Bug 45453 - JDBCRealm.getRoles bad synchronization causes hangs w/ DIGEST authentication
Summary: JDBCRealm.getRoles bad synchronization causes hangs w/ DIGEST authentication
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.5.26
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2008-07-22 02:25 UTC by Santtu Hyrkkö
Modified: 2008-08-14 02:37 UTC



Attachments
proposed patch for tomcat-6.0.16 (1.12 KB, patch)
2008-07-23 00:54 UTC, Santtu Hyrkkö
proposed patch for tomcat-5.5.26 (1.21 KB, patch)
2008-07-23 00:54 UTC, Santtu Hyrkkö

Description Santtu Hyrkkö 2008-07-22 02:25:02 UTC
JDBCRealm.getRoles bad synchronization causes hangs w/ DIGEST authentication

JDBCRealm caches PreparedStatement preparedRoles. That, and missing synchronization in JDBCRealm and/or DigestAuthenticator allow two threads to call getRoles simultaneously so that T1 will do stmt.executeQuery() while T2 does stmt.setString(1, userName) plus another .executeQuery() on the same PreparedStatement object.

In the worst case, the JDBC driver gets confused by this, and blocks forever waiting for a server response, causing all other threads that try to access the DB to hang. (This was observed with the PostgreSQL 8.3-603-jdbc4 JDBC driver.)

org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:451)
org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:350)
org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:254)
org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:631)
org.apache.catalina.realm.JDBCRealm.getPrincipal(JDBCRealm.java:596)
org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:399)
org.apache.catalina.authenticator.DigestAuthenticator.findPrincipal(DigestAuthenticator.java:283)
org.apache.catalina.authenticator.DigestAuthenticator.authenticate(DigestAuthenticator.java:176)
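The interleaving described in the report, reproduced as an added example that is not Tomcat's code and not the reporter's patch: a constructed stand-in for a JDBC PreparedStatement holds a single parameter slot (like the cached preparedRoles statement), an unsynchronized realm binds the user name and then executes, and several threads share one statement. The stand-in counts every executeQuery that sees a parameter bound by a different thread, which is the observable form of the race even with a driver that does not hang; the subclass applies the same remedy as the attached patches, serializing the method that touches the cached statement. Class and method names are assumptions for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed stand-in for a cached PreparedStatement: one parameter slot, no internal locking.
class FakePreparedStatement {
    private String boundParam;
    final AtomicInteger crossTalk = new AtomicInteger();

    void setString(int index, String value) {
        boundParam = value;
    }

    // Simulates the driver round-trip; the pause gives another thread room to rebind the slot.
    String executeQuery(String expectedParam) throws InterruptedException {
        Thread.sleep(1);
        String seen = boundParam;
        if (!expectedParam.equals(seen)) {
            crossTalk.incrementAndGet(); // query ran with another thread's user name
        }
        return seen;
    }
}

// Mirrors the reported pattern: setString(1, userName) then executeQuery() on a shared statement.
class UnsynchronizedRealm {
    final FakePreparedStatement preparedRoles = new FakePreparedStatement();

    String getRoles(String userName) throws InterruptedException {
        preparedRoles.setString(1, userName);
        return preparedRoles.executeQuery(userName);
    }
}

// Same remedy as the proposed patches: serialize the method that uses the cached statement.
class SynchronizedRealm extends UnsynchronizedRealm {
    @Override
    synchronized String getRoles(String userName) throws InterruptedException {
        return super.getRoles(userName);
    }
}

public class SharedStatementRace {
    // Runs `threads` concurrent callers, each authenticating its own user `iterations` times,
    // and returns how many queries executed with a parameter bound by a different caller.
    static int run(UnsynchronizedRealm realm, int threads, int iterations) throws InterruptedException {
        List<Thread> workers = new ArrayList<>();
        for (int i = 0; i < threads; i++) {
            final String user = "user" + i; // constructed sample user names
            Thread t = new Thread(() -> {
                try {
                    for (int k = 0; k < iterations; k++) {
                        realm.getRoles(user);
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
            workers.add(t);
            t.start();
        }
        for (Thread t : workers) {
            t.join();
        }
        return realm.preparedRoles.crossTalk.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsynchronized cross-talk: " + run(new UnsynchronizedRealm(), 4, 200));
        System.out.println("synchronized cross-talk:   " + run(new SynchronizedRealm(), 4, 200));
    }
}
```

Compile and run with `javac SharedStatementRace.java && java SharedStatementRace`. The unsynchronized count is nonzero on any multi-core machine, showing that a role lookup can be answered for the wrong user name; the synchronized realm always reports zero. The alternative Mark Thomas points to, DataSourceRealm, avoids the shared mutable statement altogether rather than locking around it.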
Comment 1 Santtu Hyrkkö 2008-07-23 00:54:05 UTC
Created attachment 22301 [details]
proposed patch for tomcat-6.0.16

synchronize JDBCRealm.getPrincipal
Comment 2 Santtu Hyrkkö 2008-07-23 00:54:33 UTC
Created attachment 22302 [details]
proposed patch for tomcat-5.5.26

synchronize JDBCRealm.getPrincipal()
Comment 3 Santtu Hyrkkö 2008-07-23 01:01:45 UTC
The problem is also in 6.0.16
Comment 4 Mark Thomas 2008-07-29 08:00:47 UTC
Thanks for the patch. It has been applied to trunk and proposed for 6.0.x and 5.5.x.
Note you will probably be better off using the DataSourceRealm.
Comment 5 Mark Thomas 2008-08-13 15:05:09 UTC
This has been fixed in 6.0.x and will be included in 6.0.19 onwards.
Comment 6 Mark Thomas 2008-08-14 02:37:32 UTC
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.