Dev - Nexus Repo / NEXUS-10533

EnterpriseLdapManager is not thread-safe

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.1
    • Fix Version/s: 3.3.0
    • Component/s: LDAP
    • Story Points: 2
    • Sprint: Sprint 91

      Description

      EnterpriseLdapManager contains a mutable ArrayList of LDAP connectors (cf. https://github.com/sonatype/nexus-internal/blob/5e34c8081fa48a0aeb5545c0c7f5aeb1d5d693a3/private/plugins/nexus-ldap-plugin/src/main/java/org/sonatype/nexus/ldap/internal/realms/EnterpriseLdapManager.java#L65), which is improperly managed for concurrent access.

      1. While getLdapConnectors() runs and rebuilds the list, nothing prevents/blocks a concurrent invocation of on(LdapClearCacheEvent), giving rise to concurrent add() and clear() invocations on a non-concurrent list.
      2. While methods like authenticateUser() iterate over the array list returned from getLdapConnectors(), nothing blocks a concurrent invocation of on(LdapClearCacheEvent), causing ConcurrentModificationException or more cryptic failures from the iteration:
      java.util.ConcurrentModificationException
              at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:901)
              at java.util.ArrayList$Itr.next(ArrayList.java:851)
              at org.sonatype.nexus.ldap.internal.realms.EnterpriseLdapManager.authenticateUser(EnterpriseLdapManager.java:105)
              at org.sonatype.nexus.ldap.LdapRealm.queryForAuthenticationInfo(LdapRealm.java:107)
              at org.apache.shiro.realm.ldap.AbstractLdapRealm.doGetAuthenticationInfo(AbstractLdapRealm.java:192)
              at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
              at org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator.doMultiRealmAuthentication(FirstSuccessfulModularRealmAuthenticator.java:49)
              at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
              at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
              at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
              at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
              at org.apache.shiro.nexus.NexusWebSecurityManager.login(NexusWebSecurityManager.java:62)
              at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
              at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
              at org.sonatype.nexus.rapture.internal.security.SessionAuthenticationFilter.onAccessDenied(SessionAuthenticationFilter.java:83)
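The race described above and one way to close it, as an added example that is not code from the issue or from Nexus: LdapConnector, LdapClearCacheEvent, the Supplier used as loader and both manager classes are constructed stand-ins modelled on the description.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.Supplier;
// Constructed stand-ins for the types named in the issue; not Nexus code.
interface LdapConnector { boolean authenticate(String user, char[] password); }
final class LdapClearCacheEvent {}

// Unsafe pattern from the issue: one mutable ArrayList is rebuilt in place by
// getLdapConnectors(), emptied by on(LdapClearCacheEvent) and iterated by
// authenticateUser(), with nothing coordinating the three.
final class UnsafeLdapManager {
  private final List<LdapConnector> connectors = new ArrayList<>();
  private final Supplier<List<LdapConnector>> loader;
  UnsafeLdapManager(Supplier<List<LdapConnector>> loader) { this.loader = loader; }
  List<LdapConnector> getLdapConnectors() {
    // A clear() arriving during addAll() races it, and a caller iterating
    // the same list at that moment throws ConcurrentModificationException.
    if (connectors.isEmpty()) connectors.addAll(loader.get());
    return connectors;
  }
  void on(LdapClearCacheEvent e) { connectors.clear(); }
  boolean authenticateUser(String user, char[] password) {
    for (LdapConnector c : getLdapConnectors())         // iterates the live list
      if (c.authenticate(user, password)) return true;
    return false;
  }
}

// Hardened form: the field holds an immutable snapshot that is replaced, never
// mutated. Rebuild and clear serialise on one lock, so a clear is never lost to
// an in-flight rebuild, and a caller iterating an older snapshot is unaffected.
final class SafeLdapManager {
  private volatile List<LdapConnector> connectors = Collections.emptyList();
  private final Supplier<List<LdapConnector>> loader;
  SafeLdapManager(Supplier<List<LdapConnector>> loader) { this.loader = loader; }
  List<LdapConnector> getLdapConnectors() {
    List<LdapConnector> current = connectors;          // lock-free fast path
    if (!current.isEmpty()) return current;
    synchronized (this) {
      if (connectors.isEmpty())                         // re-check under the lock
        connectors = Collections.unmodifiableList(new ArrayList<>(loader.get()));
      return connectors;
    }
  }
  synchronized void on(LdapClearCacheEvent e) { connectors = Collections.emptyList(); }
  boolean authenticateUser(String user, char[] password) {
    for (LdapConnector c : getLdapConnectors())         // iterates a snapshot
      if (c.authenticate(user, password)) return true;
    return false;
  }
}
```

From a detection standpoint, the stack trace above is the signature to watch for: a ConcurrentModificationException out of authenticateUser() surfaces as intermittent login failures that correlate with LDAP cache clears rather than with bad credentials.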

            People

            Assignee: Joseph Stephens (jstephens)
            Reporter: Benjamin Bentmann (bentmann)
            Last Updated By: Peter Lynch