syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SYNCOPE-1301) Token creation is not threadsafe
Date Thu, 12 Apr 2018 14:26:00 GMT

    [ https://issues.apache.org/jira/browse/SYNCOPE-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435668#comment-16435668
] 

ASF GitHub Bot commented on SYNCOPE-1301:
-----------------------------------------

Github user ilgrosso commented on a diff in the pull request:

    https://github.com/apache/syncope/pull/70#discussion_r181100663
  
    --- Diff: core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAAccessTokenDAO.java
---
    @@ -115,6 +115,16 @@ public AccessToken save(final AccessToken accessToken) {
             return entityManager().merge(accessToken);
         }
     
    +    @Override
    +    public AccessToken replace(final AccessToken accessToken) {
    +        AccessToken existing = findByOwner(accessToken.getOwner());
    +        if (existing != null) {
    +            delete(existing.getKey());
    +        }
    +
    +        return entityManager().merge(accessToken);
    --- End diff --
    
    replace `entityManager().merge(accessToken)` with `save(accesToken)`


> Token creation is not threadsafe
> --------------------------------
>
>                 Key: SYNCOPE-1301
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1301
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8
>            Reporter: Isuranga Perera
>            Priority: Major
>             Fix For: 2.0.9, 2.1.0
>
>
> Token create method in AccessTokenDataBinderImpl[1] is not thread safe. This could result
in several problems including
>  * Exist 2 different access token for a particular user at a given time which may result
in an exception thrown by method call[2] since it expects a single token a given user.
> In addition to that token replace is implemented as a combination of 2 different functionalities.
Since the method is not thread safe this may cause some unexpected behaviors (since there
can be 2 tokens exist for a particular user. same scenario as above).
> [1] [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L104]
> [2] [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L113]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message