LLG20111699 / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

AbstractNonceVerifier is not thread safe. #75

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Load test with multiple concurrent users logging in and out every second

What is the expected output? What do you see instead?
All users should be successfully authenticated.
However, periodically two or more users will fail to log in.
The maximum supported concurrent users for us is currently around 5. With 
the fix below we are able to easily support over 100 concurrent users.

What version of the product are you using? On what operating system?
0.9.3, Java 1.5, WinXP or Solaris

Please provide any additional information below.
The problem is caused because SimpleDateFormat is not thread safe.
The class org.openid4java.consumer.AbstractNonceVerifier declares a 
variable of type InternetDateFormat which uses the SimpleDateFormat.

This variable is used in this class and in the derived class. The method 
in the derived class is synchronized but the method in 
AbstractNonceVerifier is not synchronized. 

Solution
Update org.openid4java.consumer.AbstractNonceVerifier at line 48 of the 
trunk, set the method to be synchronized:
public synchronized int seen(String opUrl, String nonce)

Original issue reported on code.google.com by mike.ne...@gmail.com on 24 Nov 2008 at 9:36
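The race described in the report above, as an added example that is not part of the original issue or the openid4java code base: one SimpleDateFormat shared by 16 threads parsing nonce timestamps, first without locking and then through a synchronized method as the reporter proposes. The class name, the date pattern, the sample nonces and the Java 8 lambda syntax are assumptions made for the illustration.

```java
import java.text.SimpleDateFormat;
import java.util.TimeZone;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class NonceDateRace {
    // Assumed pattern for the UTC timestamp that prefixes an OpenID 2.0 nonce.
    private static final SimpleDateFormat SHARED = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
    static { SHARED.setTimeZone(TimeZone.getTimeZone("UTC")); }

    // Unsynchronized use of the shared formatter: the situation the issue reports.
    static long parseUnsafe(String nonce) throws Exception {
        return SHARED.parse(nonce.substring(0, 20)).getTime();
    }

    // Same call serialized on one lock, mirroring the proposed 'synchronized' fix.
    static synchronized long parseLocked(String nonce) throws Exception {
        return SHARED.parse(nonce.substring(0, 20)).getTime();
    }

    interface Parser { long parse(String nonce) throws Exception; }

    // Parses constructed nonces from 16 threads; counts wrong results and exceptions.
    static int failures(Parser p) throws InterruptedException {
        AtomicInteger bad = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(16);
        for (int t = 0; t < 16; t++) {
            final int sec = t;
            pool.execute(() -> {
                String nonce = String.format("2008-11-24T09:36:%02dZabc%d", sec, sec); // constructed sample
                long expected = 1227519360000L + sec * 1000L; // 2008-11-24T09:36:00Z plus sec seconds
                for (int i = 0; i < 20000; i++) {
                    try {
                        if (p.parse(nonce) != expected) bad.incrementAndGet();
                    } catch (Exception e) { bad.incrementAndGet(); }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return bad.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsynchronized failures: " + failures(NonceDateRace::parseUnsafe));
        System.out.println("synchronized failures:   " + failures(NonceDateRace::parseLocked));
    }
}
```

The unsynchronized count depends on thread scheduling and varies between runs; the synchronized count is always 0 because only one thread touches the formatter's internal state at a time.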

GoogleCodeExporter commented 9 years ago
This is checked in as rev521. Thank you!

Original comment by Johnny.B...@gmail.com on 1 Jan 2009 at 9:02