https://issues.apache.org/bugzilla/show_bug.cgi?id=44956

           Summary: Concurrent creation of an XMLSignature instance produces
                    an ArrayIndexOutOfBoundsException
           Product: Security
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: [EMAIL PROTECTED]


We are having problems with an org.apache.xml.security.signature.XMLSignature
instance creation in a multi-threaded environment: sometimes an
ArrayIndexOutOfBoundsException is thrown:

java.lang.ArrayIndexOutOfBoundsException: 38
at java.util.ArrayList.add(Unknown Source)
at org.apache.xml.security.keys.KeyInfo.<init>(Unknown Source)
at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
...

The XMLSignature constructor being used is:
public XMLSignature(Element element, String BaseURI)

Looking further at the sources I found out that:
1. The KeyInfo constructor being invoked by the XMLSignature constructor must
be public KeyInfo(Element element, String BaseURI) (XMLSignature:297).
2. The exact line producing the exception must be _storageResolvers.add(null)
(KeyInfo:123).
3. Upon the creation, the _storageResolvers variable of *each* KeyInfo instance
holds a reference to the *single* static nullList variable (KeyInfo:1067).
Thus, adding null to that list effectively modifies the single shared ArrayList
instance, while concurrent access and structural modifications of an ArrayList
instance are not allowed.
4. The entire _storageResolvers.add(null) statement seems to be useless and
probably could be simply removed.
5. IMHO, such a strange invention :) as that nullList should be evaluated and
probably removed as well.


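The pattern described in points 2 and 3 of the report, as an added example that is not part of the original report and is not code from the xml-security project. SharedHolder and IsolatedHolder are hypothetical stand-ins for a class whose instances alias one static ArrayList versus one that allocates its own list; the thread and iteration counts are arbitrary.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class SharedListRace {
    // Hypothetical stand-in for the reported pattern: every instance aliases
    // one static list and structurally modifies it in its constructor.
    static class SharedHolder {
        static final List<Object> nullList = new ArrayList<>();
        final List<Object> storageResolvers = nullList;
        SharedHolder() { storageResolvers.add(null); }
    }

    // Per-instance list: construction touches no shared mutable state.
    static class IsolatedHolder {
        final List<Object> storageResolvers = new ArrayList<>();
        IsolatedHolder() { storageResolvers.add(null); }
    }

    // Runs ctor from several threads at once and counts the threads that
    // died with ArrayIndexOutOfBoundsException.
    static int countFailures(Runnable ctor, int threads, int perThread) throws InterruptedException {
        AtomicInteger failures = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                try {
                    start.await(); // release all workers together
                    for (int i = 0; i < perThread; i++) ctor.run();
                } catch (ArrayIndexOutOfBoundsException e) {
                    failures.incrementAndGet();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return failures.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared list failures:   " + countFailures(SharedHolder::new, 8, 200_000));
        System.out.println("isolated list failures: " + countFailures(IsolatedHolder::new, 8, 200_000));
        System.out.println("shared list size after 1600000 adds: " + SharedHolder.nullList.size());
    }
}
```

The race is timing-dependent, so the shared variant may need more than one run to fail. Even when no exception is thrown, the shared list can end up smaller than the number of adds (lost updates), and it grows for the life of the process because every constructed instance appends to it.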