Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-7148

Race Condition while handling symmetric key in SymmetricBindingHandler

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: 3.1.7, 3.1.8
          • Fix Version/s: 3.1.9, 3.0.12, 3.2.0
          • Component/s: WS-* Components
          • Labels:
            None
          • Estimated Complexity:
            Unknown

            Description

            when using an asymmetricBinding, when requested in parallel, quite a few requests fail, where the client could not associate a symmetric key with the response.

            As it turned out, the symmetric key was stored temporarily in a cache using an id that is not unique at all.

            SymmetricBindingHandler.java
            // line 985 via 162
tokenStore.add(tempTok);

// line 182
tok = tokenStore.getToken(tokenId);

            This leads to a race condition if another thread reaches line 162 before the key is retrieved in 182 and the same id is used.

            In my case, the id was "_5002" consistently.

            We implemented a hack using a ThreadLocal based TokenStore, but I think the symmetric key should actually not be cached at all.

              Attachments

                Activity

                  People

                  • Assignee:
                    coheigea Colm O hEigeartaigh
                    Reporter:
                    MaxFichtelmann Max Fichtelmann
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: