What version of XMLSec are you using?

Also, don't return an XPath node-set of all the nodes of the element's subtree. By doing this, you will not take advantage of the optimizations in the XMLSec library when canonicalizing subtrees and it could also be the reason you need to invoke circumventBug2650 (Raul will probably know for sure). Instead return an XMLSignatureInput(element) and let the XMLSec library handle the rest.

--Sean

Werner Dittmann wrote:
Raul,

in WSS4J we do Signatures. During the Id resolver we call the circumvent
method. AFAIK we do not use XPath to select the nodes to sign, just id
references. After locating the element to sign the resolver constructs
a node set of all nodes to sign. This node set of course includes
all nodes (elements, attributes, text, ...).

However, when I disable the call of the circumvent method I
get problems in signature verification. Thus IMHO it is not so easy just
to switch off the circumvent method.
Thus if we don't use the circumvent method: is it possible that we do
not get all required namespace attributes when building the node set?

Regards,
Werner

Raul Benito wrote:

Don't use any xpath transformation. Select what you want to sign with:

<Reference URI="#whatToSign">..</Reference>
<NodeToBeSigned id="whatToSign">..</NodeToBeSigned>

In this way, the circumventBug2650 is not called (and several other
optimizations hit). And you can sign bigger documents.

Using xpath transformation is always one order of magnitude slower.

You can see some speed considerations from page 12, in this presentation:
http://r-bg.com/images/SecuringXMLDocuments.pdf

Regards,

Raul

On 9/21/05, John Lanier <[EMAIL PROTECTED]> wrote:


Hi,

The circumventBug2650 function in XMLUtils takes up a
significant amount of memory in adding Attributes to
each node. Is there any effort underway to rewrite
this in a more memory-friendly way?

I am unable to sign XML documents larger than about
10MB using the current (1.2.x) code base. (Pentium
III, 500MB Java heap size).

Any pointers from anybody who worked around this bug
or managed to sign larger XML docs?

Thanks
~john








--
http://r-bg.com
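
The Id-reference approach recommended in this thread, as an added example that is not part of the original messages: it uses the JDK's standard javax.xml.crypto.dsig API rather than the org.apache.xml.security classes discussed above, and the sample document, class name and throwaway RSA key are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class IdReferenceSigning {
    public static void main(String[] args) throws Exception {
        // Constructed sample; element and id names follow the snippet in the thread.
        String xml = "<Envelope><NodeToBeSigned id=\"whatToSign\">payload</NodeToBeSigned></Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));

        // Without a DTD or schema, "id" is not of type ID: register it so "#whatToSign" resolves.
        Element target = (Element) doc.getElementsByTagName("NodeToBeSigned").item(0);
        target.setIdAttribute("id", true);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Same-document Id reference: the element subtree is canonicalized directly,
        // with no XPath transform and no hand-built node set.
        Reference ref = fac.newReference("#whatToSign",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(
                        fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway demo key

        // The Signature element is appended as the last child of the root element.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));

        // Verify: the validator resolves "#whatToSign" through the registered ID attribute.
        Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sig);
        System.out.println("valid=" + fac.unmarshalXMLSignature(vc).validate(vc));
    }
}
```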



