KEYCLOAK-4148 Instantiate XMLInputFactory in singleton-like manner

saml-core/src/main/java/org/keycloak/saml/common/util/StaxParserUtil.java

@@ -239,15 +239,10 @@ public class StaxParserUtil {
      * @return
      */
     public static XMLEventReader getXMLEventReader(InputStream is) {
-        XMLInputFactory xmlInputFactory = null;
+        XMLInputFactory xmlInputFactory;
         XMLEventReader xmlEventReader = null;
         try {
-            xmlInputFactory = getXMLInputFactory();
+            xmlInputFactory = XML_INPUT_FACTORY.get();
-            xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.TRUE);
-            xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
-            xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
-            xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
-
             xmlEventReader = xmlInputFactory.createXMLEventReader(is);
         } catch (Exception ex) {
             throw new RuntimeException(ex);
@@ -518,6 +513,13 @@ public class StaxParserUtil {
             throw new RuntimeException(logger.parserExpectedEndTag("</" + tag + ">.  Found </" + elementTag + ">"));
     }
 
+    private static final ThreadLocal<XMLInputFactory> XML_INPUT_FACTORY = new ThreadLocal<XMLInputFactory>() {
+        @Override
+        protected XMLInputFactory initialValue() {
+            return getXMLInputFactory();
+        }
+    };
+
     private static XMLInputFactory getXMLInputFactory() {
         boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
                 .equalsIgnoreCase("true");
@@ -526,7 +528,14 @@ public class StaxParserUtil {
             if (tccl_jaxp) {
                 SecurityActions.setTCCL(StaxParserUtil.class.getClassLoader());
             }
-            return XMLInputFactory.newInstance();
+            XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+
+            xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.TRUE);
+            xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+            xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
+            xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
+
+            return xmlInputFactory;
         } finally {
             if (tccl_jaxp) {
                 SecurityActions.setTCCL(prevTCCL);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/ConcurrentAuthnRequestTest.java

@@ -0,0 +1,142 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.saml;
+
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.protocol.saml.SamlProtocol;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.representations.idm.UserRepresentation;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.keycloak.services.resources.RealmsResource;
+import org.keycloak.testsuite.AbstractAuthTest;
+import org.keycloak.testsuite.util.SamlClient;
+
+import java.io.IOException;
+import java.net.URI;
+import java.util.Collection;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import javax.ws.rs.core.UriBuilder;
+import javax.ws.rs.core.UriBuilderException;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.protocol.HttpClientContext;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.util.EntityUtils;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.w3c.dom.Document;
+
+import static org.keycloak.testsuite.util.SamlClient.*;
+import static org.keycloak.testsuite.util.IOUtil.loadRealm;
+
+/**
+ *
+ * @author hmlnarik
+ */
+@Ignore
+public class ConcurrentAuthnRequestTest extends AbstractAuthTest {
+
+    private static final String REALM_NAME = "demo";
+
+    private static final String SAML_ASSERTION_CONSUMER_URL_SALES_POST = "http://localhost:8080/sales-post/";
+    private static final String SAML_CLIENT_ID_SALES_POST = "http://localhost:8081/sales-post/";
+
+    public static final int ITERATIONS = 10000;
+    public static final int CONCURRENT_THREADS = 5;
+
+    private static void loginRepeatedly(UserRepresentation user, URI samlEndpoint,
+      Document samlRequest, String relayState, Binding requestBinding) {
+        CloseableHttpResponse response = null;
+        SamlClient.RedirectStrategyWithSwitchableFollowRedirect strategy = new SamlClient.RedirectStrategyWithSwitchableFollowRedirect();
+        ExecutorService threadPool = Executors.newFixedThreadPool(CONCURRENT_THREADS);
+
+        try (CloseableHttpClient client = HttpClientBuilder.create().setRedirectStrategy(strategy).build()) {
+            HttpUriRequest post = requestBinding.createSamlRequest(samlEndpoint, relayState, samlRequest);
+            
+            Collection<Callable<Void>> futures = new LinkedList<>();
+            for (int i = 0; i < ITERATIONS; i ++) {
+                final int j = i;
+                Callable<Void> f = () -> {
+                    performLogin(post, samlEndpoint, relayState, samlRequest, response, client, user, strategy);
+                    return null;
+                };
+                futures.add(f);
+            }
+
+            threadPool.invokeAll(futures);
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    public static void performLogin(HttpUriRequest post, URI samlEndpoint, String relayState,
+      Document samlRequest, CloseableHttpResponse response, final CloseableHttpClient client,
+      UserRepresentation user,
+      RedirectStrategyWithSwitchableFollowRedirect strategy) {
+        try {
+            HttpClientContext context = HttpClientContext.create();
+            response = client.execute(post, context);
+
+            String loginPageText = EntityUtils.toString(response.getEntity(), "UTF-8");
+            response.close();
+
+            HttpUriRequest loginRequest = handleLoginPage(user, loginPageText);
+
+            strategy.setRedirectable(false);
+            response = client.execute(loginRequest, context);
+            response.close();
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        } finally {
+            if (response != null) {
+                EntityUtils.consumeQuietly(response.getEntity());
+                try { response.close(); } catch (IOException ex) { }
+            }
+        }
+    }
+
+    @Override
+    public void addTestRealms(List<RealmRepresentation> testRealms) {
+        testRealms.add(loadRealm("/adapter-test/keycloak-saml/testsaml.json"));
+    }
+
+    public AuthnRequestType createLoginRequestDocument(String issuer, String assertionConsumerURL, String realmName) {
+        return SamlClient.createLoginRequestDocument(issuer, assertionConsumerURL, getAuthServerSamlEndpoint(realmName));
+    }
+
+    private URI getAuthServerSamlEndpoint(String realm) throws IllegalArgumentException, UriBuilderException {
+        return RealmsResource
+          .protocolUrl(UriBuilder.fromUri(getAuthServerRoot()))
+          .build(realm, SamlProtocol.LOGIN_PROTOCOL);
+    }
+
+    private void testLogin(Binding requestBinding) throws Exception {
+        AuthnRequestType loginRep = createLoginRequestDocument(SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, REALM_NAME);
+        Document samlRequest = SAML2Request.convert(loginRep);
+        loginRepeatedly(bburkeUser, getAuthServerSamlEndpoint(REALM_NAME), samlRequest, null, requestBinding);
+    }
+
+    @Test
+    public void testConcurrentPostLogins() throws Exception {
+        testLogin(Binding.POST);
+    }
+}