In our application, we are trying to upgrade to Spring boot 2, We are using spring-security-saml2-core:1.0.4.RELEASE, while running application we are getting following exception. It seems, there are two jars xmltooling-1.4.6 and opensaml-core-3.3.0 on classpaath, who have same file default-config.xml. In this case a classloader happens to put opensaml-core-3.3.0 ahead of xmltooling-1.4.6.jar and wrong default-config.xml getting loaded

<ObjectProviders>
        <ObjectProvider qualifiedName="xt:DEFAULT">
        <BuilderClass className="org.opensaml.core.xml.schema.impl.XSAnyBuilder"/>
        <MarshallingClass className="org.opensaml.core.xml.schema.impl.XSAnyMarshaller"/>
        <UnmarshallingClass className="org.opensaml.core.xml.schema.impl.XSAnyUnmarshaller"/>
    </ObjectProvider>  </ObjectProviders> 

java.lang.ClassCastException: org.opensaml.core.xml.schema.impl.XSAnyBuilder cannot be cast to org.opensaml.xml.XMLObjectBuilder
        at org.opensaml.xml.XMLConfigurator.initializeObjectProviders(XMLConfigurator.java:236)
        at org.opensaml.xml.XMLConfigurator.load(XMLConfigurator.java:182)
        at org.opensaml.xml.XMLConfigurator.load(XMLConfigurator.java:166)
        at org.opensaml.xml.XMLConfigurator.load(XMLConfigurator.java:143)
        at org.opensaml.DefaultBootstrap.initializeXMLTooling(DefaultBootstrap.java:203)
        at org.opensaml.DefaultBootstrap.initializeXMLTooling(DefaultBootstrap.java:186)
        at org.opensaml.DefaultBootstrap.bootstrap(DefaultBootstrap.java:92)
        at org.opensaml.PaosBootstrap.bootstrap(PaosBootstrap.java:27)
        at org.springframework.security.saml.SAMLBootstrap.postProcessBeanFactory(SAMLBootstrap.java:42).

Can somebody help here. Please..

Refer https://issues.shibboleth.net/jira/browse/OSJ-152

opensaml V2 version uses xmltooling.jar.

opensaml V3 version uses opensaml-soap-impl.jar which has different package name compared to xmltooling.jar

Example:

• opensaml-soap-impl.jar uses --> org.opensaml.core.xml.XMLObjectBuilder

• xmltooling.jar uses --> org.opensaml.xml.XMLObjectBuilder

Root causue: your classpath has both v2 and v3 versions of opensaml. This is reason for classcast exception.

Solution:

Ideally you don't need to have both versions of opensaml. it might happen accidentally due to maven dependency management. Remove one of them.

1. If your code base compatible with opensamlv2 version and if you don't want to upgrade, please exclude opesamlv3 jars as below.
2. Otherwise upgrade your codebase to compatible with v3 version and remove opensamlV2 related jars