Me again...
I just had a look inside WSSecurityEngine.java (in 1.1) and it doesn't
seem like there are any threading issues if all the SOAP message has is a
signature, that is, no encryption of any kind. My application only does
signatures. The condition:
    } else if (el.equals(ENCRYPTED_KEY)) {
is never true. That's where handleEncryptedKey() is called.
Am I safe then? Or are there other possible issues that I missed?
Thanks,
Ever
-----Original Message-----
From: Olano, Ever [mailto:[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 2:02 PM
To: [email protected]
Subject: RE: [jira] Commented: (WSS-24) Thread safety in WSDoAllReceiver using WSSecEngine
k... just looked at the stack trace... and processSecurityHeader() is
there.
Now, my question is, does this issue apply to all calls to
processSecurityHeader() or only to certain scenarios?
-----Original Message-----
From: Olano, Ever [mailto:[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 1:58 PM
To: Werner Dittmann (JIRA); [email protected]
Subject: RE: [jira] Commented: (WSS-24) Thread safety in WSDoAllReceiver using WSSecEngine
Hi, Werner or anyone. I am using 1.1 and have the following code:
    WSSecurityEngine engine = WSSecurityEngine.getInstance();
    Vector results = engine.processSecurityHeader(indoc, (String) null, null, crypto);
Is there also a threading issue with calling processSecurityHeader() on
the same instance of WSSecurityEngine? I hope not. Otherwise (besides
upgrading), is the solution to just create a new WSSecurityEngine each
time? Would that be expensive?
Thanks,
Ever
-----Original Message-----
From: Werner Dittmann (JIRA) [mailto:[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 12:02 PM
To: [email protected]
Subject: [jira] Commented: (WSS-24) Thread safety in WSDoAllReceiver using WSSecEngine
[ http://issues.apache.org/jira/browse/WSS-24?page=comments#action_12365117 ]
Werner Dittmann commented on WSS-24:
------------------------------------
Thread safety on WSSecurityEngine is a known problem in WSS4J 1.0 and
1.1. This problem is solved in the current WSS4J SVN head.
> Thread safety in WSDoAllReceiver using WSSecEngine
> --------------------------------------------------
>
> Key: WSS-24
> URL: http://issues.apache.org/jira/browse/WSS-24
> Project: WSS4J
> Type: Bug
> Environment: Windows 2000, JDK 1.4.2_06, 2 CPU, 2GHz
> Reporter: Samrat Ketu
> Assignee: Davanum Srinivas
>
> We have a multi-threaded program that uses Axis and WSS4J to send
> encrypted messages to a web service and decrypts the contents as they
> are received.
> We intermittently face the below exception - like 10 out of 5000
> requests. Typical number of threads running are 10, pumping 10 messages
> per second. As you can see, the problem is happening while decrypting
> the response.
> I was looking into the source code of WSS4J and realized that it could
> be because of
> a. the way session/symmetric key is stored in WSSecEngine
>    (decryptedBytes variable is used to store the session key and it is
>    declared at the class level)
> b. the fact that reference to WSSecEngine is actually a static final
>    variable in WSHandler (which is extended ultimately by WSDoAllReceiver)
> Apparently, all instances of WSDoAllReceiver use the same instance of
> WSSecEngine to do encryption and decryption. And within WSSecEngine, the
> symmetric key is a global variable, so different method invocations to
> decrypt data will overwrite each other's symmetric key.
> Exception is
> org.apache.ws.security.WSSecurityException: Error Class: org.apache.ws.security.WSSecurityException
> Cannot encrypt/decrypt data; nested exception is:
> org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> Original Exception was javax.crypto.BadPaddingException: pad block corrupted
> org.apache.ws.security.WSSecurityException: Cannot encrypt/decrypt data; nested exception is:
> org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> Original Exception was javax.crypto.BadPaddingException: pad block corrupted
>     at org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine.java:1226)
>     at org.apache.ws.security.WSSecurityEngine.handleEncryptedKey(WSSecurityEngine.java:1171)
>     at org.apache.ws.security.WSSecurityEngine.handleEncryptedKey(WSSecurityEngine.java:926)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:349)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
>     at org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java:156)
>     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:190)
>     at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
>     at org.apache.axis.client.Call.invoke(Call.java:2748)
>     at org.apache.axis.client.Call.invoke(Call.java:2424)
>     at org.apache.axis.client.Call.invoke(Call.java:2347)
>     at org.apache.axis.client.Call.invoke(Call.java:1804)
> ....
> ....
> Caused by: org.apache.xml.security.encryption.XMLEncryptionException: pad block corrupted
> Original Exception was javax.crypto.BadPaddingException: pad block corrupted
>     at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
>     at org.apache.xml.security.encryption.XMLCipher.decryptElement(Unknown Source)
>     at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unknown Source)
>     at org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source)
>     at org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine.java:1224)
>     ... 17 more
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
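
Added example (not part of the original thread and not WSS4J source): a minimal Java model of the pattern the WSS-24 report describes, where one engine instance shared by all threads keeps the session key in an instance field, next to the same logic with the key held in a local variable. Only the field name decryptedBytes comes from the report; the class, the method names and the AES/CBC setup are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import javax.crypto.Cipher;
import javax.crypto.spec.*;

// Added illustration: a simplified model of the reported pattern, not WSS4J source.
public class SharedKeyRaceDemo {
    static final byte[] PLAIN = "constructed sample payload".getBytes();
    private byte[] decryptedBytes;   // session key in an instance field, as the report describes
    static byte[] aes(int mode, byte[] key, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(new byte[16])); // fixed IV: demo only
        return c.doFinal(in);
    }
    byte[] decryptShared(byte[] sessionKey, byte[] ct) throws Exception {
        decryptedBytes = sessionKey;   // store the key in the shared field
        Thread.yield();                // widen the window in which another thread can overwrite it
        return aes(Cipher.DECRYPT_MODE, decryptedBytes, ct);   // may now use another thread's key
    }
    byte[] decryptLocal(byte[] sessionKey, byte[] ct) throws Exception {
        Thread.yield();
        return aes(Cipher.DECRYPT_MODE, sessionKey, ct);       // key never leaves this call's stack
    }
    interface Decryptor { byte[] run(byte[] key, byte[] ct) throws Exception; }
    static int failures(Decryptor d, int threads, int perThread) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger bad = new AtomicInteger();
        for (int t = 0; t < threads; t++) {
            byte[] key = new byte[16];
            new SecureRandom().nextBytes(key);               // each thread gets its own session key
            byte[] ct = aes(Cipher.ENCRYPT_MODE, key, PLAIN);
            pool.submit(() -> {
                for (int i = 0; i < perThread; i++) {
                    try { if (!Arrays.equals(d.run(key, ct), PLAIN)) bad.incrementAndGet(); }
                    catch (Exception e) { bad.incrementAndGet(); }   // typically BadPaddingException
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.MINUTES);
        return bad.get();
    }
    public static void main(String[] args) throws Exception {
        SharedKeyRaceDemo engine = new SharedKeyRaceDemo();  // one instance shared by every thread
        System.out.println("shared field: " + failures(engine::decryptShared, 10, 500) + " failed");
        System.out.println("local key:    " + failures(engine::decryptLocal, 10, 500) + " failed");
    }
}
```

Run with `java SharedKeyRaceDemo.java` on Java 11 or later. The shared-field count varies between runs because it depends on thread scheduling, while the local-key count stays at 0.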