Bug 45453

Summary: JDBCRealm.getRoles bad synchronization causes hangs w/ DIGEST authentication
Product: Tomcat 5 Reporter: Santtu Hyrkkö <santtu.hyrkko>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal Keywords: PatchAvailable
Priority: P2    
Version: 5.5.26   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: proposed patch for tomcat-6.0.16
proposed patch for tomcat-5.5.26

Description Santtu Hyrkkö 2008-07-22 02:25:02 UTC 
JDBCRealm.getRoles bad synchronization causes hangs w/ DIGEST authentication

JDBCRealm caches PreparedStatement preparedRoles. That, and missing synchronization in JDBCRealm and/or DigestAuthenticator allow two threads to call getRoles simultaneously so that T1 will do stmt.executeQuery() while T2 does stmt.setString(1, userName) plus another .executeQuery() on the same PreparedStatement object.

In the worst case, the JDBC driver gets confused by this, and blocks forever waiting for server response, causing all other threads that try to access DB hang. (This was observed with PostgreSQL 8.3-603-jdbc4 JDBC driver)

org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:451)
org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:350)
org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:254)
org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:631)
org.apache.catalina.realm.JDBCRealm.getPrincipal(JDBCRealm.java:596)
org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:399)
org.apache.catalina.authenticator.DigestAuthenticator.findPrincipal(DigestAuthenticator.java:283)
org.apache.catalina.authenticator.DigestAuthenticator.authenticate(DigestAuthenticator.java:176)
Comment 1 Santtu Hyrkkö 2008-07-23 00:54:05 UTC 
Created attachment 22301 [details]
proposed patch for tomcat-6.0.16

synchronize JDBCRealm.getPrincipal
Comment 2 Santtu Hyrkkö 2008-07-23 00:54:33 UTC 
Created attachment 22302 [details]
proposed patch for tomcat-5.5.26

synchronize JDBCRealm.getPrincipal()
Comment 3 Santtu Hyrkkö 2008-07-23 01:01:45 UTC 
The problem is also in 6.0.16
Comment 4 Mark Thomas 2008-07-29 08:00:47 UTC 
Thanks for the patch. It has been applied to trunk and proposed for 6.0.x and 5.5.x.
Note you will probably be better off using the DataSourceRealm.
Comment 5 Mark Thomas 2008-08-13 15:05:09 UTC 
This has been fixed in 6.0.x and will be included in 6.0.19 onwards.
Comment 6 Mark Thomas 2008-08-14 02:37:32 UTC 
This has been fixed 5.5.x and will be included in 5.5.27 onwards