Details
-
Suggestion
-
Resolution: Fixed
Description
If the Trusted Application feature is not working and the following is seen
WARN [atlassian.seraph.filter.TrustedApplicationsFilter] Failed to login trusted application: confluence1234567 due to:
com.atlassian.security.auth.trustedapps.InvalidCertificateException: TestTrustedApplicationClient.id
cause: java.lang.SecurityException: JCE cannot authenticate the provider BC
This may be due to ClassLoader problems. We have seen this on Resin 2.x for example. To diagnose you can [turn on DEBUG logging|link] for the com.atlassian.seraph package to see the stack trace in the log. If the following is shown:
Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC at javax.crypto.Cipher.getInstance(DashoA12275) at javax.crypto.Cipher.getInstance(DashoA12275) at com.atlassian.security.auth.trustedapps.BouncyCastleEncryptionProvider.decodeEncryptedCertificate(BouncyCastleEncryptionProvider.java:123) ... 29 more Caused by: java.util.jar.JarException: Class is on the bootclasspath at javax.crypto.SunJCE_d.a(DashoA12275) at javax.crypto.SunJCE_b.b(DashoA12275) at javax.crypto.SunJCE_b.a(DashoA12275) ... 32 more
and the bcprov jar is definitely not on the boot class path, the problem is caused by an errant ClassLoader that defines the class without providing a valid ProtectionDomain object. Essentially, security provider classes must be loaded using the correct ClassLoader method.
The solution is to add the Bouncy Castle security provider jar to the application server classpath. For Resin this means to add bcprov-jdk14-138.jar to the server/lib directory.