Santuario / SANTUARIO-253

org.apache.xml.security.utils.resolver.ResourceResolver is not thread safe


    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: Java 1.4.4
    • Fix Version/s: Java 1.4.5
    • Component/s: Java
    • Security Level: Public (Public issues, viewable by everyone)
    • Environment: Irrelevant - the bug is fully portable.


      Here are additional details, but hopefully the title is enough.

      My library is using xmlsec to sign and verify xml signatures. Sometimes I get the following exception when invoking DOMXMLSignature.sign():

      javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI #SAMLblahblah and Base null

      which is caused by an exception thrown in ResourceResolver.getInstance(Attr uri, String BaseURI) (last line).
      This is clearly a bug, as ResolverFragment is a correct resolver for the reported URI (and my implementation is working 99,x% of the time).

      I'm pretty sure that the cause is in the aforementioned method getInstance(). ResourceResolver maintains a static Vector which is modified at runtime: during initialization (it is a bug, but from a practical PoV not that severe) and unfortunately also in the getInstance() method, which is a problem. When two threads call it, the vector might be permuted by the first thread while the latter is iterating over it.

      Please notice that it can't be fixed in any code using your library, as the method is public and static and is also called many times from xmlsec itself. Even if I synchronized each and every call to the xmlsec API (forgetting for a moment about the terrible performance loss), I'd have no guarantee that other code in my final app won't use your library directly.
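The following is an added, constructed model of the pattern the report describes (a static Vector that the lookup itself permutes while other threads scan it); it is not Santuario's code, and the class, method and resolver names are hypothetical. It runs two threads against an unsafe lookup and a hardened one and counts how often each fails to find a resolver that is registered (Java 9+).

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed illustration, not Santuario's ResourceResolver; names are hypothetical.
public class ResolverRegistryRace {
    interface Resolver { boolean canResolve(String uri); }
    static Resolver prefix(String p) { return uri -> uri.startsWith(p); }

    static final Vector<Resolver> UNSAFE =
        new Vector<>(List.of(prefix("a:"), prefix("b:"), prefix("c:")));
    static final List<Resolver> SAFE = new CopyOnWriteArrayList<>(UNSAFE);

    // Unsafe: scans by index and moves the hit to the front. Each Vector call is
    // synchronized on its own, but the scan and the two-step swap are not, so a
    // concurrent scanner can observe the list mid-permutation (e.g. [C, C, A])
    // and conclude that no resolver handles a "b:" URI.
    static Resolver unsafeGetInstance(String uri) {
        for (int i = 0; i < UNSAFE.size(); i++) {
            Resolver r = UNSAFE.get(i);
            if (r.canResolve(uri)) {
                Resolver front = UNSAFE.get(0);
                UNSAFE.set(i, front);   // window: r is temporarily absent from the list
                UNSAFE.set(0, r);
                return r;
            }
        }
        return null; // what surfaces as "Could not find a resolver for URI ..."
    }

    // Hardened: iterate a snapshot and never mutate shared state during a lookup.
    static Resolver safeGetInstance(String uri) {
        for (Resolver r : SAFE) if (r.canResolve(uri)) return r;
        return null;
    }

    // Two threads alternate "b:" and "c:" lookups so the front keeps changing;
    // returns how many lookups wrongly came back empty.
    static int countMisses(java.util.function.Function<String, Resolver> lookup,
                           int rounds) throws InterruptedException {
        AtomicInteger misses = new AtomicInteger();
        Runnable worker = () -> {
            for (int n = 0; n < rounds; n++)
                if (lookup.apply(n % 2 == 0 ? "b:doc" : "c:doc") == null) misses.incrementAndGet();
        };
        Thread t1 = new Thread(worker), t2 = new Thread(worker);
        t1.start(); t2.start(); t1.join(); t2.join();
        return misses.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsafe misses: " + countMisses(ResolverRegistryRace::unsafeGetInstance, 200_000));
        System.out.println("safe misses:   " + countMisses(ResolverRegistryRace::safeGetInstance, 200_000));
    }
}
```

The unsafe count is timing-dependent and may be zero on a single run, which is exactly why such bugs show up as intermittent failures in production rather than in tests; the safe count is always zero.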


      Attachments: santuario-253.patch (2 kB, Colm O hEigeartaigh)

      Assignee: Colm O hEigeartaigh (coheigea)
      Reporter: Krzysztof Benedyczak (golbi)