[
https://issues.apache.org/jira/browse/SYNCOPE-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435575#comment-16435575
]
ASF GitHub Bot commented on SYNCOPE-1301:
-----------------------------------------
Github user ilgrosso commented on a diff in the pull request:
https://github.com/apache/syncope/pull/70#discussion_r181086944
--- Diff:
core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAAccessTokenDAO.java
---
@@ -115,6 +115,16 @@ public AccessToken save(final AccessToken accessToken)
{
return entityManager().merge(accessToken);
}
+ @Override
+ @Transactional(rollbackFor = Throwable.class)
--- End diff --
Please remove this annotation, it is redundant..
> Token creation is not threadsafe
> --------------------------------
>
> Key: SYNCOPE-1301
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1301
> Project: Syncope
> Issue Type: Bug
> Components: core
> Affects Versions: 2.0.8
> Reporter: Isuranga Perera
> Priority: Major
> Fix For: 2.0.9, 2.1.0
>
>
> Token create method in AccessTokenDataBinderImpl[1] is not thread safe. This
> could result in several problems including
> * Exist 2 different access token for a particular user at a given time which
> may result in an exception thrown by method call[2] since it expects a single
> token a given user.
> In addition to that token replace is implemented as a combination of 2
> different functionalities. Since the method is not thread safe this may cause
> some unexpected behaviors (since there can be 2 tokens exist for a particular
> user. same scenario as above).
> [1]
> [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L104]
> [2]
> [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L113]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
