Details
- Bug
- Resolution: Fixed
- Major
- 3.0.1
- 2
- Sprint 91
Description
EnterpriseLdapManager contains a mutable ArrayList of LDAP connectors (cf. https://github.com/sonatype/nexus-internal/blob/5e34c8081fa48a0aeb5545c0c7f5aeb1d5d693a3/private/plugins/nexus-ldap-plugin/src/main/java/org/sonatype/nexus/ldap/internal/realms/EnterpriseLdapManager.java#L65), which is improperly managed for concurrent access.
- While getLdapConnectors() runs and rebuilds the list, nothing prevents/blocks a concurrent invocation of on(LdapClearCacheEvent), giving rise to concurrent add() and clear() invocations on a non-concurrent list
- While methods like authenticateUser() iterate over the returned array list from getLdapConnectors(), nothing blocks a concurrent invocation of on(LdapClearCacheEvent), causing ConcurrentModificationException or more cryptic failures from the iteration
java.util.ConcurrentModificationException
    at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:901)
    at java.util.ArrayList$Itr.next(ArrayList.java:851)
    at org.sonatype.nexus.ldap.internal.realms.EnterpriseLdapManager.authenticateUser(EnterpriseLdapManager.java:105)
    at org.sonatype.nexus.ldap.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:107)
    at org.apache.shiro.realm.ldap.AbstractLdapRealm.doGetAuthenticationInfo(AbstractLdapRealm.java:192)
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
    at org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator.doMultiRealmAuthentication(FirstSuccessfulModularRealmAuthenticator.java:49)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
    at org.apache.shiro.nexus.NexusWebSecurityManager.login(NexusWebSecurityManager.java:62)
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
    at org.sonatype.nexus.rapture.internal.security.SessionAuthenticationFilter.onAccessDenied(SessionAuthenticationFilter.java:83)
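As an added illustration, not the plugin's own code: a minimal Java model of the race described above (live ArrayList rebuilt, cleared and iterated from different threads) beside one possible fix, publishing an immutable snapshot through an AtomicReference so that readers never share a list the clear-cache handler can mutate. The Manager interface, the two manager classes and the string connector entries are assumptions made for the demo; how the actual fix was implemented is not stated on this page.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
// Added example (not the plugin's code): strings stand in for connector objects; both managers are hypothetical models.
public class LdapConnectorRaceDemo {
    interface Manager { List<String> getLdapConnectors(); void onClearCache(); }
    // Unsafe shape: one mutable ArrayList that is rebuilt, cleared and iterated by different threads.
    static class UnsafeManager implements Manager {
        private final List<String> connectors = new ArrayList<>();
        public List<String> getLdapConnectors() {
            if (connectors.isEmpty())
                for (int i = 0; i < 64; i++) connectors.add("connector-" + i); // rebuild in place
            return connectors;                                               // hands out the live list
        }
        public void onClearCache() { connectors.clear(); }                 // mutates under readers
    }
    // One possible fix: build the list privately, then publish an immutable snapshot atomically.
    // A thread iterating a snapshot can never observe a concurrent clear() or rebuild.
    static class SnapshotManager implements Manager {
        private final AtomicReference<List<String>> ref = new AtomicReference<>(Collections.emptyList());
        public List<String> getLdapConnectors() {
            List<String> current = ref.get();
            if (current.isEmpty()) {
                List<String> rebuilt = new ArrayList<>();
                for (int i = 0; i < 64; i++) rebuilt.add("connector-" + i);
                ref.set(current = Collections.unmodifiableList(rebuilt));   // single atomic publish
            }
            return current;
        }
        public void onClearCache() { ref.set(Collections.emptyList()); }
    }
    // Counts failures of an authenticateUser()-style iteration racing a cache-clearing thread (CME or cryptic variants).
    static int iterationFailures(Manager m, int rounds) throws InterruptedException {
        Thread clearer = new Thread(() -> { for (int i = 0; i < rounds; i++) m.onClearCache(); });
        clearer.start();
        int failures = 0;
        for (int i = 0; i < rounds; i++) {
            try { for (String c : m.getLdapConnectors()) c.length(); }
            catch (RuntimeException e) { failures++; }
        }
        clearer.join();
        return failures;
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("UnsafeManager failures:   " + iterationFailures(new UnsafeManager(), 200_000));
        System.out.println("SnapshotManager failures: " + iterationFailures(new SnapshotManager(), 200_000));
    }
}
```

The snapshot variant reports zero failures by construction, since the list being iterated is never modified after publication; the unsafe variant's count depends on scheduling but is normally well above zero on a multi-core machine.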