元数据刷新死锁(spring-security-saml)

Posted

技术标签:

【中文标题】元数据刷新死锁(spring-security-saml)【英文标题】:Metadata refresh deadlock (spring-security-saml) 【发布时间】:2015-07-31 04:43:48 【问题描述】:

每隔几天,我们使用 Spring Security SAML 的 Web 应用就会出现死锁。刷新元数据时发生死锁。

我也尝试过从源代码中理解问题所在,但没有成功。

这是来自三个处于死锁状态的线程的堆栈跟踪:

1。 堆栈跟踪 元数据重新加载 [136] (BLOCKED)

   org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize line: 402 
   org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize line: 167 
   org.springframework.security.saml.metadata.MetadataManager.initializeProvider line: 398 
   org.springframework.security.saml.metadata.MetadataManager.refreshMetadata line: 246 
   org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata line: 86 
   org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run line: 1027 
   java.util.TimerThread.mainLoop line: 555 
   java.util.TimerThread.run line: 505

2。 堆栈跟踪 Timer-5 [135](等待中)

   sun.misc.Unsafe.park line: not available [native method]
   java.util.concurrent.locks.LockSupport.park line: 186 
   java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckInterrupt line: 834 
   java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireQueued line: 867 
   java.util.concurrent.locks.AbstractQueuedSynchronizer.acquire line: 1197 
   java.util.concurrent.locks.ReentrantReadWriteLock$WriteLock.lock line: 945 
   org.springframework.security.saml.metadata.MetadataManager.setRefreshRequired line: 983 
   org.springframework.security.saml.metadata.MetadataManager$MetadataProviderObserver.onEvent line: 1047 
   org.opensaml.saml2.metadata.provider.ChainingMetadataProvider.emitChangeEvent line: 359 
   org.opensaml.saml2.metadata.provider.ChainingMetadataProvider$ContainedProviderObserver.onEvent line: 371 
   org.opensaml.saml2.metadata.provider.AbstractObservableMetadataProvider.emitChangeEvent line: 62 
   org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata line: 427 
   org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNewMetadata line: 355 
   org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh line: 261 
   org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider$RefreshMetadataTask.run line: 513 
   java.util.TimerThread.mainLoop line: 555 
   java.util.TimerThread.run line: 505 

3。 堆栈跟踪 http-bio-7020-exec-548 [614](等待中)

   sun.misc.Unsafe.park line: not available [native method]
   java.util.concurrent.locks.LockSupport.park line: 186 
   java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckInterrupt line: 834 
   java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireShared line: 964 
   java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireShared line: 1282 
   java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock line: 731 
   org.springframework.security.saml.metadata.CachingMetadataManager.getFromCacheOrUpdate line: 160 
   org.springframework.security.saml.metadata.CachingMetadataManager.getEntityDescriptor line: 116 
   org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalEntity line: 314 
   org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalContext line: 216 
   org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalAndPeerEntity line: 126 
   org.springframework.security.saml.SAMLEntryPoint.commence line: 146 
   org.springframework.security.saml.SAMLEntryPoint.doFilter line: 107 
   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter line: 342 
   org.springframework.security.web.FilterChainProxy.doFilterInternal line: 192 
   org.springframework.security.web.FilterChainProxy.doFilter line: 166 
   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter line: 342 
   org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter line: 199 
   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter line: 342 
   org.springframework.security.web.authentication.logout.LogoutFilter.doFilter line: 110 
   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter line: 342 
   org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal line: 50 
   org.springframework.web.filter.OncePerRequestFilter.doFilter line: 106 
   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter line: 342 
   org.springframework.security.web.session.ConcurrentSessionFilter.doFilter line: 125 
   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter line: 342 
   org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter line: 87 
   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter line: 342 
   org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter line: 87 
   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter line: 342 
   org.springframework.security.web.FilterChainProxy.doFilterInternal line: 192 
   org.springframework.security.web.FilterChainProxy.doFilter line: 160 
   org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate line: 343 
   org.springframework.web.filter.DelegatingFilterProxy.doFilter line: 260 
   org.apache.catalina.core.ApplicationFilterChain.internalDoFilter line: 241 
   org.apache.catalina.core.ApplicationFilterChain.doFilter line: 208 
   org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal line: 88 
   org.springframework.web.filter.OncePerRequestFilter.doFilter line: 106 
   org.apache.catalina.core.ApplicationFilterChain.internalDoFilter line: 241 
   org.apache.catalina.core.ApplicationFilterChain.doFilter line: 208 
   hr.isvu.studomat.web.filter.RequestLoggerFilter.proslijediObraduZahtjeva line: 126 
   hr.isvu.studomat.web.filter.RequestLoggerFilter.doFilter line: 57 
   org.apache.catalina.core.ApplicationFilterChain.internalDoFilter line: 241 
   org.apache.catalina.core.ApplicationFilterChain.doFilter line: 208 
   org.apache.catalina.core.StandardWrapperValve.invoke line: 220 
   org.apache.catalina.core.StandardContextValve.invoke line: 122 
   org.apache.catalina.authenticator.AuthenticatorBase.invoke line: 501 
   org.apache.catalina.core.StandardHostValve.invoke line: 171 
   org.apache.catalina.valves.ErrorReportValve.invoke line: 102 
   org.apache.catalina.valves.AccessLogValve.invoke line: 950 
   org.apache.catalina.core.StandardEngineValve.invoke line: 116 
   org.apache.catalina.connector.CoyoteAdapter.service line: 408 
   org.apache.coyote.http11.AbstractHttp11Processor.process line: 1040 
   org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process line: 607 
   org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run line: 314 
   java.util.concurrent.ThreadPoolExecutor.runWorker line: 1145 
   java.util.concurrent.ThreadPoolExecutor$Worker.run line: 615 
   org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run line: 61 
   java.lang.Thread.run line: 722 

我们使用:

    spring-security-saml2-core 1.0.0.RELEASE org.opensaml.opensaml 2.6.1

这是元数据刷新配置:

...
        <!-- IDP Metadata configuration - paths to metadata of IDPs in circle of
                trust is here -->
        <bean id="metadata"
                class="org.springframework.security.saml.metadata.CachingMetadataManager">
                <constructor-arg>
                        <list>
                                <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                                        <constructor-arg>
                                                <value>https://www.example.org/saml2/idp/metadata.php</value>
                                        </constructor-arg>
                                        <constructor-arg>
                                                <value type="int">5000</value>
                                        </constructor-arg>
                                        <property name="parserPool" ref="parserPool" />
                                </bean>
                        </list>
                </constructor-arg>
        </bean>
...

我们如何解决这个死锁?

提前致谢, 丹尼斯

【问题讨论】:

【参考方案1】:

这是一个有效的问题,我在 Jira 中打开了一个 ticket 并推送了一个 fix to master。 snapshot repo 明天应该会有一个新的版本,你能重新测试一下吗?

【讨论】:

感谢您的修复。下周我会试试,几天后给出反馈。 通过生产中的这个修复,我们在一个多月内没有出现死锁问题。

以上是关于元数据刷新死锁(spring-security-saml)的主要内容,如果未能解决你的问题,请参考以下文章

Mysql 死锁过程及案例详解之元数据锁MetaData Lock

Mysql 死锁过程及案例详解之元数据锁MetaData Lock

在 Firebird 脚本中创建表会导致“元数据更新失败”并出现死锁

如果无效元数据可以做同样的事情,为啥需要在 Impala 中刷新

从 Spark 代码中使元数据/刷新 imapala 无效

Impala 中的无效元数据和刷新命令之间的区别?