XMLSec 1.3.0, Java Wehn I invoke method KeyInfo.getX509Certificate(), X509CertificateResolver throws NullPointerException. This problem occures if application runs multithreaded. X509CertificateResolver object is shared among all the threads and is not synchronized. This was not the case in XMLSec 1.2.1, because there was allways a new X509CertificateResolver object created for every KeyInfo. OS: Windows XP Professional (32bit), SUSE Linux (64bit) JVM: 1.5.0_06
I cannot reproduce the error. Can you attach at testcase or even the Backtrace of the exception. Thanks.
This is the exception stack trace and a part of the code that runs on the exception. Note that the error occurs only if the web service is invoked from multiple threads. Please, let me know, whether this is sufficient. java.lang.NullPointerException at org.apache.xml.security.keys.keyresolver.implementations.X509CertificateResolve r.engineResolveX509Certificate(X509CertificateResolver.java:149) at org.apache.xml.security.keys.keyresolver.KeyResolver.resolveX509Certificate (KeyResolver.java:239) at org.apache.xml.security.keys.KeyInfo.getX509CertificateFromStaticResolvers (KeyInfo.java:900) at org.apache.xml.security.keys.KeyInfo.getX509Certificate (KeyInfo.java:859) at provgw.adapter.security.X509SecurityInterceptor.validateSignature (X509SecurityInterceptor.java:190) at provgw.adapter.security.X509CallbackSimSecurityInterceptor.invoke (X509CallbackSimSecurityInterceptor.java:89) at org.apache.axis.strategies.InvocationStrategy.visit (InvocationStrategy.java:32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.server.AxisServer.invoke(AxisServer.java:239) at org.apache.axis.transport.http.AxisServlet.doPost (AxisServlet.java:699) at javax.servlet.http.HttpServlet.service(HttpServlet.java:709) at org.apache.axis.transport.http.AxisServletBase.service (AxisServletBase.java:327) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter (ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.doFilter (ApplicationFilterChain.java:157) at org.apache.catalina.core.StandardWrapperValve.invoke (StandardWrapperValve.java:214) at org.apache.catalina.core.StandardValveContext.invokeNext (StandardValveContext.java:104) at org.apache.catalina.core.StandardPipeline.invoke (StandardPipeline.java:520) at org.apache.catalina.core.StandardContextValve.invokeInternal (StandardContextValve.java:198) at org.apache.catalina.core.StandardContextValve.invoke (StandardContextValve.java:152) at org.apache.catalina.core.StandardValveContext.invokeNext (StandardValveContext.java:104) at org.apache.catalina.core.StandardPipeline.invoke (StandardPipeline.java:520) at org.apache.catalina.core.StandardHostValve.invoke (StandardHostValve.java:137) at org.apache.catalina.core.StandardValveContext.invokeNext (StandardValveContext.java:104) at org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:118) at org.apache.catalina.core.StandardValveContext.invokeNext (StandardValveContext.java:102) at org.apache.catalina.core.StandardPipeline.invoke (StandardPipeline.java:520) at org.apache.catalina.core.StandardEngineValve.invoke (StandardEngineValve.java:109) at org.apache.catalina.core.StandardValveContext.invokeNext (StandardValveContext.java:104) at org.apache.catalina.core.StandardPipeline.invoke (StandardPipeline.java:520) at org.apache.catalina.core.ContainerBase.invoke (ContainerBase.java:929) at org.apache.coyote.tomcat5.CoyoteAdapter.service (CoyoteAdapter.java:160) at org.apache.coyote.http11.Http11Processor.process (Http11Processor.java:799) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnecti on(Http11Protocol.java:705) at org.apache.tomcat.util.net.TcpWorkerThread.runIt (PoolTcpEndpoint.java:577) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (ThreadPool.java:683) at java.lang.Thread.run(Unknown Source) ----------- X509Certificate certificate; KeyInfo keyInfo = signature.getKeyInfo(); if (keyInfo != null) { if (keyInfo.containsX509Data()) { try { certificate = keyInfo.getX509Certificate(); } catch (KeyResolverException e) { return false; } if (certificate == null) { return false; } } }
Fixed in SVN head, Thanks for pointing the problem. It was true that engineCanResolve set status for the latter engineResolveX methods, and after making Resolvers singleton-like for all threads a race condition can arraise. I have fixed it merging this two methods in one the engineResolveX. Can you test the changes? Also I think this bug is important enought to do a 1.3.1 release. What do you think?
I have tested the bugfix and the code behaves correctly now. Yes, this bug is surely worth of new release. The 1.3.0 code of the X509CertificateResolver is not thread safe and therefore it cannot be trusted in multithreaded applications. Thanks for the fix.
Closing old bugs.