This is an automated email from the ASF dual-hosted git repository. wirebaron pushed a commit to branch develop in repository https://gitbox.apache.org/repos/asf/geode.git
The following commit(s) were added to refs/heads/develop by this push: new 80ad2d7 GEODE-4270: remove race condition where CacheClientProxy could be asked to (#1378) 80ad2d7 is described below commit 80ad2d70435fb255a8a2d08c8866fbb30a7bedd3 Author: Brian Rowe <br...@pivotal.io> AuthorDate: Fri Feb 2 11:50:21 2018 -0800 GEODE-4270: remove race condition where CacheClientProxy could be asked to (#1378) authorize a message prior to receiving its security subject. --- .../cache/tier/sockets/CacheClientNotifier.java | 36 +++++++++++++--------- .../cache/tier/sockets/CacheClientProxy.java | 5 +-- 2 files changed, 25 insertions(+), 16 deletions(-) diff --git a/geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientNotifier.java b/geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientNotifier.java index 81bad21..7d67b37 100755 --- a/geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientNotifier.java +++ b/geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientNotifier.java @@ -14,7 +14,8 @@ */ package org.apache.geode.internal.cache.tier.sockets; -import static org.apache.geode.distributed.ConfigurationProperties.*; +import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_CLIENT_ACCESSOR_PP; +import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_CLIENT_AUTHENTICATOR; import java.io.BufferedOutputStream; import java.io.DataInputStream; @@ -327,20 +328,25 @@ public class CacheClientNotifier { new IllegalArgumentException("Invalid conflation byte"), clientVersion); return; } - - proxy = registerClient(socket, proxyID, proxy, isPrimary, clientConflation, clientVersion, - acceptorId, notifyBySubscription); - + Object subject = null; Properties credentials = HandShake.readCredentials(dis, dos, system, this.cache.getSecurityService()); - if (credentials != null && proxy != null) { + if (credentials != null) { if (securityLogWriter.fineEnabled()) { securityLogWriter .fine("CacheClientNotifier: verifying credentials for proxyID: " + proxyID); } - Object subject = + subject = HandShake.verifyCredentials(authenticator, credentials, system.getSecurityProperties(), this.logWriter, this.securityLogWriter, member, this.cache.getSecurityService()); + } + + Subject shiroSubject = + subject != null && subject instanceof Subject ? (Subject) subject : null; + proxy = registerClient(socket, proxyID, proxy, isPrimary, clientConflation, clientVersion, + acceptorId, notifyBySubscription, shiroSubject); + + if (proxy != null && subject != null) { if (subject instanceof Principal) { Principal principal = (Principal) subject; if (securityLogWriter.fineEnabled()) { @@ -361,8 +367,6 @@ public class CacheClientNotifier { authzCallback.init(principal, member, this.getCache()); } proxy.setPostAuthzCallback(authzCallback); - } else if (subject instanceof Subject) { - proxy.setSubject((Subject) subject); } } } catch (ClassNotFoundException e) { @@ -413,7 +417,8 @@ public class CacheClientNotifier { */ private CacheClientProxy registerClient(Socket socket, ClientProxyMembershipID proxyId, CacheClientProxy proxy, boolean isPrimary, byte clientConflation, Version clientVersion, - long acceptorId, boolean notifyBySubscription) throws IOException, CacheException { + long acceptorId, boolean notifyBySubscription, Subject subject) + throws IOException, CacheException { CacheClientProxy l_proxy = proxy; // Initialize the socket @@ -456,10 +461,12 @@ public class CacheClientNotifier { "CacheClientNotifier: No proxy exists for durable client with id {}. It must be created.", proxyId.getDurableId()); } - l_proxy = new CacheClientProxy(this, socket, proxyId, isPrimary, clientConflation, - clientVersion, acceptorId, notifyBySubscription, this.cache.getSecurityService()); + l_proxy = + new CacheClientProxy(this, socket, proxyId, isPrimary, clientConflation, clientVersion, + acceptorId, notifyBySubscription, this.cache.getSecurityService(), subject); successful = this.initializeProxy(l_proxy); } else { + l_proxy.setSubject(subject); if (proxy.isPrimary()) { epType = (byte) 2; } else { @@ -534,8 +541,9 @@ public class CacheClientNotifier { if (toCreateNewProxy) { // Create the new proxy for this non-durable client - l_proxy = new CacheClientProxy(this, socket, proxyId, isPrimary, clientConflation, - clientVersion, acceptorId, notifyBySubscription, this.cache.getSecurityService()); + l_proxy = + new CacheClientProxy(this, socket, proxyId, isPrimary, clientConflation, clientVersion, + acceptorId, notifyBySubscription, this.cache.getSecurityService(), subject); successful = this.initializeProxy(l_proxy); } } diff --git a/geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java b/geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java index f915b0d..d584825 100644 --- a/geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java +++ b/geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java @@ -337,7 +337,7 @@ public class CacheClientProxy implements ClientSession { protected CacheClientProxy(CacheClientNotifier ccn, Socket socket, ClientProxyMembershipID proxyID, boolean isPrimary, byte clientConflation, Version clientVersion, long acceptorId, boolean notifyBySubscription, - SecurityService securityService) throws CacheException { + SecurityService securityService, Subject subject) throws CacheException { initializeTransientFields(socket, proxyID, isPrimary, clientConflation, clientVersion); this._cacheClientNotifier = ccn; @@ -351,6 +351,7 @@ public class CacheClientProxy implements ClientSession { this._statistics = new CacheClientProxyStats(factory, "id_" + this.proxyID.getDistributedMember().getId() + "_at_" + this._remoteHostAddress + ":" + this._socket.getPort()); + this.subject = subject; // Create the interest list this.cils[RegisterInterestTracker.interestListIndex] = @@ -392,7 +393,7 @@ public class CacheClientProxy implements ClientSession { // TODO:hitesh synchronization synchronized (this.clientUserAuthsLock) { if (this.subject != null) { - subject.logout(); + this.subject.logout(); } this.subject = subject; } -- To stop receiving notification emails like this one, please contact wireba...@apache.org.