[
https://issues.apache.org/jira/browse/SYNCOPE-1386?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
DmitriyB. updated SYNCOPE-1386:
-------------------------------
Description:
Hi guys. I noticed the issue that leads to inconsistent data that comes in HTTP
response.
In Apache Syncope L2 cache is enabled by default.
syncope-core-persistence-jpa-2.0.8.jar!\domains.xml file has a property
{code:java}
<entry key="openjpa.DataCache" value="true"/>
{code}
If the transaction is opened, the entity, that is fetched via Entity Manager
gets into L1 cache and L2 cache and becomes managed.
If an exception occurs L1 cache is being destroyed because Entity Manager is
bound to a current thread. Managed entity becomes detached. But L2 cache can
have this detached entity.
Here is an example of code where it can be reproduced.
[https://github.com/apache/syncope/blob/443f5a38ea45f15c092c41abb202f897c795c5f2/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAUserDAO.java#L397]
Here is the use-case how to reproduce the problem:
1. Create user in Syncope
2. Do a request password reset action and make sure that token that is used for
pwd reset action is generated and stored into database.
3. Restart your application to be sure that L2 cache is empty.
4. Confirm password reset action for this user and make sure that requested
password doesn't apply the password rules. In my case password is too short.
The exception like "InvalidUser:InvalidPassword: Password too short" should be
thrown.
5. Request the user by username. The user that comes in HTTP Response doesn't
have "token" and "tokenExpireTime" attributes. But you may find "token" and
"tokenExpireTime" value in SyncopeUser table for this user.
was:
Hi guys. I noticed the issue that leads to inconsistent data that comes in HTTP
response.
In Apache Syncope L2 cache is enabled by default.
syncope-core-persistence-jpa-2.0.8.jar!\domains.xml file has a property
{code:java}
<entry key="openjpa.DataCache" value="true"/>
{code}
If the transaction is opened, the entity, that is fetched via Entity Manager
gets into L1 cache and L2 cache and becomes managed.
If an exception occurs L1 cache is being destroyed because Entity Manager is
bound to a current thread. Managed entity becomes detached. But L2 cache can
have this detached entity.
Here is an example of code where it can be reproduced.
[https://github.com/apache/syncope/blob/443f5a38ea45f15c092c41abb202f897c795c5f2/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAUserDAO.java#L397]
Here is the use-case how to reproduce the problem:
1. Create user in Syncope
2. Do a request password reset action and make sure that token that is used for
pwd reset action is generated and stored into database.
3. Restart your application to be sure that L2 cache is empty.
4. Confirm password reset action for this user and make sure that requested
password doesn't apply the password rules. In my case password is too short.
The exception like "InvalidUser:InvalidPassword: Password too short" should be
thrown.
5. Request the user by username. The user that comes in HTTP Response doesn't
have "token" and "tokenExpireTime" attributes. But you may find "token" and
"tokenExpireTime" value in SyncopeUser table for this user.
In our application that is based on Syncope 2.0.8, I always clean the L2 cache
when transaction is rolled back in
org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.
_invoke(..)_ method looks like this:
{code:java}
@Override
public Object invoke(final MethodInvocation invocation) throws Throwable {
try {
return super.invoke(invocation);
} catch (Throwable e) {
EntityManagerFactory entityManagerFactory =
EntityManagerFactoryUtils.findEntityManagerFactory(
ApplicationContextProvider.getBeanFactory(), AuthContextUtils.getDomain());
Cache l2Cache = entityManagerFactory.getCache();
if (l2Cache != null) {
l2Cache.evictAll();
}
LOG.debug("Error during {} invocation", invocation.getMethod(), e);
throw e;
}
}
{code}
This is the guarantee for that corrected data won't come in response, but I'm
destroying the cache all the time when exception is thrown from one of
@Transactional methods.
You can find an example in confirm_pwd_reset_action.sh script. You can run it
by executing the command:
"./confirm_pwd_reset_action.sh | tee temp.log"
Here I'm trying to do confirm-password-reset action after 5 minutes of waiting
with the password that doesn't match the rules. And then I'm requesting user by
username. In response it comes without "token" and "tokenExpireTime".
> Not committed managed objects can get into L2 cache.
> ----------------------------------------------------
>
> Key: SYNCOPE-1386
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1386
> Project: Syncope
> Issue Type: Bug
> Components: core
> Affects Versions: 2.0.8
> Reporter: DmitriyB.
> Priority: Major
> Attachments: confirm_pwd_reset_action.sh
>
>
> Hi guys. I noticed the issue that leads to inconsistent data that comes in
> HTTP response.
>
> In Apache Syncope L2 cache is enabled by default.
> syncope-core-persistence-jpa-2.0.8.jar!\domains.xml file has a property
> {code:java}
> <entry key="openjpa.DataCache" value="true"/>
> {code}
> If the transaction is opened, the entity, that is fetched via Entity Manager
> gets into L1 cache and L2 cache and becomes managed.
> If an exception occurs L1 cache is being destroyed because Entity Manager is
> bound to a current thread. Managed entity becomes detached. But L2 cache can
> have this detached entity.
> Here is an example of code where it can be reproduced.
> [https://github.com/apache/syncope/blob/443f5a38ea45f15c092c41abb202f897c795c5f2/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAUserDAO.java#L397]
>
>
> Here is the use-case how to reproduce the problem:
> 1. Create user in Syncope
> 2. Do a request password reset action and make sure that token that is used
> for pwd reset action is generated and stored into database.
> 3. Restart your application to be sure that L2 cache is empty.
> 4. Confirm password reset action for this user and make sure that requested
> password doesn't apply the password rules. In my case password is too short.
> The exception like "InvalidUser:InvalidPassword: Password too short" should
> be thrown.
> 5. Request the user by username. The user that comes in HTTP Response doesn't
> have "token" and "tokenExpireTime" attributes. But you may find "token" and
> "tokenExpireTime" value in SyncopeUser table for this user.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
