[ https://issues.apache.org/jira/browse/CXF-7069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15515750#comment-15515750 ]

ASF GitHub Bot commented on CXF-7069:
-------------------------------------

GitHub user gonzalad opened a pull request:

    https://github.com/apache/cxf/pull/173

    [CXF-7069] Finish JPACodeDataProvider implementation

    This PR resolves the following issues:
     * shared em between all clients.
     * error when persisting BearerAccessToken (we annotated OidcUserSubject attributes with @Lob)
    
    JPACodeDataProvider has now : 
     * a resource-local entity manager version. 
       In this version, transactions are managed by JPACodeDataProvider.
     * a container-managed entity manager version (CMT). 
       In this version, transactions are managed by the container (i.e. Spring).
    
    Tests have been added to check both Hibernate and OpenJPA compliance.
    
    The bad news is that overall performance is not quite good.
    Here's the number of requests issued for basic OIDC / OAuth2 interactions:
    
    ```
    |                                      |  Hibernate CMT | OpenJPA CMT      |
    | Authorization code flow request      |     1          |      8           |
    |                                      | S=1            | S=8              |
    | Authentication                       |     1          |      8           |
    |                                      | S=1            | S=8              |
    | Grant                                |     9 (5 real) |     16           |
    |                                      | S=1,I=7,U=1    | S=8,I=7,U=1      |
    | Token Request                        |    15 (11 real)|     25           |
    |                                      | S=2,I=9,U=1,D=3| S=11,I=9,U=1,D=4 |
    | Token Introspection                  |    2           |     14           |
    |                                      | S=2            | S=14             |
    ```


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gonzalad/cxf CXF-7069

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cxf/pull/173.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #173
    
----
commit 27a95f050bfdbeb9d3e63af11fc2e8c4370ae549
Author: Kai Rommel <[email protected]>
Date:   2016-05-04T00:45:38Z

    [CXF-6646] CXF 3.x WSRM Replace RewindableInputStream with CachedOutputStream

commit 907fbb7b8b437ebfa902b2daeebf610aa5888bdd
Author: Kai Rommel <[email protected]>
Date:   2016-06-03T17:13:12Z

    [CXF-6863] WS-RM 3.x fix for retransmission works with attachments upon a network error

commit dbe659d16f536944afaee85d76715558761936c6
Author: Colm O hEigeartaigh <[email protected]>
Date:   2016-06-07T12:47:57Z

    Finishing keys refactor

commit c3bef354ca5cd17e3bc545e03f7c01ac64969867
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-07T16:42:07Z

    Prototyping the JAX-RS proxy async support

commit f7db188bb0da238dac2e7714285d5ae3463d6428
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-07T17:04:48Z

    Adding a test with multiple JAXRS proxy callbacks

commit 27917f3accef78556fa7ed8e79f1746052bfd4d9
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-07T20:52:39Z

    [CXF-6869] Adding rs-client dep to starter-jaxrs

commit 2f56d25eccef5e18222b9bd96083a98871e76af9
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-08T09:46:17Z

    [CXF-6936] Make log-category for ext logging feature configurable, patch from David Karlsen applied with thanks, This closes #142

commit 98d1eac7b215dbafe697ad9ba14604d22cfc3bed
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-08T10:19:43Z

    [CXF-6935] Better error message than NPE in Compiler.useJava6Compiler, patch from Gary Gregory applied with thanks

commit 577edfe1de17ebfef3df71a27380f2181958ec26
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-08T11:02:38Z

    [CXF-6918] Better error processing when creating XMLInputFactory, patch from Svetlin Zarev applied with thanks

commit a1e91a05d9addc0461e98921d07a4c01f4979a63
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-08T12:49:31Z

    [CXF-6869] Applying the last part of the patch from Vedran but with a property condition as agreed and also updating a scan demo

commit 163e1d2361643251b31b6fdf7def0b52542577dd
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-08T14:45:47Z

    Few updates to JAXRS client proxy async code

commit 214b741754b078e41d471889b7233a90aac017b5
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-08T15:40:26Z

    Updating jaxrs_spring_boot demo to use an interface

commit 553be8f2afd1c54158f1fa2eec20c8b8571f8aef
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-08T16:01:52Z

    Fixing jaxrs spring boot scan demo

commit 06fbd75b77597a6b413c72ab845578ba03bf3a21
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-09T09:43:40Z

    Updating JAXRS spring boot scan demo to use HelloService interface

commit 2ceb8351e2cd174297c5bf11c389280a33b39fc3
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-09T11:50:37Z

    Updating jaxrs spring boot demos to use the application context

commit 83846d088d78a03159b259fb9969052a33904faa
Author: Daniel Kulp <[email protected]>
Date:   2016-06-07T16:05:25Z

    Use a "keys" classifier for the jar containing the test keys.  Make sure that is built in package phase for -Pfastinstall to work.
    
    # Conflicts:
    #   systests/transport-undertow/pom.xml

commit 0572061edf5ab349dc61e77fbb8d360c7521d111
Author: Daniel Kulp <[email protected]>
Date:   2016-06-07T17:52:42Z

    Fix UDP tests on my mac

commit 2e7e04b546c73daf61cf5b841db3a104d4fec2eb
Author: Daniel Kulp <[email protected]>
Date:   2016-06-10T17:35:34Z

    Recording .gitmergeinfo Changes

commit b4e7dffbaeae4fdf1a20d70cef51e2e44e8960bc
Author: Colm O hEigeartaigh <[email protected]>
Date:   2016-06-13T11:27:55Z

    Enabling encryption serializers for outbound

commit cc0eb7f8e1ac8bb9e62f757bba7aca3d10ceb7da
Author: Colm O hEigeartaigh <[email protected]>
Date:   2016-06-17T09:23:07Z

    Make it possible to use short KeyTypes with the REST STS rather than the full WS-Trust URIs

commit 06a86cd527ea393602038a963f9a78103e96c161
Author: Daniel Kulp <[email protected]>
Date:   2016-06-17T16:44:03Z

    [CXF-6940] Update javadoc

commit 399249b7f872942b8ce23efc5fc91183ba8b9b0e
Author: Daniel Kulp <[email protected]>
Date:   2016-06-17T16:45:09Z

    Recording .gitmergeinfo Changes

commit 0ea13a8e17b88fd4cdf7273b55115c1e48908bfc
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-20T09:05:15Z

    [CXF-6945] Fixing a typo in WADL2JavaMojo, patch from Jurrie Overgoor applied

commit f44f6d7d1e869f6f814ffd940299cc77f1e23d07
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-20T11:38:44Z

    Updating JwsUtils to optionally set an X509 chain property on verification JWKs

commit 84efaebc82361805ea3938803445ede34e8c901e
Author: Colm O hEigeartaigh <[email protected]>
Date:   2016-06-20T15:46:08Z

    Recording .gitmergeinfo Changes

commit 9520839dd27899ba4be4dfd430330a2a7f276d96
Author: Colm O hEigeartaigh <[email protected]>
Date:   2016-06-20T17:17:25Z

    CXF-6947 - Make it possible to use custom LDAP filters when retrieving group information

commit edb2304a4e9213051c052017a397b829048a7485
Author: Colm O hEigeartaigh <[email protected]>
Date:   2016-06-20T17:31:58Z

    JDK7 fix

commit 8aa894e5d1ea82d795893f4786b00c4237b4d136
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-20T20:51:13Z

    [CXF-6948] Optionally blocking WebClient from reporting the URI-based operation name, removing the optional query params

commit f1d904238001070e3aae593ed86828f219630bc9
Author: Sergey Beryozkin <[email protected]>
Date:   2016-06-21T10:08:46Z

    [CXF-6938] Removing the redundant bus property

commit 55e98022cc19a87549546d176dec2b3e4da83128
Author: Colm O hEigeartaigh <[email protected]>
Date:   2016-06-21T10:17:46Z

    CXF-6949 - Add support to the ReceivedTokenCalbackHandler to return a transformed token

----


> Finish JPACodeDataProvider implementation
> -----------------------------------------
>
>                 Key: CXF-7069
>                 URL: https://issues.apache.org/jira/browse/CXF-7069
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.1.7
>            Reporter: gonzalad
>
> Current JPACodeDataProvider has the following issues:
> # Shared entityManager (1 for all clients)
>    This is because we're injecting an entityManager into JPACodeDataProvider, which is a singleton (from what I understand all dataProviders are to be used as singletons).
>    This has the following effects:
>     ** loading the whole database into the JPA lvl1 cache.
>     ** race conditions between threads (we're using bean managed transaction)
>   I'm using this kind of configuration:
> {code}
>   <bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService">
>          <property name="dataProvider" ref="oauthProvider"/>
>          <property name="subjectCreator" ref="subjectCreator"/>
>          <property name="skipAuthorizationWithOidcScope" value="true"/>
>          <property name="canSupportPublicClients" value="true"/>
>   </bean>
>   <bean id="oauthProvider"
>           class="org.apache.cxf.rs.security.oauth2.grants.code.JPACodeDataProvider"
>           init-method="init" destroy-method="close">
>         <property name="entityManager" ref="entityManager"/>
>         ...
>   </bean>
>   <bean id="entityManager"
>           factory-bean="entityManagerFactory"
>           factory-method="createEntityManager"/>
>   <bean id="entityManagerFactory"
>           class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
> {code}
> In our sample, we could resolve this issue by configuring a prototype scoped oauthProvider *and* an openEntityInView spring filter *and* setting each reference to oauthProvider as aop:scoped-proxy in spring. IMO, this appears to me to be too much magic.
> # Error when creating a BearerAccessToken during OIDC authorization code flow
>    This can be reproduced by running Fediz OIDCTest.testOIDCLoginForClient2()
> {code}
> Caused by: <openjpa-2.4.1-r422266:1730418 fatal store error> org.apache.openjpa.persistence.RollbackException: The transaction has been rolled back.  See the nested exceptions for details on the errors that occurred.
>     at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:595)
>     at org.apache.cxf.rs.security.oauth2.grants.code.JPACodeDataProvider.saveCodeGrant(JPACodeDataProvider.java:58)
>     at org.apache.cxf.rs.security.oauth2.grants.code.JPACodeDataProvider.createCodeGrant(JPACodeDataProvider.java:37)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
>     at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
>     at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
>     at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>     at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
>     at com.sun.proxy.$Proxy154.createCodeGrant(Unknown Source)
>     at org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService.getGrantRepresentation(AuthorizationCodeGrantService.java:139)
>     at org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService.createGrant(AuthorizationCodeGrantService.java:99)
>     at org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.startAuthorization(RedirectionBasedGrantService.java:213)
>     at org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService.startAuthorization(OidcAuthorizationCodeService.java:79)
>     at org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.startAuthorization(RedirectionBasedGrantService.java:136)
>     at org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.authorize(RedirectionBasedGrantService.java:94)
>     at org.apache.cxf.rs.security.oauth2.services.AuthorizationService.authorize(AuthorizationService.java:58)
>     at org.apache.cxf.rs.security.oauth2.services.AuthorizationService$$FastClassBySpringCGLIB$$411268cd.invoke(<generated>)
>     at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
>     at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:718)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
>     at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
>     at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
>     at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>     at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>     at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:653)
>     at org.apache.cxf.rs.security.oauth2.services.AuthorizationService$$EnhancerBySpringCGLIB$$68d08bc2.authorize(<generated>)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
>     at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
>     ... 35 more
> Caused by: <openjpa-2.4.1-r422266:1730418 fatal general error> org.apache.openjpa.persistence.PersistenceException: The transaction has been rolled back.  See the nested exceptions for details on the errors that occurred.
>     at org.apache.openjpa.kernel.BrokerImpl.newFlushException(BrokerImpl.java:2368)
>     at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2205)
>     at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:2103)
>     at org.apache.openjpa.kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:2021)
>     at org.apache.openjpa.kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
>     at org.apache.openjpa.kernel.BrokerImpl.commit(BrokerImpl.java:1526)
>     at org.apache.openjpa.kernel.DelegatingBroker.commit(DelegatingBroker.java:932)
>     at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:571)
>     ... 77 more
> Caused by: <openjpa-2.4.1-r422266:1730418 fatal general error> org.apache.openjpa.persistence.PersistenceException: data exception: string data, right truncation;  table: BEARERACCESSTOKEN_PARAMETERS column: VALUE {prepstmnt 549315712
> INSERT INTO BearerAccessToken_parameters (BEARERACCESSTOKEN_TOKENKEY, propName,
>         value)
>     VALUES (?, ?, ?)
> [params=(String) 289fdb944ad4f26bc83e970a8a8b8, (String) id_token, (String) eyJhbGciOiJSUzI1NiJ9.eyJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhbGljZSIsInN1YiI...]} [code=3401, state=22001]
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
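
The shared-entityManager problem described in the issue, and the resource-local variant mentioned in the pull request, sketched as an added example (not code from the pull request or from CXF). The class PerCallGrantStore and its methods are hypothetical, and the javax.persistence (JPA 2.x) API on the classpath is an assumption.

```java
import java.util.function.Function;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.EntityTransaction;

/** Hypothetical singleton store; class and method names are illustrative, not CXF's. */
public class PerCallGrantStore {
    // The factory is thread-safe and may be shared; an EntityManager is not.
    private final EntityManagerFactory emf;

    public PerCallGrantStore(EntityManagerFactory emf) {
        this.emf = emf;
    }

    /** Runs one unit of work in its own EntityManager and transaction. */
    protected <T> T execute(Function<EntityManager, T> work) {
        EntityManager em = emf.createEntityManager();
        EntityTransaction tx = em.getTransaction();
        try {
            tx.begin();
            T result = work.apply(em);
            tx.commit();
            return result;
        } catch (RuntimeException e) {
            if (tx.isActive()) {
                tx.rollback(); // do not leave a half-written grant or token
            }
            throw e;
        } finally {
            em.close(); // discards this call's first-level cache
        }
    }

    /** Persists any mapped entity (a code grant, an access token, ...). */
    public <G> G save(G entity) {
        return execute(em -> { em.persist(entity); return entity; });
    }

    /** Finds and deletes a one-time code in one transaction; null if absent. */
    public <G> G remove(Class<G> type, Object key) {
        return execute(em -> {
            G found = em.find(type, key);
            if (found != null) {
                em.remove(found);
            }
            return found;
        });
    }
}
```

Because each call opens and closes its own EntityManager, concurrent requests never share a persistence context, and the first-level cache cannot grow across requests.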
