[jira] [Commented] (SYNCOPE-1301) Token creation is not threadsafe

ASF GitHub Bot (JIRA) Thu, 12 Apr 2018 08:13:52 -0700

    [ 
https://issues.apache.org/jira/browse/SYNCOPE-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435743#comment-16435743
 ]


ASF GitHub Bot commented on SYNCOPE-1301:
-----------------------------------------

Github user ilgrosso commented on the issue:

    https://github.com/apache/syncope/pull/70
  
    @IsurangaPerera I don't remember the details, but what I can see from the 
source three is that `AccessTokenDataBinderImpl#create` is invoked in two 
places:
    
    1. 
https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/AccessTokenLogic.java#L84
 (plain login)
    1. 
https://github.com/apache/syncope/blob/master/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L549
 (SAML 2.0 login)
    
    The former provides `replaceExisting` as `false`, the latter as `true`.
    
    From the code in `AccessTokenDataBinderImpl#create` I can see that:
    
    * for plain login, JWT is generated only at first invocation
    * for SAML 2.0 login, JWT is generated at every invocation, and existing 
JWT is replaced if existing
    
    Moreover, I cannot recall exactly why the UNIQUE constraint is not imposed 
to AccessToken's `owner`.


> Token creation is not threadsafe
> --------------------------------
>
>                 Key: SYNCOPE-1301
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1301
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8
>            Reporter: Isuranga Perera
>            Priority: Major
>             Fix For: 2.0.9, 2.1.0
>
>
> Token create method in AccessTokenDataBinderImpl[1] is not thread safe. This 
> could result in several problems including
>  * Exist 2 different access token for a particular user at a given time which 
> may result in an exception thrown by method call[2] since it expects a single 
> token a given user.
> In addition to that token replace is implemented as a combination of 2 
> different functionalities. Since the method is not thread safe this may cause 
> some unexpected behaviors (since there can be 2 tokens exist for a particular 
> user. same scenario as above).
> [1] 
> [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L104]
> [2] 
> [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L113]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (SYNCOPE-1301) Token creation is not threadsafe

Reply via email to