syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "DmitriyB. (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SYNCOPE-1386) Not committed managed objects can get into L2 cache.
Date Fri, 19 Oct 2018 18:32:00 GMT

     [ https://issues.apache.org/jira/browse/SYNCOPE-1386?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

DmitriyB. updated SYNCOPE-1386:
-------------------------------
    Description: 
Hi guys. I noticed the issue that leads to inconsistent data that comes in HTTP response.

In Apache Syncope the Application Scoped Entity manager is used for all operations with the
database. Entity manager is created by appropriate Entity Manager Factory that matches a particular
domain. Thus, the scope of Persistence Context is extended and also it is bound to a current
thread.
Moreover, Entity Manager that is created by Entity Manager Factory is Transactional. Thus
any execution using entity manager without opened transaction leads to exception like (which
is fine):
{code:java}
java.lang.IllegalStateException: Could not find EntityManager for domain dbrashevets
at org.apache.syncope.core.persistence.jpa.dao.AbstractDAO.entityManager(AbstractDAO.java:41)
~[syncope-core-persistence-jpa-2.0.8.jar:?]
at org.apache.syncope.core.persistence.jpa.dao.JPAUserDAO.findByUsername(JPAUserDAO.java:209)
~[syncope-core-persistence-jpa-2.0.8.jar:?]
at sun.reflect.GeneratedMethodAccessor232.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45005)
~[?:1.8.0_151]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at com.sun.proxy.$Proxy74.findByUsername(Unknown Source) ~[?:?]{code}
 
In Apache Syncope L2 cache is enabled by default. 
syncope-core-persistence-jpa-2.0.8.jar!\domains.xml file has a property
{code:java}
<entry key="openjpa.DataCache" value="true"/>
{code}
If the transaction is opened, the entity, that is fetched via Entity Manager gets into L1
cache and L2 cache and becomes managed.

If an exception occurs L1 cache is being destroyed because Entity Manager is bound to a current
thread. Managed entity becomes detached. But L2 cache can have this detached entity.

 

Here is an example of code where it can be reproduced.

[https://github.com/apache/syncope/blob/443f5a38ea45f15c092c41abb202f897c795c5f2/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAUserDAO.java#L397] 

 

Here is the use-case how to reproduce the problem:

1. Create user in Syncope
2. Do a request password reset action and make sure that token that is used for pwd reset
action is generated and stored into database.
3. Restart your application to be sure that L2 cache is empty.
4. Confirm password reset action for this user and make sure that requested password doesn't
apply the password rules. In my case password is too short. The exception like "InvalidUser:InvalidPassword:
Password too short" should be thrown. 
5. Request the user by username. The user that comes in HTTP Response doesn't have "token"
and "tokenExpireTime" attributes. But you may find "token" and "tokenExpireTime" value in
SyncopeUser table for this user.

 

  was:
Hi guys. I noticed the issue that leads to inconsistent data that comes in HTTP response.

In Apache Syncope the Application Scoped Entity manager is used for all operations with the
database. Entity manager is created by appropriate Entity Manager Factory that matches a particular
domain. Thus, the scope of Persistence Context is extended and also it is bound to a current
thread.
Moreover, Entity Manager that is created by Entity Manager Factory is Transactional. Thus
any execution using entity manager without opened transaction leads to exception like (which
is fine):
{code:java}
java.lang.IllegalStateException: Could not find EntityManager for domain dbrashevets
at org.apache.syncope.core.persistence.jpa.dao.AbstractDAO.entityManager(AbstractDAO.java:41)
~[syncope-core-persistence-jpa-2.0.8.jar:?]
at org.apache.syncope.core.persistence.jpa.dao.JPAUserDAO.findByUsername(JPAUserDAO.java:209)
~[syncope-core-persistence-jpa-2.0.8.jar:?]
at sun.reflect.GeneratedMethodAccessor232.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45005)
~[?:1.8.0_151]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at com.sun.proxy.$Proxy74.findByUsername(Unknown Source) ~[?:?]{code}
 
In Apache Syncope L2 cache is enabled by default. 
syncope-core-persistence-jpa-2.0.8.jar!\domains.xml file has a property
{code:java}
<entry key="openjpa.DataCache" value="true"/>
{code}
If the transaction is opened, the entity, that is fetched via Entity Manager gets into L1
cache and L2 cache and becomes managed.

If an exception occurs L1 cache is being destroyed because Entity Manager is bound to a current
thread. Managed entity becomes detached. But L2 cache can have this detached entity.

Here is an example of code where it can be reproduced.

[https://github.com/apache/syncope/blob/443f5a38ea45f15c092c41abb202f897c795c5f2/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAUserDAO.java#L397] 

 

Here is the use-case how to reproduce the problem:

1. Create user in Syncope
2. Do a request password reset action and make sure that token that is used for pwd reset
action is generated and stored into database.
3. Restart your application to be sure that L2 cache is empty.
4. Confirm password reset action for this user and make sure that requested password doesn't
apply the password rules. In my case password is too short. The exception like "InvalidUser:InvalidPassword:
Password too short" should be thrown. 
5. Request the user by username. The user that comes in HTTP Response doesn't have "token"
and "tokenExpireTime" attributes. But you may find "token" and "tokenExpireTime" value in
SyncopeUser table for this user.

 


> Not committed managed objects can get into L2 cache.
> ----------------------------------------------------
>
>                 Key: SYNCOPE-1386
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1386
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8
>            Reporter: DmitriyB.
>            Priority: Major
>         Attachments: confirm_pwd_reset_action.sh
>
>
> Hi guys. I noticed the issue that leads to inconsistent data that comes in HTTP response.
> In Apache Syncope the Application Scoped Entity manager is used for all operations with
the database. Entity manager is created by appropriate Entity Manager Factory that matches
a particular domain. Thus, the scope of Persistence Context is extended and also it is bound
to a current thread.
> Moreover, Entity Manager that is created by Entity Manager Factory is Transactional.
Thus any execution using entity manager without opened transaction leads to exception like
(which is fine):
> {code:java}
> java.lang.IllegalStateException: Could not find EntityManager for domain dbrashevets
> at org.apache.syncope.core.persistence.jpa.dao.AbstractDAO.entityManager(AbstractDAO.java:41)
~[syncope-core-persistence-jpa-2.0.8.jar:?]
> at org.apache.syncope.core.persistence.jpa.dao.JPAUserDAO.findByUsername(JPAUserDAO.java:209)
~[syncope-core-persistence-jpa-2.0.8.jar:?]
> at sun.reflect.GeneratedMethodAccessor232.invoke(Unknown Source) ~[?:?]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45005)
~[?:1.8.0_151]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
> at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
> at com.sun.proxy.$Proxy74.findByUsername(Unknown Source) ~[?:?]{code}
>  
> In Apache Syncope L2 cache is enabled by default. 
> syncope-core-persistence-jpa-2.0.8.jar!\domains.xml file has a property
> {code:java}
> <entry key="openjpa.DataCache" value="true"/>
> {code}
> If the transaction is opened, the entity, that is fetched via Entity Manager gets into
L1 cache and L2 cache and becomes managed.
> If an exception occurs L1 cache is being destroyed because Entity Manager is bound to
a current thread. Managed entity becomes detached. But L2 cache can have this detached entity.
>  
> Here is an example of code where it can be reproduced.
> [https://github.com/apache/syncope/blob/443f5a38ea45f15c092c41abb202f897c795c5f2/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAUserDAO.java#L397] 
>  
> Here is the use-case how to reproduce the problem:
> 1. Create user in Syncope
> 2. Do a request password reset action and make sure that token that is used for pwd reset
action is generated and stored into database.
> 3. Restart your application to be sure that L2 cache is empty.
> 4. Confirm password reset action for this user and make sure that requested password
doesn't apply the password rules. In my case password is too short. The exception like "InvalidUser:InvalidPassword:
Password too short" should be thrown. 
> 5. Request the user by username. The user that comes in HTTP Response doesn't have "token"
and "tokenExpireTime" attributes. But you may find "token" and "tokenExpireTime" value in
SyncopeUser table for this user.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message