The threading issue is a only when using encryption. Signature, Usernametoken handling is ok.
To get a fresh instance every time don't use "getInstance" do "new WSSecurityEngine()" and this is fast because the constructor does nothing. Regards, Werner Olano, Ever wrote: > Hi, Werner or anyone. I am using 1.1 and have the following code: > > WSSecurityEngine engine = WSSecurityEngine.getInstance(); > Vector results = engine.processSecurityHeader( indoc, (String) null, > null, crypto ); > > Is there also a threading issue with calling processSecurityHeader() on > the same instance of WSSecurityEngine? I hope not. Otherwise (besides > upgrading), is the solution to just create a new WSSecurityEngine each > time? Would that be expensive? > > Thanks, > Ever > > -----Original Message----- > From: Werner Dittmann (JIRA) [mailto:[EMAIL PROTECTED] > Sent: Friday, February 03, 2006 12:02 PM > To: [email protected] > Subject: [jira] Commented: (WSS-24) Thread safety in WSDoAllReceiver > using WSSecEngine > > [ > http://issues.apache.org/jira/browse/WSS-24?page=comments#action_1236511 > 7 ] > > Werner Dittmann commented on WSS-24: > ------------------------------------ > > Thread safety on WSSecurityEngine is a known problem in WSS4J 1.0 and > 1.1. This problem > is solved in the current WSS4J SVN head. > > >>Thread safety in WSDoAllReceiver using WSSecEngine >>-------------------------------------------------- >> >> Key: WSS-24 >> URL: http://issues.apache.org/jira/browse/WSS-24 >> Project: WSS4J >> Type: Bug >> Environment: Windows 2000, JDK 1.4.2_06, 2 CPU, 2GHz >> Reporter: Samrat Ketu >> Assignee: Davanum Srinivas > > >>We have a multi-threaded program that uses Axis and WSS4J to send > > encrypted messages to a web service and decrypts the contents as they > are received. > >>We intermittently face the below exception - like 10 out of 5000 > > requests. Typical number of threads running are 10, pumping 10 messages > per second. As you can see, the problem is happening while decrypting > the response. > >>I was looking into the source code of WSS4J and realized that it could > > be because of > >>a. the way session/symmetric key is stored in WSSecEngine > > (decryptedBytes variable is used to store the session key and it is > declared at the class level) > >>b. the fact that reference to WSSecEngine is actually a static final > > variable in WSHandler (which is extended ultimately by WSDoAllReceiver) > >>Apparently, all instances of WSDoAllReceiver use the same instance of > > WSSecEngine to do encryption and decryption. And within WSSecEngine, the > symmetric key is a global variable, so different method invocations to > decrypt data will overwrite each other's symmetric key. > >>Exception is >> org.apache.ws.security.WSSecurityException: Error Class: > > org.apache.ws.security.WSSecurityException > >> Cannot encrypt/decrypt data; nested exception is: >> org.apache.xml.security.encryption.XMLEncryptionException: pad > > block corrupted > >> Original Exception was javax.crypto.BadPaddingException: pad > > block corrupted > >> org.apache.ws.security.WSSecurityException: Cannot > > encrypt/decrypt data; nested exception is: > >> org.apache.xml.security.encryption.XMLEncryptionException: > > pad block corrupted > >> Original Exception was javax.crypto.BadPaddingException: pad block > > corrupted > >> at > > org.apache.ws.security.WSSecurityEngine.decryptDataRef(WSSecurityEngine. > java:1226) > >> at org.apache.ws.security.WSSecurityEngine.handleEncryptedKey > > (WSSecurityEngine.java:1171) > >> at > > org.apache.ws.security.WSSecurityEngine.handleEncryptedKey(WSSecurityEng > ine.java:926) > >> at > > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurity > Engine.java :349) > >> at > > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurity > Engine.java:245) > >> at > > org.apache.ws.axis.security.WSDoAllReceiver.invoke(WSDoAllReceiver.java: > 156) > >> at org.apache.axis.strategies.InvocationStrategy.visit > > (InvocationStrategy.java:32) > >> at > > org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) > >> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) >> at org.apache.axis.client.AxisClient.invoke > > (AxisClient.java:190) > >> at org.apache.axis.client.Call.invokeEngine(Call.java:2765) >> at org.apache.axis.client.Call.invoke(Call.java:2748) >> at org.apache.axis.client.Call.invoke(Call.java:2424) >> at org.apache.axis.client.Call.invoke(Call.java:2347) >> at org.apache.axis.client.Call.invoke(Call.java:1804) >> .... >> .... >> Caused by: > > org.apache.xml.security.encryption.XMLEncryptionException : pad block > corrupted > >> Original Exception was javax.crypto.BadPaddingException: pad > > block corrupted > >> at > > org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown > Source) > >> at org.apache.xml.security.encryption.XMLCipher.decryptElement > > (Unknown Source) > >> at > > org.apache.xml.security.encryption.XMLCipher.decryptElementContent(Unkno > wn Source) > >> at > > org.apache.xml.security.encryption.XMLCipher.doFinal(Unknown Source) > >> at org.apache.ws.security.WSSecurityEngine.decryptDataRef > > (WSSecurityEngine.java:1224) > >> ... 17 more > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
