[ https://issues.apache.org/jira/browse/SYNCOPE-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435756#comment-16435756 ]
ASF GitHub Bot commented on SYNCOPE-1301:
-----------------------------------------

Github user IsurangaPerera commented on the issue:

    https://github.com/apache/syncope/pull/70

    @ilgrosso As I understand, in the SAML SP logic it is always replaced. So even when we logged in as usual, the access token may be changed by the SAML SP. So I can understand the importance of what the replaceExisting flag does. After imposing the UNIQUE constraint as in my implementation, replaceExisting == true works as expected (always). But sometimes, even if the flag is false, the token may be replaced (scenario discussed in the mail thread). But this is only when the same user tries to log in at the same time and the thread-safety problem arises. Anyway, this approach is far better than using locks, which cause a performance drop, and this is a rare case as well. What do you think?

> Token creation is not threadsafe
> --------------------------------
>
> Key: SYNCOPE-1301
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1301
> Project: Syncope
> Issue Type: Bug
> Components: core
> Affects Versions: 2.0.8
> Reporter: Isuranga Perera
> Priority: Major
> Fix For: 2.0.9, 2.1.0
>
>
> The token create method in AccessTokenDataBinderImpl[1] is not thread safe. This
> could result in several problems, including:
> * Two different access tokens can exist for a particular user at a given time, which
> may result in an exception thrown by method call[2], since it expects a single
> token for a given user.
> In addition to that, token replace is implemented as a combination of 2
> different functionalities. Since the method is not thread safe, this may cause
> some unexpected behaviors (since 2 tokens can exist for a particular
> user; same scenario as above).
> [1]
> [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L104]
> [2]
> [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L113]

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
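
An added illustration of the race and of the UNIQUE-constraint approach discussed in this thread; it is not code from Syncope or from the pull request. The `access_token` table, its columns and all function names are assumptions, and returning the winner's token when `replace_existing` is false is just one possible way to handle the rejected insert.

```python
import sqlite3
import uuid

def open_db(unique_owner):
    """In-memory token table (assumed schema); unique_owner toggles the constraint."""
    db = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_owner else ""
    db.execute(f"CREATE TABLE access_token (id TEXT PRIMARY KEY, owner TEXT {constraint})")
    return db

def find(db, owner):
    """Return every token id currently stored for the owner."""
    return [r[0] for r in db.execute("SELECT id FROM access_token WHERE owner = ?", (owner,))]

def insert(db, owner, replace_existing=False):
    """Second half of check-then-insert: runs after the caller saw no token."""
    token = str(uuid.uuid4())
    try:
        db.execute("INSERT INTO access_token (id, owner) VALUES (?, ?)", (token, owner))
        return token
    except sqlite3.IntegrityError:
        # Another login won the race and the database rejected the duplicate.
        if replace_existing:
            db.execute("UPDATE access_token SET id = ? WHERE owner = ?", (token, owner))
            return token
        return find(db, owner)[0]  # keep the winner's token

def racing_logins(unique_owner, replace_existing=False):
    """Replay the bad interleaving: both logins check before either inserts."""
    db = open_db(unique_owner)
    seen_a = find(db, "alice")  # login A: no token yet
    seen_b = find(db, "alice")  # login B: no token yet either
    assert seen_a == [] and seen_b == []
    tok_a = insert(db, "alice", replace_existing)
    tok_b = insert(db, "alice", replace_existing)
    return tok_a, tok_b, find(db, "alice")

if __name__ == "__main__":
    print(len(racing_logins(unique_owner=False)[2]))  # duplicate tokens for one owner
    print(len(racing_logins(unique_owner=True)[2]))   # constraint keeps a single row
```

The interleaving is replayed sequentially on one connection so the outcome is deterministic; with real concurrent logins the same constraint violation surfaces on whichever transaction commits second.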