Catalin Enache created CXF-8070:
-----------------------------------
Summary: CXF error while signing an attachment over 2GB size
Key: CXF-8070
URL: https://issues.apache.org/jira/browse/CXF-8070
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 3.2.6
Reporter: Catalin Enache
Hello,
We are using Apache CXF 3.2.6 and WSS4J 2.2.2 as WS-Security implementation in
our project in order to sign, encrypt and send SOAP messages.
The current implementation is 'SOAP with Attachments/MIME parts' and we cannot
switch to MTOM.
1. We have tried to sign, encrypt and send an attachment larger than 2 GB but
we received the following error:
{noformat}
2019-06-27 16:30:59,322 [] [default]
[[email protected]] ERROR
e.d.e.s.UserMessageSender:162 - Error sending message
[[email protected]]
java.lang.OutOfMemoryError: Required array size too large
at java.io.BufferedInputStream.fill(BufferedInputStream.java:227)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
at java.io.FilterInputStream.read(FilterInputStream.java:107)
at
org.apache.xml.security.stax.ext.XMLSecurityUtils.copy(XMLSecurityUtils.java:463)
at
org.apache.xml.security.stax.impl.transformer.TransformIdentity.transform(TransformIdentity.java:184)
at
org.apache.wss4j.stax.impl.transformer.AttachmentContentSignatureTransform.transform(AttachmentContentSignatureTransform.java:110)
at
org.apache.wss4j.stax.impl.processor.output.WSSSignatureOutputProcessor.digestExternalReference(WSSSignatureOutputProcessor.java:211)
at
org.apache.xml.security.stax.impl.processor.output.AbstractSignatureOutputProcessor.doFinalInternal(AbstractSignatureOutputProcessor.java:82)
at
org.apache.wss4j.stax.impl.processor.output.WSSSignatureOutputProcessor.processEvent(WSSSignatureOutputProcessor.java:138)
at
org.apache.xml.security.stax.ext.AbstractOutputProcessor.processNextEvent(AbstractOutputProcessor.java:133)
at
org.apache.xml.security.stax.impl.OutputProcessorChainImpl.processEvent(OutputProcessorChainImpl.java:212)
at
org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.chainProcessEvent(XMLSecurityStreamWriter.java:62)
at
org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.outputOpenStartElement(XMLSecurityStreamWriter.java:83)
at
org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.writeEndElement(XMLSecurityStreamWriter.java:164)
at org.apache.cxf.staxutils.StaxUtils.copy(StaxUtils.java:762)
at org.apache.cxf.staxutils.StaxUtils.copy(StaxUtils.java:722)
at
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:214)
at
org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:537)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:446)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:361)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:354)
at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:322)
at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:241)
at eu.domibus.ebms3.sender.MSHDispatcher.dispatch(MSHDispatcher.java:61)
at
eu.domibus.ebms3.sender.MSHDispatcher$$FastClassBySpringCGLIB$$105974a1.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at
org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
at
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671)
at
eu.domibus.ebms3.sender.MSHDispatcher$$EnhancerBySpringCGLIB$$d1cb6add.dispatch(<generated>)
at
eu.domibus.ebms3.sender.AbstractUserMessageSender.sendMessage(AbstractUserMessageSender.java:140)
at
eu.domibus.ebms3.sender.AbstractUserMessageSender$$FastClassBySpringCGLIB$$9b7953e7.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at
org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:84)
at
eu.domibus.common.metrics.MetricsAspect.surroundWithATimer(MetricsAspect.java:38)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:627)
at
org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:616)
at
org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168)
at
org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:84)
at
eu.domibus.common.metrics.MetricsAspect.surroundWithACounter(MetricsAspect.java:54)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:627)
at
org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:616)
at
org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168)
at
org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
at
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168)
at
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671)
{noformat}
2. Modifying an existing JUnit from WSS4J sources
(org.apache.wss4j.stax.test.AttachmentTest) to sign an attachment over 2GB we
are getting quite the same error:
{noformat}
Connected to the target VM, address: '127.0.0.1:10317', transport: 'socket'
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
at java.util.Arrays.copyOf(Arrays.java:3332)
at
java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:448)
at java.lang.StringBuilder.append(StringBuilder.java:136)
at
org.apache.xml.security.stax.impl.util.DigestOutputStream.write(DigestOutputStream.java:64)
at
org.apache.wss4j.common.util.CRLFOutputStream.write(CRLFOutputStream.java:71)
at
org.apache.xml.security.stax.ext.XMLSecurityUtils.copy(XMLSecurityUtils.java:475)
at
org.apache.xml.security.stax.impl.transformer.TransformIdentity.transform(TransformIdentity.java:179)
at
org.apache.wss4j.stax.impl.transformer.AttachmentContentSignatureTransform.transform(AttachmentContentSignatureTransform.java:108)
at
org.apache.wss4j.stax.impl.transformer.AttachmentCompleteSignatureTransform.transform(AttachmentCompleteSignatureTransform.java:51)
at
org.apache.wss4j.stax.impl.processor.output.WSSSignatureOutputProcessor.digestExternalReference(WSSSignatureOutputProcessor.java:212)
at
org.apache.xml.security.stax.impl.processor.output.AbstractSignatureOutputProcessor.doFinalInternal(AbstractSignatureOutputProcessor.java:95)
at
org.apache.wss4j.stax.impl.processor.output.WSSSignatureOutputProcessor.processEvent(WSSSignatureOutputProcessor.java:139)
at
org.apache.xml.security.stax.ext.AbstractOutputProcessor.processNextEvent(AbstractOutputProcessor.java:133)
at
org.apache.xml.security.stax.impl.OutputProcessorChainImpl.processEvent(OutputProcessorChainImpl.java:217)
at
org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.chainProcessEvent(XMLSecurityStreamWriter.java:62)
at
org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.outputOpenStartElement(XMLSecurityStreamWriter.java:83)
at
org.apache.xml.security.stax.impl.XMLSecurityStreamWriter.writeCharacters(XMLSecurityStreamWriter.java:302)
at
org.apache.wss4j.stax.test.utils.XmlReaderToWriter.write(XmlReaderToWriter.java:88)
at
org.apache.wss4j.stax.test.utils.XmlReaderToWriter.writeAll(XmlReaderToWriter.java:36)
at
org.apache.wss4j.stax.test.AttachmentTest.testMultipleAttachmentCompleteSignature_Catalin(AttachmentTest.java:474)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:628)
at
org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:117)
at
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$7(TestMethodTestDescriptor.java:184)
at
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor$$Lambda$208/651802632.execute(Unknown
Source)
at
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
at
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:180)
at
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:127)
{noformat}
3. Then checking the source code, we saw that there is a hardcoded limitation
to 2GB:
WSSSignatureOutputProcessor class from wss4j-ws-security-stax.jar which is used
for sign the attachments has a hardcoded limit of 2GB to accept:
line 198:
{code:java}
DigestOutputStream digestOutputStream =
createMessageDigestOutputStream(signaturePartDef.getDigestAlgo());
InputStream inputStream = attachment.getSourceStream();
if (!inputStream.markSupported()) {
inputStream = new BufferedInputStream(inputStream);
}
inputStream.mark(Integer.MAX_VALUE); //we can process at
maximum 2G with the standard jdk streams
{code}
Question is: there is a fix/solution in order to send more than 2GB for a
single attachment?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
