ID: 0035164
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: random
Date Submitted: 2017-02-06 08:35
Last Update: 2017-09-21 16:49
Reporter: alostale
View Status: public
Assigned To: caristu
Priority: urgent
Resolution: fixed
Fixed in Version: 3.0PR17Q4
Status: closed
Fix in branch:
Fixed in SCM revision: 282b45a9521e
Projection: none
ETA: none
Target Version:
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To: alostale
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary

0035164: AuthenticationManager.username thread unsafe

Description: AuthenticationManager class has a member username which is set and accessed by different methods [1].

An instance of AuthenticationManager is kept in the HttpSecureAppServlet as a member [2] of the servlet. Therefore username can be accessed in an inconsistent state.

[1] https://code.openbravo.com/erp/devel/pi/file/0c91a26dca81/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java#l83
[2] https://code.openbravo.com/erp/devel/pi/file/0c91a26dca81/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java#l83

Steps To Reproduce: Would need to create an artificial test to reproduce this behavior, though it possibly is reproducible in real cases.

Tags: multiThread
Attached Files:

- Relationships
related to design defect 0036808 new platform AuthenticationManager should be stateless
depends on defect 0036807 closed caristu API Change: remove AuthenticationManager.username field
blocks design defect 0034664 acknowledged platform multi thread unsafeties

-  Notes
(0098883)
hgbot (developer)
2017-09-07 11:59

Repository: erp/devel/pi
Changeset: d21362467e8bd529b903fff261f950bf8a75c693
Author: Carlos Aristu <carlos.aristu <at> openbravo.com>
Date: Thu Sep 07 11:56:46 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/d21362467e8bd529b903fff261f950bf8a75c693

related to issue 35164: initial code improvements
  - Reorder the modifiers of the getAuthenticationManager method to comply with the Java Language Specification
  - Created new private constant for "#AD_SESSION_ID"
  - Use faster indexOf(char) method

---
M src/org/openbravo/authentication/AuthenticationManager.java
---
(0098912)
caristu (developer)
2017-09-08 13:18
edited on: 2017-09-08 13:38

Repository: erp/devel/pi
Changeset: 282b45a9521e
Author: Carlos Aristu <carlos.aristu <at> openbravo.com>
Date: Fri Sep 08 13:09:04 2017 +0200
URL: https://code.openbravo.com/erp/devel/pi/rev/282b45a9521e

fixes issue 36807: remove AuthenticationManager.username field

---
M src/org/openbravo/authentication/AuthenticationManager.java
M src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
---

(0098963)
hgbot (developer)
2017-09-12 09:29

Repository: erp/devel/pi
Changeset: 93aa822ffff308bd1420fd928ba20c6157c579bc
Author: Carlos Aristu <carlos.aristu <at> openbravo.com>
Date: Tue Sep 12 09:21:01 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/93aa822ffff308bd1420fd928ba20c6157c579bc

related to issue 35164: code review improvements

  - Initialize the ThreadLocal variable (loginName) on every call to authenticate. Thus, we ensure that its value is cleaned up when Tomcat reuses a thread.
  - Use new UserLoginInfo to keep the login credentials instead of using a map.

---
M src/org/openbravo/authentication/AuthenticationManager.java
M src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
---
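
The race described in this issue and the per-thread approach mentioned in note 0098963, as an added Java illustration that is not Openbravo code: all class and method names are hypothetical, and the barrier only forces the interleaving that in production happens by chance.

```java
import java.util.concurrent.*;

// Added illustration; all names are hypothetical, this is not Openbravo code.
public class SharedFieldRaceDemo {

  interface Authenticator {
    String authenticate(String login, CyclicBarrier sync) throws Exception;
  }

  // One instance serves every request thread, like a member of a servlet.
  static class FieldBased implements Authenticator {
    private volatile String username; // volatile gives visibility, not isolation
    public String authenticate(String login, CyclicBarrier sync) throws Exception {
      username = login;
      sync.await();    // constructed interleaving: both requests have written
      return username; // last writer wins, for both callers
    }
  }

  // Per-thread slot, assigned on every call so a pooled thread never
  // carries over the value left by an earlier request.
  static class ThreadLocalBased implements Authenticator {
    private final ThreadLocal<String> loginName = new ThreadLocal<>();
    public String authenticate(String login, CyclicBarrier sync) throws Exception {
      loginName.set(login);
      sync.await();
      return loginName.get();
    }
  }

  // Runs two concurrent requests against one shared instance and counts
  // how many got back a login other than the one they submitted.
  static int mismatches(Authenticator shared) throws Exception {
    ExecutorService pool = Executors.newFixedThreadPool(2);
    CyclicBarrier sync = new CyclicBarrier(2);
    try {
      Future<String> a = pool.submit(() -> shared.authenticate("alice", sync));
      Future<String> b = pool.submit(() -> shared.authenticate("bob", sync));
      return ("alice".equals(a.get()) ? 0 : 1) + ("bob".equals(b.get()) ? 0 : 1);
    } finally {
      pool.shutdown();
    }
  }

  public static void main(String[] args) throws Exception {
    System.out.println("shared field: " + mismatches(new FieldBased()));
    System.out.println("ThreadLocal:  " + mismatches(new ThreadLocalBased()));
  }
}
```

In the field-based variant one of the two requests is handed the other request's login, which in an authentication path means acting on the wrong identity; the per-thread variant returns each caller its own value.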
(0098966)
hgbot (developer)
2017-09-12 09:34

Repository: erp/devel/pi
Changeset: efcc5da08f96ef95133a3bfef76f08a35282dcbe
Author: Carlos Aristu <carlos.aristu <at> openbravo.com>
Date: Tue Sep 12 09:33:36 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/efcc5da08f96ef95133a3bfef76f08a35282dcbe

related to issue 35164: use correct param name in javadoc

---
M src/org/openbravo/authentication/AuthenticationManager.java
---
(0098972)
alostale (developer)
2017-09-12 10:57

reviewed + tested
(0099366)
hudsonbot (developer)
2017-09-21 16:49

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/9750b78d3e5c
Maturity status: Test
(0099370)
hudsonbot (developer)
2017-09-21 16:49

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/9750b78d3e5c
Maturity status: Test
(0099377)
hudsonbot (developer)
2017-09-21 16:49

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/9750b78d3e5c
Maturity status: Test
(0099378)
hudsonbot (developer)
2017-09-21 16:49

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/9750b78d3e5c
Maturity status: Test

- Issue History
Date Modified Username Field Change
2017-02-06 08:35 alostale New Issue
2017-02-06 08:35 alostale Assigned To => platform
2017-02-06 08:35 alostale Modules => Core
2017-02-06 08:35 alostale Triggers an Emergency Pack => No
2017-02-06 08:35 alostale Relationship added blocks 0034664
2017-02-06 08:35 alostale Tag Attached: multiThread
2017-02-06 08:35 alostale Status new => acknowledged
2017-09-07 11:50 caristu Assigned To platform => caristu
2017-09-07 11:50 caristu Status acknowledged => scheduled
2017-09-07 11:59 hgbot Checkin
2017-09-07 11:59 hgbot Note Added: 0098883
2017-09-07 19:09 caristu Relationship added depends on 0036807
2017-09-07 19:21 caristu Relationship added related to 0036808
2017-09-08 13:18 caristu Note Added: 0098912
2017-09-08 13:18 caristu Status scheduled => resolved
2017-09-08 13:18 caristu Fixed in SCM revision => 282b45a9521e
2017-09-08 13:18 caristu Resolution open => fixed
2017-09-08 13:18 caristu Note Edited: 0098912
2017-09-08 13:19 caristu Review Assigned To => alostale
2017-09-08 13:20 caristu Note Edited: 0098912
2017-09-08 13:32 caristu Fixed in SCM revision 282b45a9521e => 282b45a9521ehttps://code.openbravo.com/erp/devel/pi/rev/282b45a9521e
2017-09-08 13:32 caristu Fixed in SCM revision 282b45a9521ehttps://code.openbravo.com/erp/devel/pi/rev/282b45a9521e => https://code.openbravo.com/erp/devel/pi/rev/282b45a9521e
2017-09-08 13:38 caristu Note Edited: 0098912
2017-09-12 09:29 hgbot Checkin
2017-09-12 09:29 hgbot Note Added: 0098963
2017-09-12 09:34 hgbot Checkin
2017-09-12 09:34 hgbot Note Added: 0098966
2017-09-12 10:57 alostale Note Added: 0098972
2017-09-12 10:57 alostale Status resolved => closed
2017-09-12 10:57 alostale Fixed in Version => 3.0PR17Q4
2017-09-21 16:49 hudsonbot Checkin
2017-09-21 16:49 hudsonbot Note Added: 0099366
2017-09-21 16:49 hudsonbot Checkin
2017-09-21 16:49 hudsonbot Note Added: 0099370
2017-09-21 16:49 hudsonbot Checkin
2017-09-21 16:49 hudsonbot Note Added: 0099377
2017-09-21 16:49 hudsonbot Checkin
2017-09-21 16:49 hudsonbot Note Added: 0099378

