Fixed concurrent access to identity hash map with reentrant lock. (#9030

)
helidon-io · Jul 23, 2024 · 81436c5 · 81436c5
1 parent c9e91c6
commit 81436c5
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/microprofile/jwt-auth/src/main/java/io/helidon/microprofile/jwt/auth/JwtAuthProvider.java b/microprofile/jwt-auth/src/main/java/io/helidon/microprofile/jwt/auth/JwtAuthProvider.java
@@ -46,6 +46,7 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Supplier;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -145,6 +146,7 @@ public class JwtAuthProvider implements AuthenticationProvider, OutboundSecurity
     private final LazyValue<Jwk> defaultJwk;
     private final LazyValue<Jwk> defaultDecryptionJwk;
     private final Map<OutboundTarget, JwtOutboundTarget> targetToJwtConfig = new IdentityHashMap<>();
+    private final ReentrantLock targetToJwtConfigLock = new ReentrantLock();
     private final String expectedIssuer;
     private final String cookiePrefix;
     private final String decryptionKeyAlgorithm;
@@ -394,7 +396,13 @@ public OutboundSecurityResponse outboundSecurity(ProviderRequest providerRequest
                     Optional<OutboundTarget> maybeTarget = outboundConfig.findTarget(outboundEnv);
 
                     return maybeTarget.flatMap(target -> {
-                        JwtOutboundTarget jwtOutboundTarget = targetToJwtConfig.computeIfAbsent(target, this::toOutboundTarget);
+                        JwtOutboundTarget jwtOutboundTarget;
+                        try {
+                            targetToJwtConfigLock.lock();
+                            jwtOutboundTarget = targetToJwtConfig.computeIfAbsent(target, this::toOutboundTarget);
+                        } finally {
+                            targetToJwtConfigLock.unlock();
+                        }
 
                         if (null == jwtOutboundTarget.jwkKid) {
                             return Optional.of(OutboundSecurityResponse.builder()
@@ -418,8 +426,13 @@ public OutboundSecurityResponse outboundSecurity(ProviderRequest providerRequest
                         Optional<OutboundTarget> maybeTarget = outboundConfig.findTarget(outboundEnv);
 
                         return maybeTarget.flatMap(target -> {
-                            JwtOutboundTarget jwtOutboundTarget = targetToJwtConfig
-                                    .computeIfAbsent(target, this::toOutboundTarget);
+                            JwtOutboundTarget jwtOutboundTarget;
+                            try {
+                                targetToJwtConfigLock.lock();
+                                jwtOutboundTarget = targetToJwtConfig.computeIfAbsent(target, this::toOutboundTarget);
+                            } finally {
+                                targetToJwtConfigLock.unlock();
+                            }
 
                             if (null == jwtOutboundTarget.jwkKid) {
                                 // just propagate existing token