WS-Security concurrency issue with CXF 2.2.12 + WSS4J 1.5.10

Wed, 01 Jun 2011 01:52:58 -0700 

Hi,
we're running some WS-Security load tests with Apache CXF 2.2.12 + WSS4J 1.5.10 and might have found a concurrency issue. 
We're getting the following exception:

[runTest(bash)] OUT>  Caused by: java.util.ConcurrentModificationException
[runTest(bash)] OUT>         at 
java.util.AbstractList$Itr.checkForComodification(AbstractList.java:372)
[runTest(bash)] OUT>         at 
java.util.AbstractList$Itr.next(AbstractList.java:343)
[runTest(bash)] OUT>         at 
org.apache.ws.security.WSDocInfo.getSecurityTokenReference(WSDocInfo.java:86)
[runTest(bash)] OUT>         at 
org.apache.ws.security.message.EnvelopeIdResolver.engineResolve(EnvelopeIdResolver.java:114)
[runTest(bash)] OUT>         at 
org.apache.xml.security.utils.resolver.ResourceResolver.resolve(Unknown Source)
[runTest(bash)] OUT>         at 
org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Unknown
 Source)
[runTest(bash)] OUT>         at 
org.apache.xml.security.signature.Reference.dereferenceURIandPerformTransforms(Unknown
 Source)
[runTest(bash)] OUT>         at 
org.apache.xml.security.signature.Reference.calculateDigest(Unknown Source)
[runTest(bash)] OUT>         at 
org.apache.xml.security.signature.Reference.verify(Unknown Source)
[runTest(bash)] OUT>         at 
org.apache.xml.security.signature.Manifest.verifyReferences(Unknown Source)
[runTest(bash)] OUT>         at 
org.apache.xml.security.signature.SignedInfo.verify(Unknown Source)
[runTest(bash)] OUT>         at 
org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
[runTest(bash)] OUT>         at 
org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
[runTest(bash)] OUT>         at 
org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:470)
[runTest(bash)] OUT>         at 
org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:114)
[runTest(bash)] OUT>         at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328)
[runTest(bash)] OUT>         at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
[runTest(bash)] OUT>         at 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:208)
[runTest(bash)] OUT>         at 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:78)
[runTest(bash)] OUT>         at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
[runTest(bash)] OUT>         at 
org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:755)
[runTest(bash)] OUT>         at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2408)
[runTest(bash)] OUT>         at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2278)
[runTest(bash)] OUT>         at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:2121)
[runTest(bash)] OUT>         at 
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
[runTest(bash)] OUT>         at 
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:695)
[runTest(bash)] OUT>         at 
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
[runTest(bash)] OUT>         at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
[runTest(bash)] OUT>         at 
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
[runTest(bash)] OUT>         at 
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
[runTest(bash)] OUT>         at 
org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
[runTest(bash)] OUT>         at 
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[runTest(bash)] OUT>         at 
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
[runTest(bash)] OUT>         ... 9 more
Interestingly, forcing the use of WSS4J 1.5.8 instead (we discovered this by accident ;-) ) the problem goes away. The application basically builds up a JAXWS client using WS-Security (Sign only) through programmatically configured WSS4J interceptors: http://fpaste.org/pYHM/ Once the proxy is ready on client side, it's called concurrently using multiple threads (performIteration() method in the code). Does the problem/exception above ring any bell? I'm going to investigate this a bit more in any case. 
Thanks
Alessio

--
Alessio Soldano
Web Service Lead, JBoss

Reply via email to