ARTEMIS-4352 Avod Deadlock in case the SecurityManager is reusing the Netty executor.
If the Security Manager is using Netty, and in particular the same Netty connection, you could run into a deadlock / starvation. This is particularly true in the Wildfly case where they reuse the same connection for everything via XNIO.
parent
36a20dbf76
commit
6ee27224a5
|
@ -48,6 +48,7 @@ import org.apache.activemq.artemis.core.server.ActiveMQServerLogger;
|
||||||
import org.apache.activemq.artemis.core.server.ServerSession;
|
import org.apache.activemq.artemis.core.server.ServerSession;
|
||||||
import org.apache.activemq.artemis.core.version.Version;
|
import org.apache.activemq.artemis.core.version.Version;
|
||||||
import org.apache.activemq.artemis.logs.AuditLogger;
|
import org.apache.activemq.artemis.logs.AuditLogger;
|
||||||
|
import org.apache.activemq.artemis.utils.actors.Actor;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
import java.lang.invoke.MethodHandles;
|
import java.lang.invoke.MethodHandles;
|
||||||
|
@ -67,6 +68,8 @@ public class ActiveMQPacketHandler implements ChannelHandler {
|
||||||
|
|
||||||
private final CoreProtocolManager protocolManager;
|
private final CoreProtocolManager protocolManager;
|
||||||
|
|
||||||
|
private final Actor<Packet> packetActor;
|
||||||
|
|
||||||
public ActiveMQPacketHandler(final CoreProtocolManager protocolManager,
|
public ActiveMQPacketHandler(final CoreProtocolManager protocolManager,
|
||||||
final ActiveMQServer server,
|
final ActiveMQServer server,
|
||||||
final Channel channel1,
|
final Channel channel1,
|
||||||
|
@ -78,10 +81,16 @@ public class ActiveMQPacketHandler implements ChannelHandler {
|
||||||
this.channel1 = channel1;
|
this.channel1 = channel1;
|
||||||
|
|
||||||
this.connection = connection;
|
this.connection = connection;
|
||||||
|
|
||||||
|
packetActor = new Actor<>(server.getExecutorFactory().getExecutor(), this::internalHandler);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void handlePacket(final Packet packet) {
|
public void handlePacket(final Packet packet) {
|
||||||
|
packetActor.act(packet);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void internalHandler(final Packet packet) {
|
||||||
byte type = packet.getType();
|
byte type = packet.getType();
|
||||||
|
|
||||||
if (AuditLogger.isAnyLoggingEnabled()) {
|
if (AuditLogger.isAnyLoggingEnabled()) {
|
||||||
|
|
|
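Review bot: The new `packetActor` created in the constructor queues every packet passed to `handlePacket` onto `server.getExecutorFactory().getExecutor()`, and nothing visible in this section bounds that queue or discards queued packets once the connection has gone away. Because `handlePacket` now returns immediately, the Netty thread no longer waits while a slow security manager runs, so a peer that has not yet been authenticated could presumably keep adding packets while `internalHandler` is blocked; it is worth confirming how `Actor` behaves in that case. I would also record the reason for the indirection on the field, for example `// Packets are handled off the Netty thread: the security manager may itself need this connection's event loop (ARTEMIS-4352).` The body of `internalHandler` continues outside the hunk.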
@ -0,0 +1,116 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
* contributor license agreements. See the NOTICE file distributed with
|
||||||
|
* this work for additional information regarding copyright ownership.
|
||||||
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
* (the "License"); you may not use this file except in compliance with
|
||||||
|
* the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.activemq.artemis.tests.integration.security;
|
||||||
|
|
||||||
|
import javax.jms.Connection;
|
||||||
|
import javax.jms.ConnectionFactory;
|
||||||
|
import javax.jms.JMSException;
|
||||||
|
import javax.security.auth.Subject;
|
||||||
|
import java.lang.invoke.MethodHandles;
|
||||||
|
import java.lang.management.ManagementFactory;
|
||||||
|
import java.util.Set;
|
||||||
|
import java.util.concurrent.CountDownLatch;
|
||||||
|
import java.util.concurrent.TimeUnit;
|
||||||
|
|
||||||
|
import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection;
|
||||||
|
import org.apache.activemq.artemis.core.security.CheckType;
|
||||||
|
import org.apache.activemq.artemis.core.security.Role;
|
||||||
|
import org.apache.activemq.artemis.core.server.ActiveMQServer;
|
||||||
|
import org.apache.activemq.artemis.core.server.ActiveMQServers;
|
||||||
|
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
|
||||||
|
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager5;
|
||||||
|
import org.apache.activemq.artemis.spi.core.security.jaas.NoCacheLoginException;
|
||||||
|
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
|
||||||
|
import org.apache.activemq.artemis.tests.util.CFUtil;
|
||||||
|
import org.junit.Assert;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.slf4j.Logger;
|
||||||
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
public class RecursiveNettySecurityTest extends ActiveMQTestBase {
|
||||||
|
|
||||||
|
private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
|
||||||
|
|
||||||
|
/*
|
||||||
|
* create session tests
|
||||||
|
*/
|
||||||
|
private static final String addressA = "addressA";
|
||||||
|
|
||||||
|
private static final String queueA = "queueA";
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Before
|
||||||
|
public void setUp() throws Exception {
|
||||||
|
super.setUp();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRecursiveSecurity() throws Exception {
|
||||||
|
RecursiveNettySecurityManager securityManager = new RecursiveNettySecurityManager();
|
||||||
|
ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultNettyConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
|
||||||
|
server.start();
|
||||||
|
|
||||||
|
ConnectionFactory connectionFactory = CFUtil.createConnectionFactory("CORE", "tcp://localhost:61616");
|
||||||
|
|
||||||
|
try {
|
||||||
|
Connection connection = connectionFactory.createConnection("first", "secret");
|
||||||
|
connection.close();
|
||||||
|
} catch (JMSException e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
Assert.fail("should not throw exception");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
class RecursiveNettySecurityManager implements ActiveMQSecurityManager5 {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean validateUser(String user, String password) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean validateUserAndRole(String user, String password, Set<Role> roles, CheckType checkType) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Subject authenticate(String user,
|
||||||
|
String password,
|
||||||
|
RemotingConnection remotingConnection,
|
||||||
|
String securityDomain) throws NoCacheLoginException {
|
||||||
|
NettyConnection nettyConnection = (NettyConnection) remotingConnection.getTransportConnection();
|
||||||
|
CountDownLatch latch = new CountDownLatch(1);
|
||||||
|
nettyConnection.getChannel().eventLoop().execute(latch::countDown);
|
||||||
|
try {
|
||||||
|
if (!latch.await(10, TimeUnit.SECONDS)) {
|
||||||
|
logger.warn("Cannot complete oepration in time", new Exception("timeout"));
|
||||||
|
throw new NoCacheLoginException("Can't complete operation in time");
|
||||||
|
}
|
||||||
|
} catch (InterruptedException e) {
|
||||||
|
logger.warn(e.getMessage(), e);
|
||||||
|
throw new NoCacheLoginException(e.getMessage());
|
||||||
|
}
|
||||||
|
return new Subject();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean authorize(Subject subject, Set<Role> roles, CheckType checkType, String address) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
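Review bot: In `testRecursiveSecurity` the `catch (JMSException e)` block prints the stack trace and then fails with a fixed message, so the exception itself is missing from the test failure. The method already declares `throws Exception`, so the whole try/catch can be replaced by `connectionFactory.createConnection("first", "secret").close();`. In `authenticate`, the `InterruptedException` handler should restore the flag with `Thread.currentThread().interrupt();` before throwing, and the warning text has a typo (`oepration`). A short class comment saying that the stub security manager deliberately waits on the connection's own Netty event loop, and that the 10-second timeout is what signals a regression, would make the purpose of the test clear.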