Opensaml Classpath issues

[Jürgen Weber]

We have a Spring Boot application using opensaml (pulled in by
spring-ws-security:jar:2.4.0). This works as standalone Spring Boot App,
but not in a web container like Tomcat.

I found out, that this is a classpath order problem. Spring boot has a well
defined classpath defined bei pom dependencies, whereas the jar order in
WEB-INF/lib is rather random (really it is defined by java.io.File.list()).

Actually, our application works on Tomcat/Linux, if I put a hyphen at the
start of the filename of xmltooling-1.3.2-1.jar

Looks like -xmltooling-1.3.2-1.jar goes before opensaml-core-3.1.1.jar in
the webapp classpath.

Both jars contain a schema-config.xml which is loaded by
Class.getResourceAsStream, so whichever is first in the classpath gets
loaded first.

Unfortunately, they contain different definitions, e.g.

<ObjectProvider qualifiedName="xs:anyType">

<BuilderClass className="org.opensaml.xml.schema.impl.XSAnyBuilder" />

and
<ObjectProvider qualifiedName="xs:anyType">
 <BuilderClass className="org.opensaml.core.xml.schema.impl.XSAnyBuilder"/>

If the wrong one (opensaml-core-3.1.1.jar) is picked first, this results in
a nasty ClassCastException: org.opensaml.core.xml.schema.impl.XSAnyBuilder
cannot be cast to org.opensaml.xml.XMLObjectBuilder

One solution that should work, is building a fat ueber-jar containing all
opensaml jars, by unzipping all jars into a folder (in reverse pom
classpath order) and re-jaring it.

Is there a less drastic way to solve the problem?

Thanks,
Juergen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180326/3c5d0cc5/attachment.html>