InMemoryWebSessionStore#changeSessionId makes blocking calls to UUID.randomUUID #29212

Closed
gourav opened this issue Sep 28, 2022 · 1 comment
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug

gourav commented Sep 28, 2022

While using BlockHound to detect blocking operations in general, it was found that for the logout operation in reactive web support, InMemoryWebSessionStore makes a blocking call to UUID.randomUUID via the changeSessionId method call.

As is evident from the source, new session ID generation would be performed on the reactor thread.

reactor.blockhound.BlockingOperationError: Blocking call! java.io.FileInputStream#readBytes
	at java.io.FileInputStream.readBytes(FileInputStream.java) ~[?:?]
	Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
Error has been observed at the following site(s):
	*__checkpoint ⇢ org.springframework.security.web.server.authentication.logout.LogoutWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.savedrequest.ServerRequestCacheWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.context.SecurityContextServerWebExchangeWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.authentication.AuthenticationWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.context.ReactorContextWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.header.HttpHeaderWriterWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
	*__checkpoint ⇢ HTTP POST "/logout" [ExceptionHandlingWebHandler]
Original Stack Trace:
		at java.io.FileInputStream.readBytes(FileInputStream.java) ~[?:?]
		at java.io.FileInputStream.read(FileInputStream.java:276) ~[?:?]
		at java.io.FilterInputStream.read(FilterInputStream.java:132) ~[?:?]
		at sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:425) ~[?:?]
		at sun.security.provider.NativePRNG$RandomIO.ensureBufferValid(NativePRNG.java:528) ~[?:?]
		at sun.security.provider.NativePRNG$RandomIO.implNextBytes(NativePRNG.java:547) ~[?:?]
		at sun.security.provider.NativePRNG.engineNextBytes(NativePRNG.java:221) ~[?:?]
		at java.security.SecureRandom.nextBytes(SecureRandom.java:758) ~[?:?]
		at java.util.UUID.randomUUID(UUID.java:151) ~[?:?]
		at org.springframework.util.JdkIdGenerator.generateId(JdkIdGenerator.java:31) ~[spring-core-5.3.22.jar:5.3.22]
		at org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession.changeSessionId(InMemoryWebSessionStore.java:234) ~[spring-web-5.3.22.jar:5.3.22]
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Sep 28, 2022
@rstoyanchev rstoyanchev added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Jan 24, 2023
@rstoyanchev rstoyanchev self-assigned this Jan 27, 2023
@rstoyanchev rstoyanchev added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Jan 27, 2023
@rstoyanchev rstoyanchev added this to the 6.0.5 milestone Jan 27, 2023
@rstoyanchev
Contributor

Similar to #24027 but when changeSessionId is called rather than when a new session is created.

@rstoyanchev rstoyanchev added type: bug A general bug and removed type: enhancement A general enhancement labels Jan 27, 2023
@rstoyanchev rstoyanchev changed the title InMemoryWebSessionStore makes blocking calls to UUID.randomUUID InMemoryWebSessionStore#changeSessionId makes blocking calls to UUID.randomUUID Jan 27, 2023
mdeinum pushed a commit to mdeinum/spring-framework that referenced this issue Jun 29, 2023
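
An added example, not code from this thread or from Spring Framework: one way to rotate a session ID without running the `SecureRandom`-backed `UUID.randomUUID()` on a non-blocking Reactor thread, while keeping the CSPRNG as the ID source. It assumes `reactor-core` is on the classpath; `SessionIdRotationExample`, `Session` and the sample ID are hypothetical names.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;

import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

// Hypothetical stand-in for an in-memory session store; not Spring's InMemoryWebSessionStore.
public class SessionIdRotationExample {

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    final class Session {
        private final AtomicReference<String> id = new AtomicReference<>();

        Session(String initialId) {
            this.id.set(initialId);
            sessions.put(initialId, this);
        }

        String getId() { return id.get(); }

        // Rotates the ID without calling SecureRandom on an event-loop thread.
        Mono<Void> changeSessionId() {
            return Mono.fromSupplier(() -> UUID.randomUUID().toString()) // reads the OS entropy source, may block
                    .subscribeOn(Schedulers.boundedElastic()) // run the supplier where blocking is allowed
                    .publishOn(Schedulers.parallel())         // hop back to a non-blocking thread
                    .doOnNext(newId -> {
                        String oldId = id.getAndSet(newId);
                        sessions.remove(oldId);   // the old ID must stop resolving once rotated
                        sessions.put(newId, this);
                    })
                    .then();
        }
    }

    public static void main(String[] args) {
        SessionIdRotationExample store = new SessionIdRotationExample();
        Session session = store.new Session("constructed-initial-id"); // constructed sample value
        String before = session.getId();

        session.changeSessionId().block(); // fine here: main thread, not a Reactor thread

        System.out.println("rotated: " + !before.equals(session.getId()));
        System.out.println("old id still resolves: " + store.sessions.containsKey(before));
        System.out.println("new id resolves: " + store.sessions.containsKey(session.getId()));
    }
}
```

With BlockHound installed, the supplier no longer trips the detector because `boundedElastic` threads are not marked non-blocking.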