Rollback: Don't save AdminToken user token in CTS in server mode (acc…

…ess denied cross-node api calls) (#716)
OpenIdentityPlatform · Jan 30, 2024 · b37cf97 · b37cf97
1 parent dbc77d0
commit b37cf97
Showing 1 changed file with 19 additions and 29 deletions.
diff --git a/openam-core/src/main/java/com/sun/identity/security/AdminTokenAction.java b/openam-core/src/main/java/com/sun/identity/security/AdminTokenAction.java
@@ -39,12 +39,9 @@
 import com.sun.identity.authentication.internal.AuthPrincipal;
 import com.sun.identity.common.ShutdownManager;
 import com.sun.identity.shared.debug.Debug;
-import org.forgerock.util.thread.listener.ShutdownListener;
 
 import java.security.PrivilegedAction;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
+
 
 /**
  * The class is used to perform privileged operations using
@@ -65,11 +62,9 @@
  * <code>com.iplanet.am.service.secret</code> in
  * <code>AMConfig.properties</code>. If so, we will generate single sign on
  * token based on the user name and secret.
- *
  * Note: Java security permissions check for OpenAM can be enabled
  * by setting the property <code>com.sun.identity.security.checkcaller</code> to
  * true in <code>AMConfig.properties</code> file.
- *
  * </PRE>
  *
  * 
@@ -93,7 +88,7 @@ public class AdminTokenAction implements PrivilegedAction<SSOToken> {
     /**
      * Singleton instance.
      */
-    private static AdminTokenAction instance;
+    private static volatile AdminTokenAction instance;
 
     private final SSOTokenManager tokenManager;
     private SSOToken appSSOToken;
@@ -127,12 +122,7 @@ public static AdminTokenAction getInstance() {
      */
     private AdminTokenAction() throws SSOException {
         tokenManager = SSOTokenManager.getInstance();
-        ShutdownManager.getInstance().addApplicationSSOTokenDestroyer(new ShutdownListener() {
-            @Override
-            public void shutdown() {
-                AdminTokenAction.reset();
-            }
-        });
+        ShutdownManager.getInstance().addApplicationSSOTokenDestroyer(AdminTokenAction::reset);
         validateSession = SystemProperties.getAsBoolean(VALIDATE_SESSION);
    }
 
@@ -144,15 +134,10 @@ public void shutdown() {
     public void authenticationInitialized() {
         authInitialized = true;
         // Generate the DPro's SSOToken
-        if (SystemProperties.isServerMode()) { //use in server first internalAppSSOToken (without CTS)
-        	appSSOToken = internalAppSSOToken;
-        }else {
-        	appSSOToken = getSSOToken();
-        }
+        appSSOToken = getSSOToken();
         if (debug.messageEnabled()) {
             debug.message("AdminTokenAction:authenticationInit " +
-                    "called. AppSSOToken className=" + (String)
-                    ((appSSOToken == null) ? "null" :
+                    "called. AppSSOToken className=" + ((appSSOToken == null) ? "null" :
                             appSSOToken.getClass().getName()));
         }
     }
@@ -196,7 +181,7 @@ private void resetInstance() {
      * @see java.security.PrivilegedAction#run()
      */
     public SSOToken run() {
-        SSOToken answer = null;
+        SSOToken answer;
         // Check if we have a valid cached SSOToken
         if (appSSOToken != null) {
         	if(tokenManager.isValidToken(appSSOToken)) {
@@ -229,16 +214,21 @@ public SSOToken run() {
         		internalAppSSOToken=null;
         	}
         }
-    	answer = getSSOToken();
-        if (answer != null) {
-            if (!SystemProperties.isServerMode() || authInitialized) {
-                appSSOToken = answer;
+        synchronized (this) {
+            if (appSSOToken==null) {
+                answer = getSSOToken();
+                if (answer != null) {
+                    if (!SystemProperties.isServerMode() || authInitialized) {
+                        appSSOToken = answer;
+                    }
+                    return answer;
+                } else if (debug.messageEnabled()) {
+                    debug.message("AdminTokenAction::run Unable to get SSOToken from serverconfig.xml");
+                }
+            }else {
+                return appSSOToken;
             }
-            return answer;
-        } else if (debug.messageEnabled()) {
-            debug.message("AdminTokenAction::run Unable to get SSOToken from serverconfig.xml");
         }
-
         // Check for configured Application Token Provider in AMConfig.properties
         String appTokenProviderName = SystemProperties.get(ADMIN_TOKEN_PROVIDER);
         if (appTokenProviderName != null) {