Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to org.apache.santuario:xmlsec:3.0.2 #1332

Closed
cachescrubber opened this issue Feb 8, 2023 · 1 comment
Closed

Upgrade to org.apache.santuario:xmlsec:3.0.2 #1332

cachescrubber opened this issue Feb 8, 2023 · 1 comment
Assignees
@gregturn
Labels
dependencies Pull requests that update a dependency file in: security type: task
Milestone
4.0.3

Comments

@cachescrubber
Copy link
Contributor

In Version 3.0.1 Apache Santuario introduced a Bug which could cause applications using org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor to block indefinitely. We already created an upstream Issue SANTUARIO-598 .

Spring Web Services should consider to downgrade the managed dependency to org.apache.santuario:xmlsec:3.0.0 or at least add a warning in the release notes.

Here is a typical Thread Dump of an affected application.

"http-nio-8080-exec-1" - Thread t@24
   java.lang.Thread.State: BLOCKED
	at java.base@17.0.6/sun.security.provider.NativePRNG$RandomIO.implNextBytes(NativePRNG.java:547)
	- waiting to lock <577bfadd> (a java.lang.Object) owned by "http-nio-8080-exec-8" t@31
	at java.base@17.0.6/sun.security.provider.NativePRNG$Blocking.engineNextBytes(NativePRNG.java:269)
	at java.base@17.0.6/java.security.SecureRandom.nextBytes(SecureRandom.java:758)
	at org.apache.xml.security.stax.ext.XMLSecurityConstants.generateBytes(XMLSecurityConstants.java:85)
	at org.apache.wss4j.dom.util.WSSecurityUtil.generateNonce(WSSecurityUtil.java:644)
	at org.apache.wss4j.dom.message.token.UsernameToken.addNonce(UsernameToken.java:291)
	at org.apache.wss4j.dom.message.token.UsernameToken.<init>(UsernameToken.java:258)
	at org.apache.wss4j.dom.message.WSSecUsernameToken.prepare(WSSecUsernameToken.java:170)
	at org.apache.wss4j.dom.message.WSSecUsernameToken.build(WSSecUsernameToken.java:231)
	at org.apache.wss4j.dom.message.WSSecUsernameToken.build(WSSecUsernameToken.java:238)
	at org.apache.wss4j.dom.action.UsernameTokenAction.execute(UsernameTokenAction.java:69)
	at org.apache.wss4j.dom.handler.WSHandler.doSenderAction(WSHandler.java:240)
	at org.springframework.ws.soap.security.wss4j2.Wss4jHandler.doSenderAction(Wss4jHandler.java:58)
	at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:609)
	at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:206)
	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:575)
	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:538)
	at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390)

To mitigate the issue, the system property org.apache.xml.security.securerandom.algorithm could be set to use a non-blocking algorithm.

  @PostConstruct
  public void init() {
    // SANTUARIO-589 - Enable configurable RNG in initialization of XMlSecurityConstants
    // override RNG algorithm, otherwise a BLOCKING algorithm is used.
    System.getProperties().setProperty("org.apache.xml.security.securerandom.algorithm", "SHA1PRNG");
  }
@gregturn gregturn changed the title Warning: Bug in org.apache.santuario:xmlsec:3.0.1 might block applications using Wss4j Upgrade to org.apache.santuario:xmlsec:3.0.2 Apr 18, 2023
@gregturn gregturn self-assigned this Apr 18, 2023
@gregturn gregturn added type: task dependencies Pull requests that update a dependency file in: security labels Apr 18, 2023
@gregturn gregturn added this to the 4.0.3 milestone Apr 18, 2023
@gregturn
Copy link
Contributor

See apache/santuario-xml-security-java#120 for the original patch to XMLSEC.

@markreesmoj markreesmoj mentioned this issue Oct 23, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gregturn gregturn

Labels
dependencies Pull requests that update a dependency file in: security type: task
Projects
None yet
Milestone
4.0.3
Development

No branches or pull requests
2 participants
@gregturn @cachescrubber