Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sorting in AuthorizationAdvisorProxyFactory should be thread-safe #16819

Closed
wbxz987 opened this issue Mar 25, 2025 · 4 comments · Fixed by #16834
Closed

Sorting in AuthorizationAdvisorProxyFactory should be thread-safe #16819

wbxz987 opened this issue Mar 25, 2025 · 4 comments · Fixed by #16834
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core type: bug A general bug
Milestone
6.3.x

Comments

@wbxz987
Copy link

wbxz987 commented Mar 25, 2025
edited
Loading

Using Spring Security 6.4.4 (via Spring Boot 3.4.4)

Describe the bug
When a endpoint annotated with @AuthorizeReturnObject returns an object that has an object authorized with e.g. @PreAuthorize, ConcurrentModificationException is thrown when multiple requests come in parallel.

To Reproduce
See the sample repository below for a reproducible test case.

Expected behavior
Parallel requests should be handled without errors.

Sample
https://github.com/wbxz987/ConcurrentModificationException

The sample repository contains a test, that simulates multiple requests coming in parallel. The test fails because a ConcurrentModificationException is thrown.

Caused by: java.util.ConcurrentModificationException
	at java.base/java.util.ArrayList.sort(ArrayList.java:1806)
	at org.springframework.core.annotation.AnnotationAwareOrderComparator.sort(AnnotationAwareOrderComparator.java:111)
	at org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.proxy(AuthorizationAdvisorProxyFactory.java:168)
	at org.springframework.security.authorization.method.AuthorizeReturnObjectMethodInterceptor.invoke(AuthorizeReturnObjectMethodInterceptor.java:61)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:727)
	at org.example.concurrentmodificationexception.controller.Controller$$SpringCGLIB$$0.getModel(<generated>)

The test works when downgrading Spring Security to version 6.3.2, and breaks after this commit 0cab7c8
@wbxz987 wbxz987 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 25, 2025
@jzheaux jzheaux self-assigned this Mar 27, 2025
@jzheaux jzheaux added this to the 6.3.x milestone Mar 27, 2025
@ngocnhan-tran1996 ngocnhan-tran1996 mentioned this issue Mar 27, 2025
Merged
@jzheaux
Copy link
Contributor

jzheaux commented Mar 27, 2025

Thanks for the detailed report, @wbxz987! We'll target fixing this in the next maintenance release.

In the meantime, you can workaround this by providing your own proxy factory instance like so:

@Primary
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
static AuthorizationProxyFactory proxyFactory() {
	AuthorizationAdvisorProxyFactory proxyFactory = new AuthorizationAdvisorProxyFactory(new ArrayList<>());
	List<AuthorizationAdvisor> advisors = new ArrayList<>();
	advisors.add(AuthorizationManagerBeforeMethodInterceptor.preAuthorize());
	advisors.add(AuthorizationManagerAfterMethodInterceptor.postAuthorize());
	advisors.add(new PreFilterAuthorizationMethodInterceptor());
	advisors.add(new PostFilterAuthorizationMethodInterceptor());
	advisors.add(new AuthorizeReturnObjectMethodInterceptor(proxyFactory));
	AnnotationAwareOrderComparator.sort(advisors);
	for (AuthorizationAdvisor advisor : advisors) {
		proxyFactory.addAdvisor(advisor);
	}
	return proxyFactory;
}

Will you please let me know if this addresses the issue for the time being?

@jzheaux jzheaux added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 27, 2025
jzheaux pushed a commit to ngocnhan-tran1996/spring-security that referenced this issue Mar 27, 2025
@ngocnhan-tran1996 @jzheaux
Sort Advisors AfterSingletonsInstantiated
2417de3 
In order to make so that authorization advisors are sorted
only one time and also as part of the configuration lifecycle,
AuthorizationAdvisorProxyFactory now implements
SmartInitializingBean.

Closes spring-projectsgh-16819

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
jzheaux added a commit to ngocnhan-tran1996/spring-security that referenced this issue Mar 27, 2025
@jzheaux
Add Test
5b7baee 
Issue spring-projectsgh-16819
jzheaux added a commit to ngocnhan-tran1996/spring-security that referenced this issue Mar 27, 2025
@jzheaux
Sort Default Advisors and Added Advisors
df61e29 
This commit ensures that the default advisors and added advisors
are sorted in the event that this component is not being published
as a Spring bean.

Issue spring-projectsgh-16819
jzheaux added a commit to ngocnhan-tran1996/spring-security that referenced this issue Mar 27, 2025
@jzheaux
Sort Default Advisors and Added Advisors
ae72f13 
This commit ensures that the default advisors and added advisors
are sorted in the event that this component is not being published
as a Spring bean.

Issue spring-projectsgh-16819
jzheaux added a commit to ngocnhan-tran1996/spring-security that referenced this issue Mar 27, 2025
@jzheaux
Sort Default Advisors and Added Advisors
fc6e1af 
This commit ensures that the default advisors and added advisors
are sorted in the event that this component is not being published
as a Spring bean.

Issue spring-projectsgh-16819
jzheaux added a commit that referenced this issue Mar 27, 2025
@jzheaux
Add Test
15b9a50 
Issue gh-16819
jzheaux added a commit that referenced this issue Mar 27, 2025
@jzheaux
Sort Default Advisors and Added Advisors
456604a 
This commit ensures that the default advisors and added advisors
are sorted in the event that this component is not being published
as a Spring bean.

Issue gh-16819
@jzheaux jzheaux changed the title ConcurrentModificationException is thrown when multiple requests come in parallel to a endpoint annotated with AuthorizeReturnObject Sorting in AuthorizationAdvisorProxyFactory should be thread-safe Mar 27, 2025
@jzheaux jzheaux mentioned this issue Mar 27, 2025
Closed
@wbxz987
Copy link
Author

wbxz987 commented Mar 28, 2025
edited
Loading

Thanks for the quick fix @jzheaux and @ngocnhan-tran1996, looking forward for the release.

I updated the sample repository with the proposed workaround: https://github.com/wbxz987/ConcurrentModificationException/blob/main/src/main/java/org/example/concurrentmodificationexception/config/SecurityConfig.java#L38

  1. I modified the return type to be AuthorizationAdvisorProxyFactory instead of AuthorizationProxyFactory, because AuthorizeReturnObjectMethodInterceptor was still using AuthorizationAdvisorProxyFactory from AuthorizationProxyConfiguration. Is this correct?

  2. After modifying the return type, the AuthorizationAdvisorProxyFactory seems to have duplicated entries of AuthorizationAdvisor. I guess this is because AuthorizationProxyConfiguration adds the same advisors when initializing authorizeReturnObjectMethodInterceptor bean.

  3. The test still fails, with the same exception at the same location

Am i missing something?

@jzheaux
Copy link
Contributor

jzheaux commented Mar 29, 2025
edited
Loading

I see, my mistake, @wbxz987. I incorrectly anticipated that List.sort would only throw ConcurrentModificationException when it needed to make modifications; however, it appears to check for this any time List.sort is called, regardless if there are any changes.

What you can do instead is publish a thread safe version of the proxy like so:

@Component
@Primary
public class ThreadsafeAuthorizationProxyFactory implements AuthorizationProxyFactory {
	private AuthorizationAdvisorProxyFactory delegate;

	private final ReentrantLock lock = new ReentrantLock();

	@Override
	public Object proxy(Object object) {
		try {
			this.lock.lock();
			return this.delegate.proxy(object);
		} finally {
			this.lock.unlock();
		}
	}

	public void setDelegate(AuthorizationAdvisorProxyFactory delegate) {
		this.delegate = delegate;
	}
}

And then provide that proxy to an authorizeReturnObjectAdvisor like so:

@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
static Advisor authorizeReturnObjectAdvisor(ObjectProvider<AuthorizationAdvisor> provider, 
    ThreadsafeAuthorizationProxyFactory proxyFactory) {
    AuthorizationAdvisorProxyFactory delegate = new AuthorizationAdvisorProxyFactory(new ArrayList<>());
    provider.forEach(delegate::addAdvisor);
    AuthorizeReturnObjectMethodInterceptor interceptor = new AuthorizeReturnObjectMethodInterceptor(proxyFactory);
    delegate.addAdvisor(interceptor);
    proxyFactory.setDelegate(delegate);
    return interceptor;
}

I updated the provided sample with this change: wbxz987/ConcurrentModificationException#1

Does this solution work better?

@wbxz987
Copy link
Author

wbxz987 commented Mar 31, 2025

Yes, the workaround works perfectly. Thank you @jzheaux!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: bug A general bug
Projects
None yet
Milestone
6.3.x
Development

Successfully merging a pull request may close this issue.

Sorting in AuthorizationAdvisorProxyFactory should be thread-safe ngocnhan-tran1996/spring-security
2 participants
@jzheaux @wbxz987