March 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-8431) Race conditions in JASPIC registration code

by István Tóth (JIRA)

[ https://issues.jboss.org/browse/WFLY-8431?page=com.atlassian.jira.plugin.... ] István Tóth edited comment on WFLY-8431 at 3/23/17 10:41 AM: ------------------------------------------------------------- Further analysis: In the above example the following code snippet registers the AuthConfiProvider: logger.info("about to register JASPI SAM."); AuthConfigFactory acf = AuthConfigFactory.getFactory(); logger.info("AuthConfigFactory acf:" + acf); String providerId = acf.registerConfigProvider(new NFAuthConfigProvider(), "HttpServlet", getAppContextID(context), "Netfone CRM authentication config provider"); logger.info("registered JASPI SAM: \"" + providerId +"\""); return providerId; It is used and called from a @Weblistener contextInitialized() on six deployments. The relevant log looks like this: ----------------------------------------------------------------------------------------------------- 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) about to register JASPI SAM. 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) about to register JASPI SAM. 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 70750ec0 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7bb46782 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 73a9841c 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 65438534 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " ------------------------------------------------------------------------------------------------------------ The takeaway is this: The contextInitialized() calls are called at the same time by WF. The AuthConfigFactory.getFactory() method returns different instances for the different threads because of the first race condition. The log output from wildfly startup, when the above code snippet is enclosed in a synchronized(AuthConfigFactory.class) block {} : --------------------------------------------------------------------------------------------------------------- 2017-03-23 15:15:22,044 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) about to register JASPI SAM. 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,047 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 77) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,051 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 104) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,055 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 58) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,058 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 66) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,062 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 68) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,062 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 66) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 58) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 103) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,067 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 77) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " ----------------------------------------------------------------------------------------------------------------- This time the same AuthConfigFactory object is returned to all callers, and JASPIC authentication works. was (Author: stoty2): Further analysis: In the above example the following code snippet registers the AuthConfiProvider: logger.info("about to register JASPI SAM."); AuthConfigFactory acf = AuthConfigFactory.getFactory(); logger.info("AuthConfigFactory acf:" + acf); String providerId = acf.registerConfigProvider(new NFAuthConfigProvider(), "HttpServlet", getAppContextID(context), "Netfone CRM authentication config provider"); logger.info("registered JASPI SAM: \"" + providerId +"\""); return providerId; It is used and called from a @Weblistener contextInitialized() on six deployments. The relevant log looks like this: 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) about to register JASPI SAM. 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) about to register JASPI SAM. 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 70750ec0 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7bb46782 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 73a9841c 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 65438534 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " The takeaway is this: The contextInitialized() calls are called at the same time by WF. The AuthConfigFactory.getFactory() method returns different instances for the different threads because of the first race condition. The log output from wildfly startup, when the above code snippet is enclosed in a synchronized(AuthConfigFactory.class) block {} : 2017-03-23 15:15:22,044 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) about to register JASPI SAM. 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,047 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 77) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,051 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 104) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,055 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 58) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,058 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 66) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,062 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 68) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,062 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 66) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 58) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 103) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,067 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 77) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " This time the same AuthConfigFactory object is returned to all callers, and JASPIC authentication works. > Race conditions in JASPIC registration code > ------------------------------------------- > > Key: WFLY-8431 > URL: https://issues.jboss.org/browse/WFLY-8431 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 10.1.0.Final > Environment: Centos 7 x86_64, with the included Java 8 environment > Reporter: István Tóth > Assignee: Darran Lofthouse > > javax.security.auth.message.config.AuthConfigFactory and > org.jboss.security.auth.message.config.JBossAuthConfigFactory > have race conditions. > 1. javax.security.auth.message.config.AuthConfigFactory#getFactory() has a race condition. The checking and creation of the _factory object is not atomic. > I think the best and simplest solution would be to simply make the getFactory() method synchronized. (The same method in the Glassfish implmentation is synchronized) > 2. The keyTo*Map fields of the org.jboss.security.auth.message.config.JBossAuthConfigFactory are not thread safe. > Nearly all methods of this class manipulate these, without any synchronization. > In this case I believe that changing those from HashMaps to ConcurrentHashMaps should be enough to avoid the worst of the races, while incurring a negligible performance penalty. > The methods that modify the maps should also be made synchronized, or rewritten to use the > atomic ConcurrentHashMaps operations. > A possible workaround is to add a synchronized(AuthConfigFactory.class) block around the JASPIC initialization code, where the JBossAuthConfigFactory methods are called. Of course this only works if every webapp on the server can be modified this way. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (WFLY-8431) Race conditions in JASPIC registration code

by István Tóth (JIRA)

[ https://issues.jboss.org/browse/WFLY-8431?page=com.atlassian.jira.plugin.... ] István Tóth edited comment on WFLY-8431 at 3/23/17 10:40 AM: ------------------------------------------------------------- Further analysis: In the above example the following code snippet registers the AuthConfiProvider: logger.info("about to register JASPI SAM."); AuthConfigFactory acf = AuthConfigFactory.getFactory(); logger.info("AuthConfigFactory acf:" + acf); String providerId = acf.registerConfigProvider(new NFAuthConfigProvider(), "HttpServlet", getAppContextID(context), "Netfone CRM authentication config provider"); logger.info("registered JASPI SAM: \"" + providerId +"\""); return providerId; It is used and called from a @Weblistener contextInitialized() on six deployments. The relevant log looks like this: 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) about to register JASPI SAM. 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) about to register JASPI SAM. 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 70750ec0 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7bb46782 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 73a9841c 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 65438534 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " The takeaway is this: The contextInitialized() calls are called at the same time by WF. The AuthConfigFactory.getFactory() method returns different instances for the different threads because of the first race condition. The log output from wildfly startup, when the above code snippet is enclosed in a synchronized(AuthConfigFactory.class) block {} : 2017-03-23 15:15:22,044 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) about to register JASPI SAM. 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,047 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 77) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,051 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 104) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,055 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 58) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,058 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 66) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,062 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 68) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,062 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 66) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 58) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 103) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,067 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 77) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " This time the same AuthConfigFactory object is returned to all callers, and JASPIC authentication works. was (Author: stoty2): Further analysis: In the above example the following code snippet registers the AuthConfiProvider: {{logger.info("about to register JASPI SAM."); AuthConfigFactory acf = AuthConfigFactory.getFactory(); logger.info("AuthConfigFactory acf:" + acf); String providerId = acf.registerConfigProvider(new NFAuthConfigProvider(), "HttpServlet", getAppContextID(context), "Netfone CRM authentication config provider"); logger.info("registered JASPI SAM: \"" + providerId +"\""); return providerId;}} It is used and called from a @Weblistener contextInitialized() on six deployments. The relevant log looks like this: {{2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) about to register JASPI SAM. 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) about to register JASPI SAM. 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 70750ec0 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7bb46782 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 73a9841c 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 65438534 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu "}} The takeaway is this: The contextInitialized() calls are called at the same time by WF. The AuthConfigFactory.getFactory() method returns different instances for the different threads because of the first race condition. The log output from wildfly startup, when the above code snippet is enclosed in a synchronized(AuthConfigFactory.class) block {} : {{2017-03-23 15:15:22,044 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) about to register JASPI SAM. 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,047 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 77) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,051 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 104) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,055 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 58) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,058 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 66) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,062 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 68) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,062 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 66) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 58) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 103) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,067 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 77) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu "}} This time the same AuthConfigFactory object is returned to all callers, and JASPIC authentication works. > Race conditions in JASPIC registration code > ------------------------------------------- > > Key: WFLY-8431 > URL: https://issues.jboss.org/browse/WFLY-8431 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 10.1.0.Final > Environment: Centos 7 x86_64, with the included Java 8 environment > Reporter: István Tóth > Assignee: Darran Lofthouse > > javax.security.auth.message.config.AuthConfigFactory and > org.jboss.security.auth.message.config.JBossAuthConfigFactory > have race conditions. > 1. javax.security.auth.message.config.AuthConfigFactory#getFactory() has a race condition. The checking and creation of the _factory object is not atomic. > I think the best and simplest solution would be to simply make the getFactory() method synchronized. (The same method in the Glassfish implmentation is synchronized) > 2. The keyTo*Map fields of the org.jboss.security.auth.message.config.JBossAuthConfigFactory are not thread safe. > Nearly all methods of this class manipulate these, without any synchronization. > In this case I believe that changing those from HashMaps to ConcurrentHashMaps should be enough to avoid the worst of the races, while incurring a negligible performance penalty. > The methods that modify the maps should also be made synchronized, or rewritten to use the > atomic ConcurrentHashMaps operations. > A possible workaround is to add a synchronized(AuthConfigFactory.class) block around the JASPIC initialization code, where the JBossAuthConfigFactory methods are called. Of course this only works if every webapp on the server can be modified this way. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (WFLY-8431) Race conditions in JASPIC registration code

by István Tóth (JIRA)

[ https://issues.jboss.org/browse/WFLY-8431?page=com.atlassian.jira.plugin.... ] István Tóth edited comment on WFLY-8431 at 3/23/17 10:39 AM: ------------------------------------------------------------- Further analysis: In the above example the following code snippet registers the AuthConfiProvider: {{logger.info("about to register JASPI SAM."); AuthConfigFactory acf = AuthConfigFactory.getFactory(); logger.info("AuthConfigFactory acf:" + acf); String providerId = acf.registerConfigProvider(new NFAuthConfigProvider(), "HttpServlet", getAppContextID(context), "Netfone CRM authentication config provider"); logger.info("registered JASPI SAM: \"" + providerId +"\""); return providerId;}} It is used and called from a @Weblistener contextInitialized() on six deployments. The relevant log looks like this: {{2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) about to register JASPI SAM. 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) about to register JASPI SAM. 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 70750ec0 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7bb46782 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 73a9841c 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 65438534 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu "}} The takeaway is this: The contextInitialized() calls are called at the same time by WF. The AuthConfigFactory.getFactory() method returns different instances for the different threads because of the first race condition. The log output from wildfly startup, when the above code snippet is enclosed in a synchronized(AuthConfigFactory.class) block {} : {{2017-03-23 15:15:22,044 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) about to register JASPI SAM. 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,047 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 77) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,051 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 104) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,055 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 58) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,058 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 66) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,062 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 68) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,062 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 66) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 58) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 103) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,067 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 77) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu "}} This time the same AuthConfigFactory object is returned to all callers, and JASPIC authentication works. was (Author: stoty2): Further analysis: In the above example the following code snippet registers the AuthConfiProvider: {{ logger.info("about to register JASPI SAM."); AuthConfigFactory acf = AuthConfigFactory.getFactory(); logger.info("AuthConfigFactory acf:" + acf); String providerId = acf.registerConfigProvider(new NFAuthConfigProvider(), "HttpServlet", getAppContextID(context), "Netfone CRM authentication config provider"); logger.info("registered JASPI SAM: \"" + providerId +"\""); return providerId; }} It is used and called from a @Weblistener contextInitialized() on six deployments. The relevant log looks like this: {{ 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) about to register JASPI SAM. 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) about to register JASPI SAM. 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 70750ec0 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7bb46782 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 73a9841c 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 65438534 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " }} The takeaway is this: The contextInitialized() calls are called at the same time by WF. The AuthConfigFactory.getFactory() method returns different instances for the different threads because of the first race condition. The log output from wildfly startup, when the above code snippet is enclosed in a synchronized(AuthConfigFactory.class) block {} : {{ 2017-03-23 15:15:22,044 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) about to register JASPI SAM. 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,047 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 77) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,051 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 104) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,055 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 58) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,058 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 66) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,062 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 68) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,062 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 66) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 58) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 103) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,067 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 77) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " }} This time the same AuthConfigFactory object is returned to all callers, and JASPIC authentication works. > Race conditions in JASPIC registration code > ------------------------------------------- > > Key: WFLY-8431 > URL: https://issues.jboss.org/browse/WFLY-8431 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 10.1.0.Final > Environment: Centos 7 x86_64, with the included Java 8 environment > Reporter: István Tóth > Assignee: Darran Lofthouse > > javax.security.auth.message.config.AuthConfigFactory and > org.jboss.security.auth.message.config.JBossAuthConfigFactory > have race conditions. > 1. javax.security.auth.message.config.AuthConfigFactory#getFactory() has a race condition. The checking and creation of the _factory object is not atomic. > I think the best and simplest solution would be to simply make the getFactory() method synchronized. (The same method in the Glassfish implmentation is synchronized) > 2. The keyTo*Map fields of the org.jboss.security.auth.message.config.JBossAuthConfigFactory are not thread safe. > Nearly all methods of this class manipulate these, without any synchronization. > In this case I believe that changing those from HashMaps to ConcurrentHashMaps should be enough to avoid the worst of the races, while incurring a negligible performance penalty. > The methods that modify the maps should also be made synchronized, or rewritten to use the > atomic ConcurrentHashMaps operations. > A possible workaround is to add a synchronized(AuthConfigFactory.class) block around the JASPIC initialization code, where the JBossAuthConfigFactory methods are called. Of course this only works if every webapp on the server can be modified this way. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (WFLY-8431) Race conditions in JASPIC registration code

by István Tóth (JIRA)

[ https://issues.jboss.org/browse/WFLY-8431?page=com.atlassian.jira.plugin.... ] István Tóth commented on WFLY-8431: ----------------------------------- Further analysis: In the above example the following code snippet registers the AuthConfiProvider: {{ logger.info("about to register JASPI SAM."); AuthConfigFactory acf = AuthConfigFactory.getFactory(); logger.info("AuthConfigFactory acf:" + acf); String providerId = acf.registerConfigProvider(new NFAuthConfigProvider(), "HttpServlet", getAppContextID(context), "Netfone CRM authentication config provider"); logger.info("registered JASPI SAM: \"" + providerId +"\""); return providerId; }} It is used and called from a @Weblistener contextInitialized() on six deployments. The relevant log looks like this: {{ 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) about to register JASPI SAM. 2017-03-23 15:16:53,467 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:16:53,468 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) about to register JASPI SAM. 2017-03-23 15:16:53,469 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) about to register JASPI SAM. 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 70750ec0 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7178b09 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 7bb46782 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 73a9841c 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 70) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,470 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 61) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 75) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@ 65438534 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 69) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:16:53,471 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 72) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " }} The takeaway is this: The contextInitialized() calls are called at the same time by WF. The AuthConfigFactory.getFactory() method returns different instances for the different threads because of the first race condition. The log output from wildfly startup, when the above code snippet is enclosed in a synchronized(AuthConfigFactory.class) block {} : {{ 2017-03-23 15:15:22,044 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) about to register JASPI SAM. 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,047 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 104) registered JASPI SAM: "HttpServletnftccrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,047 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 77) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,051 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 104) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,055 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 58) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,058 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 66) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) about to register JASPI SAM. 2017-03-23 15:15:22,061 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,062 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 68) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,062 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 58) registered JASPI SAM: "HttpServletnfcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 66) registered JASPI SAM: "HttpServletnfugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) about to register JASPI SAM. 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,063 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 77) registered JASPI SAM: "HttpServletmhugyfelkaputeszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 66) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 58) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,066 INFO [se.jiderhamn.classloader.leak.prevention.ClassLoaderLeakPreventor] (ServerService Thread Pool -- 103) Initializing by loading some known offenders with leak safe classloader 2017-03-23 15:15:22,067 INFO [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 77) Initializing Mojarra 2.2.13.SP1 20160303-1204 for context '' 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) about to register JASPI SAM. 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) AuthConfigFactory acf:org.jboss.security.auth.message.config.JBossAuthConfigFactory@7a0df6e8 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 103) registered JASPI SAM: "HttpServletmhcrmteszt.sekhmet.netfone.hu " 2017-03-23 15:15:22,070 INFO [hu.netfone.security.jaspi.JaspicUtils] (ServerService Thread Pool -- 68) registered JASPI SAM: "HttpServletnftcugyfelkaputeszt.sekhmet.netfone.hu " }} This time the same AuthConfigFactory object is returned to all callers, and JASPIC authentication works. > Race conditions in JASPIC registration code > ------------------------------------------- > > Key: WFLY-8431 > URL: https://issues.jboss.org/browse/WFLY-8431 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 10.1.0.Final > Environment: Centos 7 x86_64, with the included Java 8 environment > Reporter: István Tóth > Assignee: Darran Lofthouse > > javax.security.auth.message.config.AuthConfigFactory and > org.jboss.security.auth.message.config.JBossAuthConfigFactory > have race conditions. > 1. javax.security.auth.message.config.AuthConfigFactory#getFactory() has a race condition. The checking and creation of the _factory object is not atomic. > I think the best and simplest solution would be to simply make the getFactory() method synchronized. (The same method in the Glassfish implmentation is synchronized) > 2. The keyTo*Map fields of the org.jboss.security.auth.message.config.JBossAuthConfigFactory are not thread safe. > Nearly all methods of this class manipulate these, without any synchronization. > In this case I believe that changing those from HashMaps to ConcurrentHashMaps should be enough to avoid the worst of the races, while incurring a negligible performance penalty. > The methods that modify the maps should also be made synchronized, or rewritten to use the > atomic ConcurrentHashMaps operations. > A possible workaround is to add a synchronized(AuthConfigFactory.class) block around the JASPIC initialization code, where the JBossAuthConfigFactory methods are called. Of course this only works if every webapp on the server can be modified this way. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (HAWKULARQE-79) Test Classic search/Advanced search on middleware pages

by Sunil kondkar (JIRA)

Sunil kondkar created HAWKULARQE-79: --------------------------------------- Summary: Test Classic search/Advanced search on middleware pages Key: HAWKULARQE-79 URL: https://issues.jboss.org/browse/HAWKULARQE-79 Project: Hawkular QE Issue Type: Task Reporter: Sunil kondkar Assignee: Michael Foley Task to test classic/advanced search options on middleware pages except on topology page. Reference Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1403213 Tasks: * Review existing search test cases * Add any missing test cases * Execute test cases on CFME 5.8.0.7 * Report any bugs -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (HAWKULARQE-79) Test Classic search/Advanced search on middleware pages

by Sunil kondkar (JIRA)

[ https://issues.jboss.org/browse/HAWKULARQE-79?page=com.atlassian.jira.plu... ] Sunil kondkar reassigned HAWKULARQE-79: --------------------------------------- Assignee: Sunil kondkar (was: Michael Foley) > Test Classic search/Advanced search on middleware pages > ------------------------------------------------------- > > Key: HAWKULARQE-79 > URL: https://issues.jboss.org/browse/HAWKULARQE-79 > Project: Hawkular QE > Issue Type: Task > Reporter: Sunil kondkar > Assignee: Sunil kondkar > > Task to test classic/advanced search options on middleware pages except on topology page. > Reference Bug: > https://bugzilla.redhat.com/show_bug.cgi?id=1403213 > Tasks: > * Review existing search test cases > * Add any missing test cases > * Execute test cases on CFME 5.8.0.7 > * Report any bugs -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (WFLY-8432) Support socket-binding attribute "client-mapping" in messaging subsystem

by Jeff Mesnil (JIRA)

[ https://issues.jboss.org/browse/WFLY-8432?page=com.atlassian.jira.plugin.... ] Jeff Mesnil edited comment on WFLY-8432 at 3/23/17 10:30 AM: ------------------------------------------------------------- This causes issue when WildFly is behind a load balancer as the JMS client would use the host of the http-socket binding (localhost) instead going through the loadbalancer. If the config is: {code} <socket-binding name="http" port="${jboss.http.port:8080}"> <client-mapping destination-address="192.168.122.199" destination-port="8000"/> </socket-binding> {code} The http-connector transport configuration should use 192.168.122.199 and 8000 as host and port (instead of localhost and 8080). was (Author: jmesnil): This causes issue when WildFly is behind a load balancer as the JMS client would use the host of the http-socket binding (localhost) instead going through the loadbalancer. If the config is: {code} <socket-binding name="http" port="${jboss.http.port:8080}"> <client-mapping destination-address="192.168.122.199" destination-port="8000"/> </socket-binding> {code} The http-connector transport configuration should use 192.168.122.199 and 8000 as host and port (instead of localhost and 8080). > Support socket-binding attribute "client-mapping" in messaging subsystem > ------------------------------------------------------------------------ > > Key: WFLY-8432 > URL: https://issues.jboss.org/browse/WFLY-8432 > Project: WildFly > Issue Type: Bug > Components: JMS > Affects Versions: 10.1.0.Final > Reporter: Jörg Bäsner > Assignee: Jeff Mesnil > > The messaging subsystem doesn't take into account the "client-mapping" attribute of the <socket-binding> when creating a <http-connector>. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (HAWKULARQE-70) Refactor existing CF-UI shell scripts for starting/stopping CFME on docker server

by Sunil kondkar (JIRA)

[ https://issues.jboss.org/browse/HAWKULARQE-70?page=com.atlassian.jira.plu... ] Sunil kondkar commented on HAWKULARQE-70: ----------------------------------------- Closing ticket as PR is merged > Refactor existing CF-UI shell scripts for starting/stopping CFME on docker server > --------------------------------------------------------------------------------- > > Key: HAWKULARQE-70 > URL: https://issues.jboss.org/browse/HAWKULARQE-70 > Project: Hawkular QE > Issue Type: Task > Reporter: Sunil kondkar > Assignee: Sunil kondkar > > Need of the task: > To make sure the CFME docker instance that we use on Jenkins nightly run has CFME containers always running, we use docker scripts. > These are existing shell scripts which are using old methods to create cfme docker container and then start the cfme instance which are irrelevant now: > These are located at: > https://github.com/Hawkular-QE/cf-ui/tree/master/scripts/automation/docker > This task is to: > 1) Modify the scripts (common.sh, start.sh) to: > -Stop the CFME instance > -Start the CFME instance > -Check if the URL is ready using curl > -Check the logs if CFME is started > 2) Git clone the modified scripts to CFME server > 3) Execute the scripts on CFME server > ( Use 'execute shell script' on Jenkins nightly job to ssh/git clone and execute script on CFME server) -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (WFLY-8432) Support socket-binding attribute "client-mapping" in messaging subsystem

by Jeff Mesnil (JIRA)

[ https://issues.jboss.org/browse/WFLY-8432?page=com.atlassian.jira.plugin.... ] Jeff Mesnil commented on WFLY-8432: ----------------------------------- This causes issue when WildFly is behind a load balancer as the JMS client would use the host of the http-socket binding (localhost) instead going through the loadbalancer. If the config is: {code} <socket-binding name="http" port="${jboss.http.port:8080}"> <client-mapping destination-address="192.168.122.199" destination-port="8000"/> </socket-binding> {code} The http-connector transport configuration should use 192.168.122.199 and 8000 as host and port (instead of localhost and 8080). > Support socket-binding attribute "client-mapping" in messaging subsystem > ------------------------------------------------------------------------ > > Key: WFLY-8432 > URL: https://issues.jboss.org/browse/WFLY-8432 > Project: WildFly > Issue Type: Bug > Components: JMS > Affects Versions: 10.1.0.Final > Reporter: Jörg Bäsner > Assignee: Jeff Mesnil > > The messaging subsystem doesn't take into account the "client-mapping" attribute of the <socket-binding> when creating a <http-connector>. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

[JBoss JIRA] (HAWKULARQE-70) Refactor existing CF-UI shell scripts for starting/stopping CFME on docker server

by Sunil kondkar (JIRA)

[ https://issues.jboss.org/browse/HAWKULARQE-70?page=com.atlassian.jira.plu... ] Sunil kondkar resolved HAWKULARQE-70. ------------------------------------- Resolution: Done > Refactor existing CF-UI shell scripts for starting/stopping CFME on docker server > --------------------------------------------------------------------------------- > > Key: HAWKULARQE-70 > URL: https://issues.jboss.org/browse/HAWKULARQE-70 > Project: Hawkular QE > Issue Type: Task > Reporter: Sunil kondkar > Assignee: Sunil kondkar > > Need of the task: > To make sure the CFME docker instance that we use on Jenkins nightly run has CFME containers always running, we use docker scripts. > These are existing shell scripts which are using old methods to create cfme docker container and then start the cfme instance which are irrelevant now: > These are located at: > https://github.com/Hawkular-QE/cf-ui/tree/master/scripts/automation/docker > This task is to: > 1) Modify the scripts (common.sh, start.sh) to: > -Stop the CFME instance > -Start the CFME instance > -Check if the URL is ready using curl > -Check the logs if CFME is started > 2) Git clone the modified scripts to CFME server > 3) Execute the scripts on CFME server > ( Use 'execute shell script' on Jenkins nightly job to ssh/git clone and execute script on CFME server) -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 1 month

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira March 2017