Hi, Werner or anyone.  I am using 1.1 and have the following code:

WSSecurityEngine engine = WSSecurityEngine.getInstance();  
Vector results = engine.processSecurityHeader( indoc, (String) null,
null, crypto );

Is there also a threading issue with calling processSecurityHeader() on
the same instance of WSSecurityEngine?  I hope not.  Otherwise (besides
upgrading), is the solution to just create a new WSSecurityEngine each
time?  Would that be expensive?

Thanks,
Ever

-----Original Message-----
From: Werner Dittmann (JIRA) [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 03, 2006 12:02 PM
To: [email protected]
Subject: [jira] Commented: (WSS-24) Thread safety in WSDoAllReceiver using WSSecEngine

    [ http://issues.apache.org/jira/browse/WSS-24?page=comments#action_12365117 ]

Werner Dittmann commented on WSS-24:
------------------------------------

Thread safety on WSSecurityEngine is a known problem in WSS4J 1.0 and
1.1. This problem is solved in the current WSS4J SVN head.

> Thread safety in WSDoAllReceiver using WSSecEngine
> --------------------------------------------------
>
>          Key: WSS-24
>          URL: http://issues.apache.org/jira/browse/WSS-24
>      Project: WSS4J
>         Type: Bug
>  Environment: Windows 2000, JDK 1.4.2_06, 2 CPU, 2GHz
>     Reporter: Samrat Ketu
>     Assignee: Davanum Srinivas

>
> We have a multi-threaded program that uses Axis and WSS4J to send
> encrypted messages to a web service and decrypts the contents as they
> are received.
> We intermittently face the below exception - like 10 out of 5000
> requests. Typical number of threads running are 10, pumping 10 messages
> per second. As you can see, the problem is happening while decrypting
> the response.
> I was looking into the source code of WSS4J and realized that it could
> be because of
> a. the way session/symmetric key is stored in WSSecEngine
>    (decryptedBytes variable is used to store the session key and it is
>    declared at the class level)
> b. the fact that reference to WSSecEngine is actually a static final
>    variable in WSHandler (which is extended ultimately by WSDoAllReceiver)
> Apparently, all instances of WSDoAllReceiver use the same instance of
> WSSecEngine to do encryption and decryption. And within WSSecEngine, the
> symmetric key is a global variable, so different method invocations to
> decrypt data will overwrite each other's symmetric key.
> Exception is
>     org.apache.ws.security.WSSecurityException: Error Class: org.apache.ws.security.WSSecurityException
>         Cannot encrypt/decrypt data; nested exception is:
>     org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
>         Original Exception was javax.crypto.BadPaddingException: pad block corrupted
>             org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested exception is:
>             org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
>     Original Exception was javax.crypto.BadPaddingException: pad block corrupted
>         at org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine.java:1226)
>         at org.apache.ws.security.WSSecurityEngine.handleEncryptedKey(WSSecurityEngine.java:1171)
>         at org.apache.ws.security.WSSecurityEngine.handleEncryptedKey(WSSecurityEngine.java:926)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:349)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
>         at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:156)
>         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:190)
>         at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
>         at org.apache.axis.client.Call.invoke(Call.java:2748)
>         at org.apache.axis.client.Call.invoke(Call.java:2424)
>         at org.apache.axis.client.Call.invoke(Call.java:2347)
>         at org.apache.axis.client.Call.invoke(Call.java:1804)
>         ....
>         ....
>         Caused by: org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
>         Original Exception was javax.crypto.BadPaddingException: pad block corrupted
>         at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
>         at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source)
>         at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unknown Source)
>         at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
>         at org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine.java:1224)
>         ... 17 more

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
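
The failure pattern described in the quoted WSS-24 report, reduced to a self-contained sketch: one engine instance shared by ten threads keeps the per-message session key in an instance field, next to a variant that keeps it in a local variable. This is an added example, not WSS4J code; the class and method names are hypothetical, only the field name `decryptedBytes` comes from the report, and a key comparison stands in for the real decryption step.

```java
import java.util.Arrays;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;

public class SharedKeyRace {
    /** Mirrors the reported pattern: per-message key kept in an instance field. */
    static class UnsafeEngine {
        private byte[] decryptedBytes;              // shared by every caller of this instance
        boolean process(byte[] messageKey) {
            decryptedBytes = messageKey.clone();    // step 1: unwrap the session key
            Thread.yield();                         // widen the window between the steps
            // step 2: "decrypt" succeeds only if the field still holds this message's key
            return Arrays.equals(decryptedBytes, messageKey);
        }
    }

    /** Same two steps, but the key never leaves the calling thread's stack. */
    static class SafeEngine {
        boolean process(byte[] messageKey) {
            byte[] sessionKey = messageKey.clone();
            Thread.yield();
            return Arrays.equals(sessionKey, messageKey);
        }
    }

    /** Runs 10 threads x 5000 messages and counts messages processed with a foreign key. */
    static int wrongKeyCount(Predicate<byte[]> engine) throws InterruptedException {
        int threads = 10, perThread = 5000;
        AtomicInteger wrong = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int t = 0; t < threads; t++) {
            final byte[] key = new byte[16];
            Arrays.fill(key, (byte) t);             // constructed: one distinct key per thread
            pool.execute(() -> {
                for (int i = 0; i < perThread; i++)
                    if (!engine.test(key)) wrong.incrementAndGet();
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return wrong.get();
    }

    public static void main(String[] args) throws InterruptedException {
        UnsafeEngine shared = new UnsafeEngine();   // one instance for all threads
        System.out.println("shared field:   " + wrongKeyCount(shared::process));
        System.out.println("local variable: " + wrongKeyCount(new SafeEngine()::process));
    }
}
```

The shared-field count varies from run to run because it depends on thread scheduling; the local-variable count is always 0. In the real engine a mismatch of this kind would surface as the decryption failure shown in the quoted stack trace rather than as a counter.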

