ASF GitHub Bot commented on SYNCOPE-1301:
Github user ilgrosso commented on the issue:
@IsurangaPerera I don't remember the details, but what I can see from the
source three is that `AccessTokenDataBinderImpl#create` is invoked in two
(SAML 2.0 login)
The former provides `replaceExisting` as `false`, the latter as `true`.
From the code in `AccessTokenDataBinderImpl#create` I can see that:
* for plain login, JWT is generated only at first invocation
* for SAML 2.0 login, JWT is generated at every invocation, and existing
JWT is replaced if existing
Moreover, I cannot recall exactly why the UNIQUE constraint is not imposed
to AccessToken's `owner`.
> Token creation is not threadsafe
> Key: SYNCOPE-1301
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1301
> Project: Syncope
> Issue Type: Bug
> Components: core
> Affects Versions: 2.0.8
> Reporter: Isuranga Perera
> Priority: Major
> Fix For: 2.0.9, 2.1.0
> Token create method in AccessTokenDataBinderImpl is not thread safe. This
> could result in several problems including
> * Exist 2 different access token for a particular user at a given time which
> may result in an exception thrown by method call since it expects a single
> token a given user.
> In addition to that token replace is implemented as a combination of 2
> different functionalities. Since the method is not thread safe this may cause
> some unexpected behaviors (since there can be 2 tokens exist for a particular
> user. same scenario as above).
This message was sent by Atlassian JIRA