Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2011/04/20 11:44:06 UTC
[jira] [Resolved] (SANTUARIO-253)
org.apache.xml.security.utils.resolver.ResourceResolver is not thread safe
[ https://issues.apache.org/jira/browse/SANTUARIO-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved SANTUARIO-253.
-------------------------------------------
Resolution: Fixed
> org.apache.xml.security.utils.resolver.ResourceResolver is not thread safe
> --------------------------------------------------------------------------
>
> Key: SANTUARIO-253
> URL: https://issues.apache.org/jira/browse/SANTUARIO-253
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 1.4.4
> Environment: Irrelevant - the bug is fully portable.
> Reporter: Krzysztof Benedyczak
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Fix For: Java 1.4.5
>
> Attachments: santuario-253.patch
>
>
> Here are additional details, but hopefully the title is enough.
> My library is using xmlsec to sign and verify xml signatures. Sometimes I get the following exception when invoking DOMXMLSignature.sign():
> javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI #SAMLblahblah and Base null
> which is caused by an exception thrown in ResourceResolver.getInstance(Attr uri, String BaseURI) (last line).
> This is clearly a bug as ResolverFragment is a correct resolver for the reported URI (and my implementation is working 99,x% of the time).
> I'm pretty sure that the cause is in the aforementioned method getInstance(). ResourceResolver maintains a static Vector which is modified at runtime: during initialization (it is a bug, but from a practical PoV not that severe) and unfortunately also in the getInstance() method, which is a problem. When two threads call it, the vector might be permuted by the first thread while the latter is iterating over it.
> Please notice that it can't be fixed in any code using your library as the method is public and static and also called many times from xmlsec itself. Even if I synchronized each and every call to xmlsec API (forgetting for a moment about terrible performance loss) I'd have no guarantee that other code in my final app won't use your library directly.
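The failure mode reported above can be reproduced with a small model that puts a racy lookup beside a thread-safe one. This is an added example, not code from xmlsec or from the attached santuario-253.patch: the move-to-front reordering is an assumed reading of "permuted", the copy-on-write list is one possible fix, and the class name, predicates and sample URIs are hypothetical.

```java
import java.util.*;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.*;
public class ResolverRaceDemo {
    // Hypothetical stand-ins for resolvers: each is just a "can I resolve this URI?" test.
    static final List<Predicate<String>> REGISTERED = List.of(
        u -> u.startsWith("#"), u -> u.startsWith("http:"), u -> u.startsWith("file:"));

    // Racy model (assumption): shared static Vector, reordered (move-to-front) during lookup.
    static final Vector<Predicate<String>> RACY = new Vector<>(REGISTERED);
    static Predicate<String> lookupRacy(String uri) {
        for (int i = 0; i < RACY.size(); i++) {
            Predicate<String> r = RACY.get(i);   // each call locks; the loop as a whole does not
            if (r.test(uri)) {
                if (i != 0) { RACY.remove(i); RACY.add(0, r); }   // permutes shared state
                return r;
            }
        }
        return null;                             // surfaces as "Could not find a resolver"
    }

    // Fixed model: lookups iterate a snapshot and never write to the shared list.
    static final List<Predicate<String>> SAFE = new CopyOnWriteArrayList<>(REGISTERED);
    static Predicate<String> lookupSafe(String uri) {
        for (Predicate<String> r : SAFE) if (r.test(uri)) return r;
        return null;
    }

    // 8 threads of lookups; counts misses and index errors for URIs that must resolve.
    static int failures(Function<String, Predicate<String>> lookup) throws InterruptedException {
        String[] uris = {"#SAMLid", "http://example.test/x", "file:/tmp/x"};   // constructed
        AtomicInteger failed = new AtomicInteger();
        Thread[] ts = new Thread[8];
        for (int t = 0; t < ts.length; t++) {
            ts[t] = new Thread(() -> {
                for (int n = 0; n < 200_000; n++) {
                    try { if (lookup.apply(uris[n % 3]) == null) failed.incrementAndGet(); }
                    catch (RuntimeException e) { failed.incrementAndGet(); }
                }
            });
            ts[t].start();
        }
        for (Thread t : ts) t.join();
        return failed.get();
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("racy model failures:  " + failures(ResolverRaceDemo::lookupRacy));
        System.out.println("fixed model failures: " + failures(ResolverRaceDemo::lookupSafe));
    }
}
```

On a multi-core machine the racy count is typically non-zero and varies between runs, while the fixed model reports zero. For signature verification, an intermittent resolver miss of this kind means a valid signature can be rejected under load.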