I can confirm that this issue also affects the latest version (3.1.3). Due to this we are getting NPEs in production.
Another working workaround seems to be to override the getSource() method (e.g. return a new ResourceSource instance built out of the original Resource used to create the SimpleXSDSchema object). The following snippet shows the idea:
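```java
import java.io.IOException;
import java.io.UncheckedIOException;
import javax.xml.transform.Source;
import org.springframework.xml.transform.ResourceSource;
import org.springframework.xml.xsd.SimpleXsdSchema;

// 'resource' is the Resource the schema was created from (must be effectively final).
SimpleXsdSchema schema = new SimpleXsdSchema(resource) {
    @Override
    public Source getSource() {
        try {
            // Build a fresh Source from the resource on every call.
            return new ResourceSource(resource);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
};
```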
Any updates on this? We face the same issue. We have a SimpleXsdSchema @Bean, and when multiple clients try to download the XSD at the same time from our SOAP service, the DOM is changed and gets corrupted.
All Spring docs advise using SimpleXsdSchema for exposing the XSDs, but no one seems aware of the problem here.
Robert Lönnqvist opened SWS-973 and commented
Hi everyone,
We are using spring-ws and discovered an issue in SimpleXsdSchema.
SimpleXsdSchema has a reference to an instance of org.w3c.dom.Element which is not thread safe. This causes issues when multiple clients are requesting the schema file simultaneously. The end result is empty attributes, which causes ws clients to fail validating the schema.
I've pushed an example of the issue here.
For now, my workaround is to override SimpleXsdSchema with a version using a ThreadLocal for the element.
Affects: 2.4.0
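
The ThreadLocal workaround mentioned in the report, sketched with JDK classes only so it runs without Spring. This is an added example, not code from the reporter or from spring-ws; the class name, the sample schema and the 8-thread harness are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.concurrent.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Element;

public class ThreadLocalXsdDemo {
    // Constructed sample schema; stands in for the XSD the service exposes.
    static final byte[] XSD = ("<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" "
            + "targetNamespace=\"urn:example:demo\" elementFormDefault=\"qualified\">"
            + "<xs:element name=\"ping\" type=\"xs:string\"/></xs:schema>")
            .getBytes(StandardCharsets.UTF_8);

    // Each thread parses its own DOM tree once, so no Element is ever shared.
    static final ThreadLocal<Element> ROOT = ThreadLocal.withInitial(() -> {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            return f.newDocumentBuilder().parse(new ByteArrayInputStream(XSD)).getDocumentElement();
        } catch (Exception e) {
            throw new IllegalStateException("cannot parse schema", e);
        }
    });

    // Counterpart of getSource(): backed by the calling thread's private copy.
    static Source getSource() { return new DOMSource(ROOT.get()); }

    static String serialize() throws Exception {
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(getSource(), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String expected = serialize();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < 400; i++) results.add(pool.submit(() -> expected.equals(serialize())));
        int bad = 0;
        for (Future<Boolean> r : results) if (!r.get()) bad++;
        pool.shutdown();
        System.out.println("mismatching responses: " + bad);
    }
}
```

Replacing `ROOT` with a single shared `Element` turns the harness into a check for the corruption described in the report, although a race of this kind will not necessarily show up on every run.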