Hey,

I have a problem with the security of a WebService I designed:

I run an application server (Sun Java System Application Server Platform 
Edition 8.1_01) that runs a few Web Services who have access to 
Enterprise Java Beans. On the same machine Sun's Java WebService 
Development Pack 1.6 is installed (because the wscompile tool included 
with the AppServer didn't support the -security option).

A standalone javaclient (for testing purposes also running on the same 
machine) accesses this webservices using static stubs, created by 
wscompile. All this works great, till I turn on the -security option of 
wscompile. Everything still compiles, yet at the first message my client 
tries to send at the server a SecurityException is generated:

java.lang.SecurityException: sealing violation: can't seal the package 
com.sun.xml.wss: allready loaded.

This package is inluded in xws-security.jar and indeed this jar file 
does exist twice on my system (once with the appserver and once with the 
JWSDP), but the classpath always points to the first one (I think). I'm 
rather sure that the two jar files are the same version.

I allready tried deleting one of the jars and I tried turning the 
'sealed' statement false for both... without result.

Has anyone an idea how to solve this? This application should be secure 
by the end of this week and I've ran out of ideas.

Thanks in advance,

Thomas

T. wrote:
> Hey,
> 
> I have a problem with the security of a WebService I designed:
> 
> I run an application server (Sun Java System Application Server Platform 
> Edition 8.1_01) that runs a few Web Services who have access to 
> Enterprise Java Beans. On the same machine Sun's Java WebService 
> Development Pack 1.6 is installed (because the wscompile tool included 
> with the AppServer didn't support the -security option).
> 
> A standalone javaclient (for testing purposes also running on the same 
> machine) accesses this webservices using static stubs, created by 
> wscompile. All this works great, till I turn on the -security option of 
> wscompile. Everything still compiles, yet at the first message my client 
> tries to send at the server a SecurityException is generated:
> 
> java.lang.SecurityException: sealing violation: can't seal the package 
> com.sun.xml.wss: allready loaded.
> 

For the interested: after hours of research I've found the answer and 
now it seams ridiculously simple:

When some jars are loaded more than once, they can give a sealing 
violation. I had a classpath for wscompile (appserver classpath), one 
for javac (libs + my build dir) and one for java (libs, build dir and 
some jars for look and feel).
The sealing violation now is avoided by each time just using the 
appserver classpath and extending it with the appopriate jars, instead 
of creating a new classpath for each purpose. This way each jar is 
loaded just once and the packages can be sealed.

Problem solved,

T.