[prev in list] [next in list] [prev in thread] [next in thread]
List: xml-security-dev
Subject: RE: XML security seems to be not thread safe...Please Help
From: "Hess Yvan" <Yvan.Hess () imtf ! ch>
Date: 2006-07-07 8:59:21
Message-ID: 487CFB40212D29498A776BD39F714D84B95D60 () srvexch ! IMTF ! LOCAL
[Download RAW message or body]
My question was more in the sense ot know if this new version is a bug
fixing version or a refactoring version.
I tested your new jars in the following context:
1) Standalone Junit test classes for XML encryption and signature
(single thread).
2) Multi-thread application test using XML encryption and signature:
The two test results were OK including backward compatibility and
multi-threading access.
Thanks for your help. Regards Yvan Hess
PS: Do you have a roadmap for the publication of this new version ?
-----Original Message-----
From: raul.benito.garcia@gmail.com [mailto:raul.benito.garcia@gmail.com]
On Behalf Of Raul Benito
Sent: jeudi, 6. juillet 2006 12:05
To: security-dev@xml.apache.org
Subject: Re: XML security seems to be not thread safe...Please Help
If you mean by stable no known bugs then it is stable.
If you mean real world testing then I don't known. Remember that 1.3 was
mark stable with the bug you got. And it goes with several betas & rc.
You can see the changelog at the end.
But the main changes are thread related, I'm not expecting real
problems. But testing in different machines and load will stress the
code.
The changelog states:
New in v...
Fixed bug 38668: Add XMLCipher.encryptData method that takes
serialized data as parameter (mullan)
Fixed bug 39273: JSR 105 DOMCryptoContext.setIdAttributeNS not
working
when validating signatures (mullan)
Fixed bug 38405: ElementProxy.length() is not working (Java)
(mullan)
Fixed bug 37708: Different behaviour with NodeSet and RootNode
with
InclusiveNamespaces (mullan)
Fixed bug 37456: Signing throws an exception if custom resource
resolver is registered (mullan)
Fixed bug 38655
Fixed bug 38444.
Fixed bug 38605.
Fixed bug 39200
Refactored the way keyresolver works instead of calling
canResolve/resolveX only resolveX is used
and if it returns null it means it cannot resolve.
Minor Optimizations.
Lazy fields initialization, initialize with null and
create the object only when needed
Registered Class reorder, in several parts the library
contains a list of workers
that are asked if it can solve a problem. Now
the one that said yes is move to the front
wishing that the next time it also hits.
API Change: Make Transform & TransformSpi reusable between
threads.
remove setTransform(Transform t) method in TransformSpi
and pass
the Transform object in enginePerformTransfor methods.
Fixed bug 39685: bugs reported by findbugs (mullan)
Added support for SHA256 & SHA512 DigestMethods to JSR 105.
(mullan)
Fix JSR 105 unmarshaling bug: now recognizes PGPData. (mullan)
Optimization to not create instances of Signature or
MessageDigest objects, but mantain one for thread.
Also don't change the key if it was already used. (raul)
On 7/6/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> OK I will try this version and give you a feedback.... One question
> about this version. It is a beta0 version and I would like to no if it
> is stable because I have to use it in productive system.
>
> Regards. Yvan
>
> -----Original Message-----
> From: raul.benito.garcia@gmail.com
> [mailto:raul.benito.garcia@gmail.com]
> On Behalf Of Raul Benito
> Sent: mercredi, 5. juillet 2006 18:19
> To: security-dev@xml.apache.org
> Subject: Re: XML security seems to be not thread safe...Please Help
>
> Hi Hess,
> You have be hit by the infamous 38605 bug.
> http://issues.apache.org/bugzilla/show_bug.cgi?id=38605
>
> You can obtain a beta of the new 1.4 release that will fix this
> problem
> here:
> http://xml.apache.org/security/dist/java-library/xmlsec-1.4.Beta0.jar
>
> And you can help debugging the next version, so it does not happen the
> same problem again.
>
> Regards
>
> On 7/5/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> >
> >
> >
> > It seems that XML Apache security (Version 1.3) is not thread safe.
> > Here what I am doing and the errors encountered:
> >
> >
> >
> > I sign XML documents using XML apache security and just after a
> > document has been signed it is verified (signature verification)
> > using
>
> > XML apache security. One thread treats one XML document after
another.
> >
> >
> >
> > I have two kinds of errors that appear randomly:
> >
> >
> >
> > 1) I got a null pointer from XML Apache security
> >
> >
> >
> > Message: null
> > Class: java.lang.NullPointerException Stack trace:
> > java.lang.NullPointerException
> > at
> > org.apache.xml.security.keys.keyresolver.implementations.X509Certifi
> > ca teResolver.engineResolveX509Certificate(Unknown
> > Source)
> > at
> > org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Cert
> > if
> > icate(Unknown
> > Source)
> > at
> > org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticRes
> > ol
> > vers(Unknown
> > Source)
> > at
> > org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown
> > Source)
> > at
> > com.imtf.atlas.sphinx2.xmlsig.Verifier.verify(Verifier.java:646)
> >
> >
> >
> > 2) The verification failed saying that the XML document is not
> > valid/corrupted (not the hash but the signature itself according
> > the Apache log).
> >
> >
> >
> > If I run the same test in a single environment (all documents are
> > treated by only on thread), I never got an error.
> >
> >
> >
> > Can somebody help me to resolve the problem? It is critical problem
> > because our application failed and we have to work in a multi-thread
> environment.
> >
> >
> >
> > Thanks for your answer. Yvan Hess
> >
> >
> >
> > Yvan Hess
> >
> > Chief software architect
> >
> > http://www.imtf.com
> >
> >
>
>
> --
> http://r-bg.com
>
--
http://r-bg.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic