Ensure matches is not called before initialization

philwebb · philwebb · commit 1ceb96f9f264 · 2019-09-21T12:29:46.000-07:00
Update `ApplicationContextRequestMatcher` to ensure that the `matches` method is never called before `initialized`. This fixes an issue accidentally introduced in commit 5938ca7 where concurrent calls to `matches` could trigger unexpected errors due to the fact that the second call proceeded before the `initialized` method had returned. Fixes gh-18211
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java
@@ -16,7 +16,6 @@
 
 package org.springframework.boot.security.servlet;
 
-import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Supplier;
 
 import javax.servlet.http.HttpServletRequest;
@@ -44,7 +43,9 @@ public abstract class ApplicationContextRequestMatcher<C> implements RequestMatc
 
 	private final Class<? extends C> contextClass;
 
-	private final AtomicBoolean initialized = new AtomicBoolean(false);
+	private volatile boolean initialized;
+
+	private final Object initializeLock = new Object();
 
 	public ApplicationContextRequestMatcher(Class<? extends C> contextClass) {
 		Assert.notNull(contextClass, "Context class must not be null");
@@ -59,8 +60,13 @@ public final boolean matches(HttpServletRequest request) {
 			return false;
 		}
 		Supplier<C> context = () -> getContext(webApplicationContext);
-		if (this.initialized.compareAndSet(false, true)) {
-			initialized(context);
+		if (!this.initialized) {
+			synchronized (this.initializeLock) {
+				if (!this.initialized) {
+					initialized(context);
+					this.initialized = true;
+				}
+			}
 		}
 		return matches(request, context);
 	}
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/security/servlet/ApplicationContextRequestMatcherTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/security/servlet/ApplicationContextRequestMatcherTests.java
@@ -16,6 +16,10 @@
 
 package org.springframework.boot.security.servlet;
 
+import java.lang.Thread.UncaughtExceptionHandler;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Supplier;
 
 import javax.servlet.http.HttpServletRequest;
@@ -26,6 +30,7 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockServletContext;
+import org.springframework.util.ReflectionUtils;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.StaticWebApplicationContext;
 
@@ -105,6 +110,31 @@ protected boolean matches(HttpServletRequest request, Supplier<ApplicationContex
 		assertThat(matcher.matches(request)).isFalse();
 	}
 
+	@Test // gh-18211
+	public void matchesWhenConcurrentlyCalledWaitsForInitialize() {
+		ConcurrentApplicationContextRequestMatcher matcher = new ConcurrentApplicationContextRequestMatcher();
+		StaticWebApplicationContext context = createWebApplicationContext();
+		Runnable target = () -> matcher.matches(new MockHttpServletRequest(context.getServletContext()));
+		List<Thread> threads = new ArrayList<>();
+		AssertingUncaughtExceptionHandler exceptionHandler = new AssertingUncaughtExceptionHandler();
+		for (int i = 0; i < 2; i++) {
+			Thread thread = new Thread(target);
+			thread.setUncaughtExceptionHandler(exceptionHandler);
+			threads.add(thread);
+		}
+		threads.forEach(Thread::start);
+		threads.forEach(this::join);
+		exceptionHandler.assertNoExceptions();
+	}
+
+	private void join(Thread thread) {
+		try {
+			thread.join(1000);
+		}
+		catch (InterruptedException ex) {
+		}
+	}
+
 	private StaticWebApplicationContext createWebApplicationContext() {
 		StaticWebApplicationContext context = new StaticWebApplicationContext();
 		MockServletContext servletContext = new MockServletContext();
@@ -160,4 +190,47 @@ public Supplier<C> getProvidedContext() {
 
 	}
 
+	static class ConcurrentApplicationContextRequestMatcher extends ApplicationContextRequestMatcher<Object> {
+
+		ConcurrentApplicationContextRequestMatcher() {
+			super(Object.class);
+		}
+
+		private AtomicBoolean initialized = new AtomicBoolean();
+
+		@Override
+		protected void initialized(Supplier<Object> context) {
+			try {
+				Thread.sleep(200);
+			}
+			catch (InterruptedException ex) {
+			}
+			this.initialized.set(true);
+		}
+
+		@Override
+		protected boolean matches(HttpServletRequest request, Supplier<Object> context) {
+			assertThat(this.initialized.get()).isTrue();
+			return true;
+		}
+
+	}
+
+	private static class AssertingUncaughtExceptionHandler implements UncaughtExceptionHandler {
+
+		private volatile Throwable ex;
+
+		@Override
+		public void uncaughtException(Thread thead, Throwable ex) {
+			this.ex = ex;
+		}
+
+		public void assertNoExceptions() {
+			if (this.ex != null) {
+				ReflectionUtils.rethrowRuntimeException(this.ex);
+			}
+		}
+
+	}
+
 }
