Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2011/04/20 11:44:06 UTC

[jira] [Resolved] (SANTUARIO-253) org.apache.xml.security.utils.resolver.ResourceResolver is not thread safe

     [ https://issues.apache.org/jira/browse/SANTUARIO-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved SANTUARIO-253.
-------------------------------------------

    Resolution: Fixed

> org.apache.xml.security.utils.resolver.ResourceResolver is not thread safe
> --------------------------------------------------------------------------
>
>                 Key: SANTUARIO-253
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-253
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: Java 1.4.4
>         Environment: Irrelevant - the bug is fully portable.
>            Reporter: Krzysztof Benedyczak
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>             Fix For: Java 1.4.5
>
>         Attachments: santuario-253.patch
>
>
> Here are additional details, but hopefully the title is enough.
> My library is using xmlsec to sign and verify xml signatures. Sometimes I get the following exception when invoking DOMXMLSignature.sign():
> javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI #SAMLblahblah and Base null
> which is caused by an exception thrown in ResourceResolver.getInstance(Attr uri, String BaseURI) (last line).
> This is clearly a bug, as ResolverFragment is a correct resolver for the reported URI (and my implementation is working 99,x% of the time).
> I'm pretty sure that the cause is in the aforementioned method getInstance(). ResourceResolver maintains a static Vector which is modified at runtime: during initialization (it is a bug, but from a practical PoV not that severe) and unfortunately also in the getInstance() method, which is a problem. When two threads call it, the vector might be permuted by the first thread while the latter is iterating over it.
> Please note that it can't be fixed in any code using your library, as the method is public and static and is also called many times from xmlsec itself. Even if I synchronized each and every call to the xmlsec API (forgetting for a moment about the terrible performance loss), I'd have no guarantee that other code in my final app won't use your library directly.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
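
The race described in the report, modelled as an added example (not code from the report, the attached patch, or xmlsec itself). The `Resolver` interface, the three stand-in resolvers, the sample URIs and the move-to-front reordering are assumptions made for illustration; the read-only `CopyOnWriteArrayList` lookup is one thread-safe shape, not necessarily what the fix did.

```java
import java.util.List;
import java.util.Vector;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.atomic.AtomicInteger;
public class ResolverRaceDemo {
    interface Resolver { boolean canResolve(String uri); }
    // Constructed stand-ins for registered resolvers (not the xmlsec classes).
    static final Resolver HTTP = u -> u.startsWith("http:");
    static final Resolver FILE = u -> u.startsWith("file:");
    static final Resolver FRAGMENT = u -> u.startsWith("#");
    // Racy shape from the report: a shared static Vector reordered inside the lookup.
    static final Vector<Resolver> racy = new Vector<>(List.of(HTTP, FILE, FRAGMENT));
    static Resolver racyLookup(String uri) {
        for (int i = 0; i < racy.size(); i++) {
            Resolver r = racy.elementAt(i);   // each call is synchronized; the loop is not
            if (r.canResolve(uri)) {
                if (i != 0) {                 // assumed permutation: move the match to the front
                    racy.remove(i);
                    racy.insertElementAt(r, 0);
                }
                return r;
            }
        }
        return null;                          // caller would report "Could not find a resolver"
    }

    // Read-only lookup: nothing is written after registration, so iteration is stable.
    static final List<Resolver> safe = new CopyOnWriteArrayList<>(List.of(HTTP, FILE, FRAGMENT));
    static Resolver safeLookup(String uri) {
        for (Resolver r : safe) if (r.canResolve(uri)) return r;
        return null;
    }

    public static void main(String[] args) throws InterruptedException {
        AtomicInteger racyMisses = new AtomicInteger(), safeMisses = new AtomicInteger();
        Runnable work = () -> {
            for (int n = 0; n < 500_000; n++) {
                String uri = (n % 2 == 0) ? "#SAMLblahblah" : "file:doc.xml"; // constructed URIs
                try { if (racyLookup(uri) == null) racyMisses.incrementAndGet(); }
                catch (RuntimeException e) { racyMisses.incrementAndGet(); }  // index shifted mid-call
                if (safeLookup(uri) == null) safeMisses.incrementAndGet();
            }
        };
        Thread[] ts = { new Thread(work), new Thread(work), new Thread(work), new Thread(work) };
        for (Thread t : ts) t.start();
        for (Thread t : ts) t.join();
        System.out.println("racy misses=" + racyMisses + " safe misses=" + safeMisses);
    }
}
```

The safe count is always 0 because that list is never written after construction; the racy count depends on thread timing, and a miss there corresponds to a lookup failing for a URI that a registered resolver does accept.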