Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[metro-dev] Issue in metro webservices-rt - Nullpointer in failing WS security header check
  • From: "Mikko Nurmi (Nokia)" <mikko.nurmi@xxxxxxxxx>
  • Date: Fri, 2 Feb 2024 10:45:18 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=X2l8r+0XtYO+qnjMezdTcB1h44Gf/dR3AMhSXFFezdA=; b=Jdlq1BLXbSvm9Lpy7pXcLmp5b8U/um2Cxt35e4HhuwjxcJOvQ4N4Lbt24fiLubGMC9EZNBZjnla0eEFN452IgWMFEAS/PAHt5mU8UR/VXngpvNlX3BtxL/jiyn9LBrp6gDeC0xOiiqdxAcsAmLznJbtZq4ol/GlkyT2wyZJbjVH7pL1mdG/4yCQHG/FaiatclesBPDA9JRf1f2OeqVhXMWTuDcF128XDN4DXosVkF92dKQ4dUYc8GvYO+W7trVa4eUcqOKLj5ZOwCJrXjIwgE8e9/1KIZTaXMcyOykAGtneVfWH9MiU441xSG43fTGg0Wt/bHOmOMPI8199hW5yMoQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=gUPOH8tMHMaqWC5EZXZdErl3Yqi4CG03q/EcmmiZtUn5RY3qoJELiO7rcpnuwlC10fL2c8PNOZjurE7soUTkT2yvl28KFoZqGdxr0WvMjXLTJY3t2yeNuNF7yuw7g7ZF3WTeVlbLfGqvQcxpXngQVTn36e+d8fQbiKtLI9Kz64Jzy8Rx+cHPWDzqz9U6kHR9VoifZZt2XPHBOHKfCdSnTWqNV/bg4E4QLNOen5lmgE4ZliMEvEfH606YuEgSpEVgiQpe/0ThFJYexr1Wo+XZnY7qmEMFP0gZM7a3uKlAQt6aTyG/lPmjxO4BpYXJ0obTRi4dyysiSUS8Ei9e6W53WA==
  • Delivered-to: metro-dev@xxxxxxxxxxx
  • List-archive: <>
  • List-help: <>
  • List-subscribe: <>, <>
  • List-unsubscribe: <>, <>
  • Thread-index: AdpVwVPN6gFOsf1+S0KaXMkrO0hNbA==
  • Thread-topic: Issue in metro webservices-rt - Nullpointer in failing WS security header check



I just recently subscribed to this mailing list, so hoping this is the correct place to post such questions.


We have just updated to using Metro webservices 2.4.10. There seems to be an issue when sending WS security header with for example false password. Any other issue with the security header seems to behave in the same way. In the application logs this seems to be correctly handled initially, but on the client side we receive a NullPointerException as a response:

<S:Envelope xmlns:S=>


    <S:Fault xmlns:ns4=>





        <S:Text xml:lang="en">Cannot invoke "" because "policy" is null</S:Text>






In the application logs this is shown correctly:

SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Authentication of Username Password Token Failed
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(
        at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest( 


Cases where security header is valid are working and also this error case used to produce a proper error to the client in the older versions. I have made some analysis myself and this seems to boil down to class ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/jaxws/impl/ where nullity of policy variable is not correctly checked in method initializeOutgoingProcessingContext:


            if (policy != null) {



            if (isTrustMessage(packet)) {



            // set the policy, issued-token-map, and extraneous properties


            if (isSCMessage || policy.getAlgorithmSuite() != null) {

                //override the binding level suite


            } else {




Is there a change to have this checked and fixed in upcoming versions? I didn’t find any way for reporting this issue.



Mikko Nurmi


Back to the top