santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Raul Benito" <r...@apache.org>
Subject Re: XML security seems to be not thread safe...Please Help
Date Thu, 06 Jul 2006 10:04:35 GMT
If you mean by stable no known bugs then it is stable.
If you mean real world testing then I don't known. Remember that 1.3
was mark stable with the bug you got. And it goes with several betas &
rc.

You can see the changelog at the end.

But the main changes are thread related, I'm not expecting real
problems. But testing in different machines and load will stress the
code.

The changelog states:
New in v...
	Fixed bug 38668: Add XMLCipher.encryptData method that takes
			 serialized data as parameter (mullan)
	Fixed bug 39273: JSR 105 DOMCryptoContext.setIdAttributeNS not working
			 when validating signatures (mullan)
	Fixed bug 38405: ElementProxy.length() is not working (Java) (mullan)
	Fixed bug 37708: Different behaviour with NodeSet and RootNode with
			 InclusiveNamespaces (mullan)
	Fixed bug 37456: Signing throws an exception if custom resource
			 resolver is registered (mullan)
        Fixed bug 38655
	Fixed bug 38444.
	Fixed bug 38605.
	Fixed bug 39200
		Refactored the way keyresolver works instead of calling
canResolve/resolveX only resolveX is used
		and if it returns null it means it cannot resolve.
	Minor Optimizations.
		Lazy fields initialization, initialize with null and create the
object only when needed
		Registered Class reorder, in several parts the library contains a
list of workers
			that are asked if it can solve a problem. Now the one that said yes
is move to the front
			wishing that the next time it also hits.
	API Change: Make Transform & TransformSpi reusable between threads.	
		remove setTransform(Transform t) method in TransformSpi and pass
		the Transform object in enginePerformTransfor methods.
	Fixed bug 39685: bugs reported by findbugs (mullan)
	Added support for SHA256 & SHA512 DigestMethods to JSR 105. (mullan)
	Fix JSR 105 unmarshaling bug: now recognizes PGPData. (mullan)
	Optimization to not create instances of Signature or MessageDigest
objects, but mantain one for thread.
		Also don't change the key if it was already used. (raul)


On 7/6/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> OK I will try this version and give you a feedback.... One question
> about this version. It is a beta0 version and I would like to no if it
> is stable because I have to use it in productive system.
>
> Regards. Yvan
>
> -----Original Message-----
> From: raul.benito.garcia@gmail.com [mailto:raul.benito.garcia@gmail.com]
> On Behalf Of Raul Benito
> Sent: mercredi, 5. juillet 2006 18:19
> To: security-dev@xml.apache.org
> Subject: Re: XML security seems to be not thread safe...Please Help
>
> Hi Hess,
> You have be hit by the infamous 38605 bug.
> http://issues.apache.org/bugzilla/show_bug.cgi?id=38605
>
> You can obtain a beta of the new 1.4 release that will fix this problem
> here:
> http://xml.apache.org/security/dist/java-library/xmlsec-1.4.Beta0.jar
>
> And you can help debugging the next version, so it does not happen the
> same problem again.
>
> Regards
>
> On 7/5/06, Hess Yvan <Yvan.Hess@imtf.ch> wrote:
> >
> >
> >
> > It seems that XML Apache security (Version 1.3) is not thread safe.
> > Here what I am doing and the errors encountered:
> >
> >
> >
> > I sign XML documents using XML apache security and just after a
> > document has been signed it is verified (signature verification) using
>
> > XML apache security. One thread treats one XML document after another.
> >
> >
> >
> > I have two kinds of errors that appear randomly:
> >
> >
> >
> > 1) I got a null pointer from XML Apache security
> >
> >
> >
> > Message: null
> > Class: java.lang.NullPointerException
> > Stack trace:
> > java.lang.NullPointerException
> >  at
> > org.apache.xml.security.keys.keyresolver.implementations.X509Certifica
> > teResolver.engineResolveX509Certificate(Unknown
> > Source)
> >  at
> > org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certif
> > icate(Unknown
> > Source)
> >  at
> > org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResol
> > vers(Unknown
> > Source)
> >  at
> > org.apache.xml.security.keys.KeyInfo.getX509Certificate(Unknown
> > Source)
> >  at
> > com.imtf.atlas.sphinx2.xmlsig.Verifier.verify(Verifier.java:646)
> >
> >
> >
> > 2) The verification failed saying that the XML document is not
> > valid/corrupted  (not the hash but the signature itself according the
> > Apache log).
> >
> >
> >
> > If I run the same test in a single environment (all documents are
> > treated by only on thread), I never got an error.
> >
> >
> >
> > Can somebody help me to resolve the problem? It is critical problem
> > because our application failed and we have to work in a multi-thread
> environment.
> >
> >
> >
> > Thanks for your answer. Yvan Hess
> >
> >
> >
> > Yvan Hess
> >
> > Chief software architect
> >
> > http://www.imtf.com
> >
> >
>
>
> --
> http://r-bg.com
>


-- 
http://r-bg.com

Mime
View raw message