[jira] [Commented] (SYNCOPE-1301) Token creation is not threadsafe

Thu, 12 Apr 2018 08:51:36 -0700 

    [ 
https://issues.apache.org/jira/browse/SYNCOPE-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435813#comment-16435813
 ] 

ASF GitHub Bot commented on SYNCOPE-1301:
-----------------------------------------

Github user ilgrosso commented on the issue:

    https://github.com/apache/syncope/pull/70
  
    > That way replace won't work since it saves first (2 tokens exist.violate 
UNIQUE constraint) and deletes next. That way it will only delete the existing 
one which results in no token at all.
    
    You are right, but as you can see, in the [current 
implementation](https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L138-L142)
 save and delete do not happen under the same conditions.



> Token creation is not threadsafe
> --------------------------------
>
>                 Key: SYNCOPE-1301
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1301
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8
>            Reporter: Isuranga Perera
>            Priority: Major
>             Fix For: 2.0.9, 2.1.0
>
>
> Token create method in AccessTokenDataBinderImpl[1] is not thread safe. This 
> could result in several problems including
>  * Exist 2 different access token for a particular user at a given time which 
> may result in an exception thrown by method call[2] since it expects a single 
> token a given user.
> In addition to that token replace is implemented as a combination of 2 
> different functionalities. Since the method is not thread safe this may cause 
> some unexpected behaviors (since there can be 2 tokens exist for a particular 
> user. same scenario as above).
> [1] 
> [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L104]
> [2] 
> [https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java#L113]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to