1

I have a web services app developed using CXF 2.7.13. When I deploy on my local Tomcat instance, everything works, but when switching to a glassfish 4 instance, I get the following exception:

java.lang.RuntimeException: Cannot create a secure XMLInputFactory
    at org.apache.cxf.staxutils.StaxUtils.createXMLInputFactory(StaxUtils.java:315)
    at org.apache.cxf.staxutils.StaxUtils.getXMLInputFactory(StaxUtils.java:265)
    at org.apache.cxf.staxutils.StaxUtils.createXMLStreamReader(StaxUtils.java:1701)
    at org.apache.cxf.interceptor.StaxInInterceptor.handleMessage(StaxInInterceptor.java:123)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:318)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
    at java.lang.Thread.run(Thread.java:722)]]

From what I've read, it seems Woodstox api (woodstox-core-asl.jar) dependency from CXF is conflicting with glassfish's own version of the library. CXF uses Woodstox 4.4.1 while my glassfish 4 instance, I've checked, uses 4.1.2.

So my first attempt was to try and exclude CXF's dependency and declare my own Woodstox 4.1.2 dependency on my POM in order for everyone to use the same version. But this didn't solve the problem.

I also tried straight up removing this dependency from my POM and checked it's not included in the WAR before deploying, also to no avail (same exception).

I've only managed to deploy on glassfish by removing the .jar from the modules dir of the server, but this is somehting I cannot do on my production servers, by requirement.

Is there anything else I can try?

M Rajoy
  • 4,028
  • 14
  • 54
  • 111

3 Answers3

2

It was so easy and I am ashamed I've spent 5 hours trying to solve with maven while it was on the official documentation page (http://cxf.apache.org/docs/application-server-specific-configuration-guide.html):

CXF Interceptors will not work in Glassfish without this sun-web.xml file to configure the classloader. By default, Glassfish will use Metro for JAX-WS services so the classloader needs to be configured to allow CXF libraries to provide JAX-WS services. The following sun-web.xml xml source was added to /WEB-INF to resolve this issue:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE sun-web-app PUBLIC
'-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet
 2.5//EN' 'http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd>
 <sun-web-app> <class-loader delegate="false"/> </sun-web-app>
M Rajoy
  • 4,028
  • 14
  • 54
  • 111
2

i was facing the same issue but deploying it to web sphere, and after a research of few hours figured out the exact version for woodstox, i.e. below

<dependency>
    <groupId>org.codehaus.woodstox</groupId>
    <artifactId>woodstox-core-asl</artifactId>
    <version>4.2.0</version>
</dependency>

This https://bugs.eclipse.org/bugs/show_bug.cgi?id=409070 link also helped to figured it out.

Aamir
  • 655
  • 1
  • 8
  • 27
1

Please prefer to implement kelmers answer to not open security holes!

Depending on the security requirements of your application you could use the org.apache.cxf.stax.allowInsecureParser option.

From the documentation

There is a "org.apache.cxf.stax.allowInsecureParser" System Property that can be set to true to allow using an insecure parser, but that is HIGHLY not recommended

But I think you are better of consulting the glassfish documentation on how to override/exclude system libs for specific deployments.

Community
  • 1
  • 1
SpaceTrucker
  • 13,377
  • 6
  • 60
  • 99