Java 7u25, OpenAM, and "Cannot resolve element with ID"

Not too long ago, Oracle released Java 7 update 25, which is an important security update. Unfortunately, they made a change in XML that affects the parsing of ID attributes. This broke our SAML authenticator, OpenAM 10.1, and lots of other products that perform XML processing of IDs. We fixed our SAML authenticator by finding the attribute with the name of ID and then calling this piece of code.

    element.setIdAttribute("ID", true);

Note the "proper" way to do this is by adding a Schema to validate against. Unfortunately, doing this caused every authentication attempt to take about 15 seconds while all the schemas were fetched from the web. Yes, we could have pulled all the schemas local and made all the changes so they could be found locally but we are under a time crunch.
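The ID-marking workaround described above, as an added example that is not our authenticator's actual code: it walks a parsed document, registers every attribute named ID so getElementById can resolve it, and prints the lookup before and after. The class name, the sample XML, the duplicate-ID rejection and the DOCTYPE restriction are assumptions added for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class MarkIdAttributes {
    // Register every attribute literally named "ID" as an XML ID so that
    // Document.getElementById() can resolve it without schema validation.
    static void markIds(Document doc) {
        Set<String> seen = new HashSet<String>();
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!e.hasAttribute("ID")) continue;
            // Added hardening (assumption, not from the post): refuse duplicate
            // ID values, otherwise a reference could resolve to the wrong element.
            if (!seen.add(e.getAttribute("ID"))) {
                throw new IllegalStateException("duplicate ID: " + e.getAttribute("ID"));
            }
            e.setIdAttribute("ID", true);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, trimmed to the two elements that carry an ID.
        String xml = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_resp1\">"
                + "<saml:Assertion ID=\"_assert1\"/></samlp:Response>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Added hardening (assumption): reject any DOCTYPE so a DTD cannot
        // declare ID attributes or entities behind our back.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        // Without a schema or DTD, no attribute is typed as ID yet.
        System.out.println("before: " + doc.getElementById("_assert1"));
        markIds(doc);
        System.out.println("after:  " + doc.getElementById("_assert1").getTagName());
    }
}
```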

OpenAM and others have not fixed their products yet so the only alternative was to roll back Java to update 21. We run OpenAM on a 64-bit Ubuntu server using the OpenJDK. Here's what we did to roll back our OpenJDK to update 21 to get OpenAM working again.

  1. We used Firefox to go to http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-7/ and download the following files to a temp folder:
    • icedtea-7-jre-jamvm_7u21-2.3.9-1ubuntu1_amd64.deb
    • openjdk-7-jre-headless_7u21-2.3.9-1ubuntu1_amd64.deb
    • openjdk-7-jre-lib_7u21-2.3.9-1ubuntu1_all.deb
  2. Stopped our Tomcat 6 service with the following command:
    service tomcat6 stop
  3. Downgraded the OpenJDK by changing directory to the folder where we downloaded the 3 packages and using this command:
    dpkg -i icedtea-7-jre-jamvm_7u21-2.3.9-1ubuntu1_amd64.deb openjdk-7-jre-headless_7u21-2.3.9-1ubuntu1_amd64.deb openjdk-7-jre-lib_7u21-2.3.9-1ubuntu1_all.deb
  4. Prevented APT from upgrading the packages again using the following commands:
    apt-mark hold icedtea-7-jre-jamvm
    apt-mark hold openjdk-7-jre-headless
    apt-mark hold openjdk-7-jre-lib
  5. Restarted our Tomcat 6 service with the following command:
    service tomcat6 start

Hopefully, this will help someone else save a little time.