Ondrusek Assignee: Jiri Ondrusek A web service secured by WS-trust/SAML STS is deployed on EAP6.4.x. If the namespace of `<Signature/>` in an assersion in a webservice request is declared implicitly like: <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <CanonicalizationMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"... <SignatureMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" URI="#ID_57501112-83ce-41fe-828c-d538b13432e6"> it throws XPathStylesheetDOM3Exception as follows: 20:13:15,332 ERROR [org.picketlink.common] (http-/127.0.0.1:8080-2) Unexpected error: javax.xml.xpath.XPathExpressionException: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: null at org.apache.xpath.jaxp.XPathImpl.evaluate(XPathImpl.java:295) at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.getX509Certificate(SAMLTokenCertValidatingCommonLoginModule.java:465) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1] at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.validateSAMLCredential(SAMLTokenCertValidatingCommonLoginModule.java:421) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1] at org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule.login(SAMLTokenCertValidatingCommonLoginModule.java:276) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_102] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_102] at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_102] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_102] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_102] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [rt.jar:1.8.0_102] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_102] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_102] at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_102] at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:424) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1] at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:363) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1] at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:351) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1] at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:156) [picketbox-infinispan-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1] at org.picketlink.trust.jbossws.handler.AbstractWSAuthenticationHandler.handleInbound(AbstractWSAuthenticationHandler.java:83) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1] at org.picketlink.trust.jbossws.handler.AbstractPicketLinkTrustHandler.handleMessage(AbstractPicketLinkTrustHandler.java:259) [picketlink-jbas7-2.5.4.SP4-redhat-1.jar:2.5.4.SP4-redhat-1] at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.java:359) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.java:255) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvoker.java:132) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.jboss.wsf.stack.cxf.interceptor.HandlerAuthInterceptor$JBossWSHandlerChainInvoker.invokeProtocolHandlers(HandlerAuthInterceptor.java:114) at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandlerInterceptor.java:169) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:124) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:71) [cxf-rt-frontend-jaxws-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:97) at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:131) at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.14.redhat-1.jar:2.7.14.redhat-1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2] at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136) at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.3.1.Final-redhat-1.jar:2.3.1.Final-redhat-1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102] Caused by: org.apache.xpath.domapi.XPathStylesheetDOM3Exception: Prefix must resolve to a namespace: null at org.apache.xpath.compiler.XPathParser.errorForDOM3(XPathParser.java:655) at org.apache.xpath.compiler.Lexer.mapNSTokens(Lexer.java:647) at org.apache.xpath.compiler.Lexer.tokenize(Lexer.java:274) at org.apache.xpath.compiler.Lexer.tokenize(Lexer.java:98) at org.apache.xpath.compiler.XPathParser.initXPath(XPathParser.java:112) at org.apache.xpath.XPath.<init>(XPath.java:178) at org.apache.xpath.XPath.<init>(XPath.java:266) at org.apache.xpath.jaxp.XPathImpl.eval(XPathImpl.java:195) at org.apache.xpath.jaxp.XPathImpl.evaluate(XPathImpl.java:281) ... 52 more