[jboss-jira] [JBoss JIRA] (WFLY-8431) Race conditions in JASPIC registration code

István Tóth (Jira) issues at jboss.org
Tue Dec 18 09:11:01 EST 2018 

    [ https://issues.jboss.org/browse/WFLY-8431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13675845#comment-13675845 ] 

István Tóth commented on WFLY-8431:
-----------------------------------

Actually, I had two PRs in this ticket.

the fix for the more critical JBossAuthConfigFactory synchronization bug (at least this the bug that directly hits my code) is still not merged.

https://github.com/jboss/jboss-jaspi-api_spec/pull/4

Would you like me to update the PR to the trunk version?


> Race conditions in JASPIC registration code
> -------------------------------------------
>
>                 Key: WFLY-8431
>                 URL: https://issues.jboss.org/browse/WFLY-8431
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.1.0.Final
>         Environment: Centos 7 x86_64, with the included Java 8 environment
>            Reporter: István Tóth
>            Assignee: Darran Lofthouse
>            Priority: Major
>         Attachments: GetFactoryTestCase.java
>
>
> javax.security.auth.message.config.AuthConfigFactory and 
> org.jboss.security.auth.message.config.JBossAuthConfigFactory 
> have race conditions.
> 1. javax.security.auth.message.config.AuthConfigFactory#getFactory() has a race condition. The checking and creation of the _factory object is not atomic.
> I think the best and simplest solution would be to simply make the getFactory() method synchronized. (The same method in the Glassfish implmentation is synchronized)
> 2. The keyTo*Map fields of the org.jboss.security.auth.message.config.JBossAuthConfigFactory are not thread safe. 
> Nearly all methods of this class manipulate these, without any synchronization.
> In this case I believe that changing those from HashMaps to ConcurrentHashMaps should be enough to avoid the worst of the races, while incurring a  negligible performance penalty. 
> The methods that modify the maps should also be made synchronized, or rewritten to use the  
> atomic ConcurrentHashMaps operations.
> A possible workaround is to add a synchronized(AuthConfigFactory.class) block around the JASPIC initialization code, where the JBossAuthConfigFactory methods are called. Of course this only works if every webapp on the server can be modified this way.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the jboss-jira mailing list