santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Werner Dittmann <Werner.Dittm...@t-online.de>
Subject Re: circumventBug2650 - Memory footprint
Date Thu, 22 Sep 2005 19:23:11 GMT
Sean,

we try to keep up with the leading edge of the xml-sec (1.2.96).
However, once upon a time it was necessary to return a node set AFAIK.

Regards,
Werner

Sean Mullan wrote:
> What version of XMLSec are you using?
> 
> Also, don't return an XPath node-set of all the nodes of the element's
> subtree. By doing this, you will not take advantage of the optimizations
> in the XMLSec library when canonicalizing subtrees and it could also be
> the reason you need to invoke circumventBug2650 (Raul will probably know
> for sure). Instead return an XMLSignatureInput(element) and let the
> XMLSec library handle the rest.
> 
> --Sean
> 
> Werner Dittmann wrote:
> 
>> Raul,
>>
>> in WSS4J we do Signatures. During the Id resolver we call the circumvent
>> method. AFAIK we do not use XPath to select the nodes to sign, just id
>> references. After locating the element to sign the resolver constructs
>> a node set of all nodes to sign. This node set of course includes
>> all nodes (elements, attributes, text, ...).
>>
>> However, when I disable the call of the circumvent method I
>> get probelms in signature verification. Thus IMHO it is not so easy just
>> to switch off the circumvent method.
>> Thus if we don't use the circumvent method: is it possible that we do
>> not get all required namespace attributes when build the node set?
>>
>> Regards,
>> Werner
>>
>> Raul Benito wrote:
>>
>>> Don't use any xpath transformation. Select what you want to sign with:
>>>
>>> <Reference URI="#whatToSign">..</Reference>
>>> <NodeToBeSigned id="whatToSign">..</NodeToBeSigned>
>>>
>>> In this way , the circumventBug2650 is not called(and other several
>>> optimizations hit). And you can sign bigger documents.
>>>
>>> Using xpath transformation is always one order the magnitude slower.
>>>
>>> You can see some speed considerations form page 12, in this
>>> presentation:
>>> http://r-bg.com/images/SecuringXMLDocuments.pdf
>>>
>>> Regards,
>>>
>>> Raul
>>>
>>> On 9/21/05, John Lanier <xmlsecure@yahoo.com> wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> The circumventBug2650 function in XMLUtils takes up a
>>>> significant amount of memory in adding Attributes to
>>>> each node. Is there any effort underway to rewrite
>>>> this in a more memory-friendly way?
>>>>
>>>> I am unable to sign XML documents larger than about
>>>> 10MB using the current (1.2.x) code base. (Pentium
>>>> III, 500MB Java heap size).
>>>>
>>>> Any pointers from anybody who worked around this bug
>>>> or managed to sign larger XML docs?
>>>>
>>>> Thanks
>>>> ~john
>>>>
>>>>
>>>>
>>>>
>>>> __________________________________
>>>> Yahoo! Mail - PC Magazine Editors' Choice 2005
>>>> http://mail.yahoo.com
>>>>
>>>
>>>
>>>
>>> -- 
>>> http://r-bg.com
>>>
>>
>>
> 
> 


Mime
View raw message