Hi Giovanni, Indeed this seems to be a valid bug on Ldap module, so please can you create an issue for this on?:
https://osgeo-org.atlassian.net/projects/GEOS/summary The fix code looks good, but community will need to create a test checking this issue, so a full and detailed LDAP testing setup triggering the exception would be nice to have. Regards, Fernando Mino == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Fernando Mino Software Engineer GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) Italy phone: +39 0584 962313 fax: +39 0584 1660272 http://www.geo-solutions.it http://twitter.com/geosolutions_it ------------------------------------------------------- Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia. This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail. From "Giovanni Spigoni" giovanni.spig...@comune.re.it To "geoserver-users@lists.sourceforge.net" geoserver-users@lists.sourceforge.net Cc Date Thu, 6 Feb 2020 12:50:20 +0100 (CET) Subject [Geoserver-users] hierarchical group search with LDAP generates a ConcurrentModificationException Hi all, some days ago I have posted on gis.stackexchange a question (https://gis.stackexchange.com/questions/349065/ldap-role-service-with-hierarchical-groups-search for details) about an error given by the LDAP hierarchical groups search in geoserver 2.16.1 with Tomcat 7 and openjdk 1.8.0_212. The error occurs both in LDAP Role Service and in LDAP User/Group Service only when the hierarchical group search is enabled. The error given by the geoserver is a HTTP 500 Internal Server Error and the following stack trace is displayed: java.util.ConcurrentModificationException java.util.TreeMap$PrivateEntryIterator.nextEntry(TreeMap.java:1211) java.util.TreeMap$KeyIterator.next(TreeMap.java:1265) org.geoserver.security.ldap.LDAPRoleService.getRolesForUser(LDAPRoleService.java:181) org.geoserver.security.impl.RoleCalculator.calculateRoles(RoleCalculator.java:109) org.geoserver.security.impl.RoleCalculator.calculateRoles(RoleCalculator.java:81) org.geoserver.security.filter.GeoServerPreAuthenticatedUserNameFilter.getRolesFromRoleService(GeoServerPreAuthenticatedUserNameFilter.java:188) org.geoserver.security.filter.GeoServerPreAuthenticatedUserNameFilter.getRoles(GeoServerPreAuthenticatedUserNameFilter.java:150) org.geoserver.security.filter.GeoServerPreAuthenticationFilter.doAuthenticate(GeoServerPreAuthenticationFilter.java:116) org.geoserver.security.filter.GeoServerPreAuthenticationFilter.doFilter(GeoServerPreAuthenticationFilter.java:56) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) By analysing the code of the LDAPRoleService class and the related error it came up it could be a bug in the code. Considering the following code of the LDAPRoleService class, I see that the object roles of type TreeSet is modified by the searchNestedParetRoles method while the getRolesForUsers method iterates on it. @Override public SortedSet<GeoServerRole> getRolesForUser(final String username) throws IOException { final SortedSet<GeoServerRole> roles = new TreeSet<GeoServerRole>(); ... ... if (useNestedGroups) { for (GeoServerRole erole : roles) { <-----------this line generates the error (line 181) searchNestedParentRoles(erole, roles, 1); } } return Collections.unmodifiableSortedSet(roles); } private void searchNestedParentRoles(GeoServerRole role, Set<GeoServerRole> roles, int depth) { if (isOutOfDepthBounds(depth)) return; for (GeoServerRole erole : getParentRolesbyMember(role)) { if (!roles.contains(erole)) { roles.add(erole); searchNestedParentRoles(erole, roles, depth + 1); } } } The Oracle's documentation about the TreeSet class states that "The iterators returned by this class's iterator method are fail-fast: if the set is modified at any time after the iterator is created, in any way except through the iterator's own remove method, the iterator will throw a ConcurrentModificationException". If I'm not totally wrong, our case is the one described by the documentation and indeed we get the ConcurrentModificationException. We could avoid the error by adding two line of code in the getRolesForUser method: @Override public SortedSet<GeoServerRole> getRolesForUser(final String username) throws IOException { final SortedSet<GeoServerRole> roles = new TreeSet<GeoServerRole>(); final SortedSet<GeoServerRole> parentRoles = new TreeSet<GeoServerRole>(); // new set containing only nested parent roles ... ... if (useNestedGroups) { for (GeoServerRole erole : roles) { searchNestedParentRoles(erole, parentRoles, 1); // parentRoles instead of roles passed to searchNestedParentRoles } roles.addAll(parentRoles); // merge of the roles } return Collections.unmodifiableSortedSet(roles); } Regards __________________________________________ Giovanni Spigoni Gestione e Sviluppo delle Tecnologie e dei Sistemi Informativi Comune di Reggio nell'Emilia Piazza Scapinelli, 2 - 42121 Reggio nell'Emilia tel: 0522 585185 email: giovanni.spig...@comune.re.it __________________________________________
_______________________________________________ Geoserver-users mailing list Please make sure you read the following two resources before posting to this list: - Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/ - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users