syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <>
Subject [jira] [Commented] (SYNCOPE-1301) Token creation is not threadsafe
Date Thu, 12 Apr 2018 15:13:00 GMT


ASF GitHub Bot commented on SYNCOPE-1301:

Github user ilgrosso commented on the issue:
    @IsurangaPerera I don't remember the details, but what I can see from the source three
is that `AccessTokenDataBinderImpl#create` is invoked in two places:
(plain login)
(SAML 2.0 login)
    The former provides `replaceExisting` as `false`, the latter as `true`.
    From the code in `AccessTokenDataBinderImpl#create` I can see that:
    * for plain login, JWT is generated only at first invocation
    * for SAML 2.0 login, JWT is generated at every invocation, and existing JWT is replaced
if existing
    Moreover, I cannot recall exactly why the UNIQUE constraint is not imposed to AccessToken's

> Token creation is not threadsafe
> --------------------------------
>                 Key: SYNCOPE-1301
>                 URL:
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8
>            Reporter: Isuranga Perera
>            Priority: Major
>             Fix For: 2.0.9, 2.1.0
> Token create method in AccessTokenDataBinderImpl[1] is not thread safe. This could result
in several problems including
>  * Exist 2 different access token for a particular user at a given time which may result
in an exception thrown by method call[2] since it expects a single token a given user.
> In addition to that token replace is implemented as a combination of 2 different functionalities.
Since the method is not thread safe this may cause some unexpected behaviors (since there
can be 2 tokens exist for a particular user. same scenario as above).
> [1] []
> [2] []

This message was sent by Atlassian JIRA

View raw message