Hi Francesco, I will take a scenario. Suppose a scenario where thread A & thread B try to login user admin.
1. thread A checks if a token exist for the user admin (suppose currently there is no token associated with the admin) 2. Then thread A execute following logic to create and save the token. 3. Before thread A save the token for user admin thread B checks if a token exist for user admin (since the toked created by thread A is not yet saved *exist == null*) 4. Then thread A complete the creation of token (and saving) 5. Thread B also complete the creation and saving of the token. That way there can be 2 tokens for a particular user.  https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L119 Best Regards Isuranga Perera On Mon, Apr 9, 2018 at 11:42 AM, Francesco Chicchiriccò <ilgro...@apache.org > wrote: > On 09/04/2018 07:07, Isuranga Perera wrote: > >> Hi All, >> >> Token create method in AccessTokenDataBinderImpl is not thread safe. >> > > Could you please explain why you're affirming this? > > This could result in several problems including >> >> * Exist 2 different access token for a particular user at a given >> time which may result in an exception thrown by method call >> since it expects a single token a given user. >> >> In addition to that token replace is implemented as a combination of 2 >> different functionalities. Since the method is not thread safe this may >> cause some unexpected behaviors (since there can be 2 tokens exist for a >> particular user. same scenario as above). >> >> Appreciate your insight on the $subject. >> >> >>  https://github.com/apache/syncope/blob/master/core/provision >> ing-java/src/main/java/org/apache/syncope/core/provisioni >> ng/java/data/AccessTokenDataBinderImpl.java#L104 >> >>  https://github.com/apache/syncope/blob/master/core/provision >> ing-java/src/main/java/org/apache/syncope/core/provisioni >> ng/java/data/AccessTokenDataBinderImpl.java#L113 >> >> Best Regards >> Isuranga Perera >> > > > -- > Francesco Chicchiriccò > > Tirasa - Open Source Excellence > http://www.tirasa.net/ > > Member at The Apache Software Foundation > Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail > http://home.apache.org/~ilgrosso/ > >