[ https://issues.apache.org/jira/browse/RAMPART-337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Erik Ostermueller updated RAMPART-337:
--------------------------------------
Attachment: RAMPART-337.zip
We've run into this issue also with axis 1.4 and rampart 1.6. This eventually
fills up the entire heap, leading to a crash.
The following link looks like the same problem.
http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/201003.mbox/%[email protected]%3E
I've attached RAMPART-337.zip to this JIRA.
This contains our configuration files:
RAMPART-337_client.axis2.xml
RAMPART-337_ClientServicePolicy.xml
..and a patch to work around the problem (RAMPART-337_work-around-patch.zip)
The patch is working for us, but it is not very attractive.
If we have 10 concurrent threads executing, then all 10 are scanning
SimpleTokenStore for expired Tokens. Seems more efficient to have a single
background worker thread doing this.
There is a second "ugly" issue in the patch:
When we first coded the patch, we deleted all EXPIRED tokens, but only when the
count reached a certain threshold (to lower overhead).
When we deleted all tokens, we got this exception:
org.apache.axis2.AxisFault: The signature or decryption was invalid
(Unsupported key identification)
The full stack trace is at the end of this comment.
To fix this, we only deleted the oldest of the EXPIRED tokens.
Interestingly enough, we got this same exception with the following 1-line
version of the patch, which we had to abandon b/c it throws an exception:
{code}
// org/apache/rampart/TokenCallbackHandler.java
public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
        if (callbacks[i] instanceof WSPasswordCallback) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String id = pc.getIdentifer();
            if((pc.getUsage() == WSPasswordCallback.SECURITY_CONTEXT_TOKEN ||
                    pc.getUsage() == WSPasswordCallback.CUSTOM_TOKEN) &&
                    this.store != null) {
                Token tok;
                try {
                    //Pick up the token from the token store
                    tok = this.store.getToken(id);
                    if(tok != null) {
                        //Get the secret and set it in the callback object
                        pc.setKey(tok.getSecret());
                        pc.setCustomToken((Element)tok.getToken());
                        tokenIdentifier = tok.getId();
                        // #########################################################################
                        // #### Adding the above line to rampart 1.6 _looks_ like it will fix RAMPART-337.
                        // #### Unfortunately, it causes the following error.
                        // ####
                        // #### ERROR - The signature or decryption was invalid (Unsupported key identification)
                        // #### org.apache.axis2.AxisFault: The signature or decryption was invalid (Unsupported key identification)
                        // ####     at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
                        // ####     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
                        // ####
                        // #########################################################################
{code}
Here is the full stack trace for the exception:
{code}
ERROR - The signature or decryption was invalid (Unsupported key identification)
org.apache.axis2.AxisFault: The signature or decryption was invalid (Unsupported key identification)
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
    at cardpartnerapi.edo.services.DashboardAPIProxy_v1_1Stub.getAcceptedPrewards(DashboardAPIProxy_v1_1Stub.java:2752)
    at com.fnis.ally.dashboard.DashBoardServicesAction.processgetAcceptedPrewards(Unknown Source)
    at com.sanchez.manager.DebitCardRewardServices.getOfferring_AcceptedPrewards(Unknown Source)
    at com.sanchez.form.DebitCardRewardsForm.getOffers(Unknown Source)
    at com.sanchez.manager.DebitCardRewardServices.getOfferring_AcceptedPrewards(Unknown Source)
    at com.sanchez.form.DebitCardRewardsForm.getOffers(Unknown Source)
    at com.sanchez.controller.DebitCardRewardsAction.unspecified(Unknown Source)
    at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:256)
    at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:194)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
    at com.sanchez.base.SecureRequestProcessor.handleActionPerform(Unknown Source)
    at com.sanchez.base.SecureRequestProcessor.processActionPerform(Unknown Source)
    at com.fnis.ally.auth.SiteMinderRequestProcessor.processActionPerform(Unknown Source)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.sanchez.base.URLSessionIdScrubber.doFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.sanchez.base.LoggerFilter.doFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid (Unsupported key identification)
    at org.apache.ws.security.processor.ReferenceListProcessor.getKeyFromSecurityTokenReference(ReferenceListProcessor.java:332)
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:160)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:111)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:74)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:150)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    ... 44 more
{code}
> Possible memory leak in the STS implementation due to the existing mechanism
> of storing tokens.
> ----------------------------------------------------------------------------------------------
>
> Key: RAMPART-337
> URL: https://issues.apache.org/jira/browse/RAMPART-337
> Project: Rampart
> Issue Type: Improvement
> Reporter: Hasini Gunasinghe
> Attachments: RAMPART-337.zip
>
>
> In the current implementation issued tokens are stored in a TokenStore and
> retiring tokens from the token store is not taken into consideration which
> can lead to an out of memory situation after some time.
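The single background sweeper suggested in the comment above, as an added Java example; it is not part of the original message, the attached work-around patch, or Rampart's code. `ReapedTokenStore`, `Stored`, `graceMillis` and the token ids are hypothetical, and the grace period is an assumption added here: it keeps recently expired tokens resolvable, in the spirit of the comment's choice to delete only the oldest expired tokens.

```java
import java.util.Map;
import java.util.concurrent.*;
// Hypothetical stand-in for a token store; not Rampart's SimpleTokenStore or its API.
public class ReapedTokenStore implements AutoCloseable {
    private static final class Stored {
        final byte[] secret; final long expiresAtMillis;
        Stored(byte[] s, long exp) { secret = s; expiresAtMillis = exp; }
    }
    private final Map<String, Stored> tokens = new ConcurrentHashMap<>();
    private final long graceMillis; // assumption: expired tokens stay resolvable this long
    private final ScheduledExecutorService reaper =
            Executors.newSingleThreadScheduledExecutor(r -> {
                Thread t = new Thread(r, "token-reaper");
                t.setDaemon(true); // the sweeper must not keep the JVM alive
                return t;
            });

    public ReapedTokenStore(long sweepMillis, long graceMillis) {
        this.graceMillis = graceMillis;
        // One background thread sweeps; request threads never scan the map.
        reaper.scheduleWithFixedDelay(() -> sweep(System.currentTimeMillis()),
                sweepMillis, sweepMillis, TimeUnit.MILLISECONDS);
    }
    public void add(String id, byte[] secret, long expiresAtMillis) {
        tokens.put(id, new Stored(secret.clone(), expiresAtMillis));
    }
    public byte[] getSecret(String id) { // constant-time lookup on the request path
        Stored s = tokens.get(id);
        return s == null ? null : s.secret.clone();
    }

    // Removes tokens expired for longer than the grace period; returns how many.
    int sweep(long nowMillis) {
        int removed = 0;
        for (Map.Entry<String, Stored> e : tokens.entrySet())
            if (nowMillis - e.getValue().expiresAtMillis > graceMillis
                    && tokens.remove(e.getKey(), e.getValue())) removed++;
        return removed;
    }
    @Override public void close() { reaper.shutdownNow(); }

    public static void main(String[] args) {
        long now = System.currentTimeMillis(); // ids below are constructed samples
        try (ReapedTokenStore store = new ReapedTokenStore(60_000, 5_000)) {
            store.add("stale", new byte[16], now - 60_000);
            store.add("recent", new byte[16], now - 1_000);
            store.add("live", new byte[16], now + 300_000);
            System.out.println("removed=" + store.sweep(now)
                    + " recentKept=" + (store.getSecret("recent") != null));
        }
    }
}
```

In a servlet container the store should be closed on undeploy so the sweeper thread does not pin the web application's class loader.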