dmatej commented on PR #184:
URL:
https://github.com/apache/santuario-xml-security-java/pull/184#issuecomment-1604575684
Hmmm. What if I have one thread which preconfigures the `providerName` for
some thread pool? Now they would get `null`. On the other hand you are right
that the class is not thread-safe at all, it is just a global unprotected
variable.
Javadoc says it is just a default and when I take a look on how it is used:
```
if (provider == null) {
String providerId = JCEMapper.getProviderId();
if (providerId == null) {
this.signatureAlgorithm =
Signature.getInstance(algorithmID);
} else {
this.signatureAlgorithm =
Signature.getInstance(algorithmID, providerId);
}
} else {
this.signatureAlgorithm = Signature.getInstance(algorithmID,
provider);
}
```
and the same for MessageDigest instead of Signature.
Then I believe that much safer is to use rather
`Signature.getInstance(algorithmID, provider);` and
`MessageDigest.getInstance(algorithmID, provider);` with the `provider` you set
to the `providerName` now, and completely avoid relying on the default
non-final value.
Btw it is also bit weird that the same value is used as a default for
`MessageDigest` and `Signature`, mhm ... seems it is really a "global default
provider".
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
