Quarkus-rest-jaxb deserializing XML content will result in deserialisation ambiguity

[mmiccoli]

Describe the bug

I'm trying to migrate the Quarkus resteasy dependencies to rest (reactive).
My app needs accept SOAP server calls and perform SOAP client calls.
The SOAP payload contains security headers, for that reason I need this library: quarkus-cxf-rt-ws-security

I'm currently facing an XML deserialization issue

Now I have the following dependencies:

<dependencies>

        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-rest</artifactId>
            <version>3.15.1</version>
        </dependency>
       
        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-rest-jackson</artifactId>
            <version>3.15.1</version>
        </dependency>

        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-rest-jaxb</artifactId>
            <version>3.15.1</version>
        </dependency>

        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-rest-client-jaxb</artifactId>
            <version>3.15.1</version>
        </dependency>

        <dependency>
            <groupId>io.quarkiverse.cxf</groupId>
            <artifactId>quarkus-cxf</artifactId>
            <version>3.15.2</version>
        </dependency>

        <dependency>
            <groupId>io.quarkiverse.cxf</groupId>
            <artifactId>quarkus-cxf-rt-ws-security</artifactId>
            <version>3.15.2</version>
        </dependency>

        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-rest-client</artifactId>
            <version>3.15.1</version>
        </dependency>

        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-rest-client-jackson</artifactId>
            <version>3.15.1</version>
        </dependency>
...
</dependencies>

Expected behavior

The incoming SOAP messages should be deserialized.

Actual behavior

At runtime when the app tries to deserialize an XML content it will throw those exceptions below, they seem related to the security headers.

2024-11-21 11:00:17,571 WARN  [com.xxx.gro.ao.mp.xx.res.exc.GeneralExceptionMapper] (executor-thread-1) org.glassfish.jaxb.runtime.v2.runtime.IllegalAnnotationsException: 74 counts of IllegalAnnotationExceptions
Two classes have the same XML type name "{http://www.w3.org/2000/09/xmldsig#}ObjectType". Use @XmlType.name and @XmlType.namespace to assign different names to them.
	this problem is related to the following location:
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.ObjectType
		at public jakarta.xml.bind.JAXBElement org.apache.cxf.ws.security.sts.provider.model.xmldsig.ObjectFactory.createObject(org.apache.cxf.ws.security.sts.provider.model.xmldsig.ObjectType)
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.ObjectFactory
		at protected java.util.List org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformType.content
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformType
		at protected java.util.List org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformsType.transform
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformsType
		at protected org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformsType org.apache.cxf.ws.security.sts.provider.model.xmldsig.RetrievalMethodType.transforms
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.RetrievalMethodType
	this problem is related to the following location:
		at org.apache.xml.security.binding.xmldsig.ObjectType
		at public jakarta.xml.bind.JAXBElement org.apache.xml.security.binding.xmldsig.ObjectFactory.createObject(org.apache.xml.security.binding.xmldsig.ObjectType)
		at org.apache.xml.security.binding.xmldsig.ObjectFactory
		at protected java.util.List org.apache.xml.security.binding.xmldsig.X509DataType.x509IssuerSerialOrX509SKIOrX509SubjectName
		at org.apache.xml.security.binding.xmldsig.X509DataType
The element name {http://www.w3.org/2000/09/xmldsig#}Object has more than one mapping.
	this problem is related to the following location:
		at public jakarta.xml.bind.JAXBElement org.apache.xml.security.binding.xmldsig.ObjectFactory.createObject(org.apache.xml.security.binding.xmldsig.ObjectType)
		at org.apache.xml.security.binding.xmldsig.ObjectFactory
		at protected java.util.List org.apache.xml.security.binding.xmldsig.X509DataType.x509IssuerSerialOrX509SKIOrX509SubjectName
		at org.apache.xml.security.binding.xmldsig.X509DataType
	this problem is related to the following location:
		at public jakarta.xml.bind.JAXBElement org.apache.cxf.ws.security.sts.provider.model.xmldsig.ObjectFactory.createObject(org.apache.cxf.ws.security.sts.provider.model.xmldsig.ObjectType)
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.ObjectFactory
		at protected java.util.List org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformType.content
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformType
		at protected java.util.List org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformsType.transform
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformsType
		at protected org.apache.cxf.ws.security.sts.provider.model.xmldsig.TransformsType org.apache.cxf.ws.security.sts.provider.model.xmldsig.RetrievalMethodType.transforms
		at org.apache.cxf.ws.security.sts.provider.model.xmldsig.RetrievalMethodType`


The element name {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Expires has more than one mapping.
	this problem is related to the following location:
		at public jakarta.xml.bind.JAXBElement org.apache.wss4j.binding.wsu10.ObjectFactory.createExpires(org.apache.wss4j.binding.wsu10.AttributedDateTime)
		at org.apache.wss4j.binding.wsu10.ObjectFactory
	this problem is related to the following location:
		at public jakarta.xml.bind.JAXBElement org.apache.cxf.ws.security.sts.provider.model.utility.ObjectFactory.createExpires(org.apache.cxf.ws.security.sts.provider.model.utility.AttributedDateTime)
		at org.apache.cxf.ws.security.sts.provider.model.utility.ObjectFactory
		at protected java.util.List org.apache.cxf.ws.security.sts.provider.model.utility.TimestampType.any
		at org.apache.cxf.ws.security.sts.provider.model.utility.TimestampType
Two classes have the same XML type name "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}AttributedURI". Use @XmlType.name and @XmlType.namespace to assign different names to them.
	this problem is related to the following location:
		at org.apache.cxf.ws.security.sts.provider.model.utility.AttributedURI
		at public org.apache.cxf.ws.security.sts.provider.model.utility.AttributedURI org.apache.cxf.ws.security.sts.provider.model.utility.ObjectFactory.createAttributedURI()
		at org.apache.cxf.ws.security.sts.provider.model.utility.ObjectFactory
		at protected java.util.List org.apache.cxf.ws.security.sts.provider.model.utility.TimestampType.any
		at org.apache.cxf.ws.security.sts.provider.model.utility.TimestampType
	this problem is related to the following location:
		at org.apache.wss4j.binding.wsu10.AttributedURI
		at public org.apache.wss4j.binding.wsu10.AttributedURI org.apache.wss4j.binding.wsu10.ObjectFactory.createAttributedURI()
		at org.apache.wss4j.binding.wsu10.ObjectFactory

Two classes have the same XML type name "{http://www.w3.org/2005/08/addressing}EndpointReferenceType". Use @XmlType.name and @XmlType.namespace to assign different names to them.
	this problem is related to the following location:
		at org.apache.cxf.ws.addressing.EndpointReferenceType
		at public jakarta.xml.bind.JAXBElement org.apache.cxf.ws.security.sts.provider.model.ObjectFactory.createIssuer(org.apache.cxf.ws.addressing.EndpointReferenceType)
		at org.apache.cxf.ws.security.sts.provider.model.ObjectFactory
		at protected java.util.List org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType.any
		at org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType
	this problem is related to the following location:
		at jakarta.xml.ws.wsaddressing.W3CEndpointReference

	at org.glassfish.jaxb.runtime.v2.runtime.IllegalAnnotationsException$Builder.check(IllegalAnnotationsException.java:83)
	at org.glassfish.jaxb.runtime.v2.runtime.JAXBContextImpl.getTypeInfoSet(JAXBContextImpl.java:421)
	at org.glassfish.jaxb.runtime.v2.runtime.JAXBContextImpl.<init>(JAXBContextImpl.java:255)
	at org.glassfish.jaxb.runtime.v2.runtime.JAXBContextImpl$JAXBContextBuilder.build(JAXBContextImpl.java:1115)
	at org.glassfish.jaxb.runtime.v2.ContextFactory.createContext(ContextFactory.java:144)
	at org.glassfish.jaxb.runtime.v2.JAXBContextFactory.createContext(JAXBContextFactory.java:44)
	at jakarta.xml.bind.ContextFinder.find(ContextFinder.java:373)
	at jakarta.xml.bind.JAXBContext.newInstance(JAXBContext.java:605)
	at io.quarkus.jaxb.runtime.JaxbContextProducer.createJAXBContext(JaxbContextProducer.java:80)
	... 25 more

How to Reproduce?

Reproducer:

• Add the dependencies described above to your Quarkus application.
• Build a SOAP endpoint
• Call this SOAP
  endpoint

Output of uname -a or ver

No response

Output of java -version

21

Quarkus version or git rev

3.15

Build tool (ie. output of mvnw --version or gradlew --version)

3.9.2 (Maven)

Additional information

No response

[quarkus-bot]

/cc @gsmet (jaxb)

[geoand]

I wonder if @ppalaga has any insights on this one

[ppalaga]

@mmiccoli thanks for the detailed report. This is a known problem in case you use Quarkus CXF in combination with quarkus-rest-jaxb and you inject the default JAXBContext somewhere in your app. There is some additional info in #31646

To mitigate the issue you may need one or more of the following:

• Decide whether you need the default JAXBContext that suffers from this issue because it automatically includes all classes with JAXB annotations. A custom JAXBContext with small well defined set of classes included would perhaps work better for you?
• Exclude one or both (if you do not need them) classes of the conflicting pair from the default JAXBContext using quarkus.jaxb.exclude-classes - see https://quarkus.io/guides/rest#xml-serialisation
• If you are absolutely sure that you won't serialize/deserialize any of the conflicting classes in your JAXBContext, you may disable the validation altogether though quarkus.jaxb.validate-jaxb-context=false. This might be risky and I would not recommend this option.