Posted to java-dev@axis.apache.org by ji...@apache.org on 2004/03/21 20:06:58 UTC

[jira] Closed: (AXIS-1243) Usage of XML security (org.apache.xml.security.Init.init()) slows down the performance of Axis Call.invoke

Message:

   The following issue has been closed.

   Resolver: Davanum Srinivas
       Date: Sun, 21 Mar 2004 11:05 AM

This is an xml-security problem. Please follow up with them.
---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/secure/ViewIssue.jspa?key=AXIS-1243

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: AXIS-1243
    Summary: Usage of XML security (org.apache.xml.security.Init.init()) slows down the performance of Axis Call.invoke
       Type: Bug

     Status: Closed
   Priority: Major
 Resolution: WON'T FIX

    Project: Axis
   Versions:
             1.1

   Assignee: 
   Reporter: Ayyappan Gandhirajan

    Created: Sun, 29 Feb 2004 11:27 PM
    Updated: Sun, 21 Mar 2004 11:05 AM
Environment: Windows 2000, Java 1.4, Weblogic 8.1, Axis 1.1, XML security 1.0.5

Description:
Basically, I am trying to use Axis and XML security for securing my webservices. XML security is being used to verify the certificate, which was sent by the client. After successful verification, AXIS will be used to invoke a particular webservice. I have no problem in getting the above things working. My concern is the PERFORMANCE for multiple clients. After authentication is done, Call.invoke of Axis takes more time than it actually takes. The difference is around 5 times. This seems to be a very critical bug. This happened while running multiple clients.

The code snippet for certificate verification is given below:

The handler side
----------------
	static boolean securityInitialized = false;
	public boolean authenticate(String userId, Document requestXMLDoc, X509Certificate userCertFromDB) throws Exception{
		//Init
		if(!securityInitialized){
			Init.init();
			securityInitialized = true;
		}

		//Extract XML signature
		System.out.println("[AuthenticationHandler::authenticate] Finding XML Signature element in the SOAP XML...");
		Element nsctx = requestXMLDoc.createElementNS(null, "nsctx");
		nsctx.setAttributeNS(Constants.NamespaceSpecNS, "xmlns:ds", Constants.SignatureSpecNS);

		CachedXPathAPI xpath = new CachedXPathAPI();
		Element xmlSigElm = null;

		try{
			xmlSigElm = (Element) xpath.selectSingleNode(requestXMLDoc, "//ds:Signature", nsctx);
		}catch(Exception ex){
			System.out.println("[AuthenticationHandler::authenticate] Error while retrieving Dsig. Reason - "+ex.getMessage());
			throw ex;
		}

		if(xmlSigElm == null){
			throw new Exception("The input XML is not signed");
		}

		XMLSignature xmlSig = new XMLSignature(xmlSigElm, "http://tempuri.org");
		System.out.println("[AuthenticationHandler::authenticate] XML Signature's Base URI - "+xmlSig.getBaseURI());

		//Get certificate
		System.out.println("[AuthenticationHandler::authenticate] Retrieving certificate from XML signature...");
		KeyInfo keyInfo = xmlSig.getKeyInfo();
		X509Certificate userCertFromRequest = (X509Certificate)keyInfo.getX509Certificate();

		boolean isAuthenticated = false;
		System.out.println("[AuthenticationHandler::authenticate] Starting certificate verification...");
		if(userCertFromRequest.equals(userCertFromDB)){
			System.out.println("[AuthenticationHandler::authenticate] Checking signature value...");
			isAuthenticated = xmlSig.checkSignatureValue(userCertFromRequest.getPublicKey());
		}else{
			throw new Exception("Invalid user accessing service");
		}

		return isAuthenticated;
	}


The back end component side
-----------------------------
		Call call = new Call("http://localhost:7001/axis/services/YellowPage");
		Object[] values = new Object[]{new Integer(number)};
		System.out.println("[AuthenticationHandler::invoke] Invoking...");
		Object result = call.invoke("", "getName",  values);
		System.out.println("[AuthenticationHandler::invoke] Result is - "+result);


