CAS 5.1.2 ConcurrentModificationException at login

[Juan Quintanilla]

Hi,

We are running CAS 5.1.2 with Mongodb for ticketing and ldap for authentication and have been seeing the following error every so often during heavy load test which seems to give  500:Internal Server Error and a ConcurrentModificationException in the logs.   We have not done any changes to the login webflow so we were wondering if anybody has encountered something similar.

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'serviceAuthorizationCheck' of flow 'login'>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@223e18b6 expression = serviceAuthorizationCheck, resultExpression = [null]]>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.support.oauth.web.flow.OAuth20RegisteredServiceUIAction@21766ad7>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.support.oauth.web.flow.OAuth20RegisteredServiceUIAction@21766ad7; result = success>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@31103215>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.support.saml.web.flow.SamlIdPMetadataUIAction@5cd75d07>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.support.saml.web.flow.SamlIdPMetadataUIAction@5cd75d07; result = success>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.oidc.web.flow.OidcRegisteredServiceUIAction@7e7f326a>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.oidc.web.flow.OidcRegisteredServiceUIAction@7e7f326a; result = success>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@31103215 in state 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause [java.util.ConcurrentModificationException]>

2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Rethrowing unhandled flow execution exception>

2019-01-31 14:53:35,959 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@31103215 in state 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were 'map[[empty]]']>

org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@31103215 in state 'serviceAuthorizationCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'

        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

THanks!

Juan Quintanilla

[Andy Ng]

Hi Juan,

You are using an old version of CAS, your best bet is to upgrade to a more recent version. You can check the latest CAS release here: https://github.com/apereo/cas/releases

To minimized the change needed, use 5.3.7 would be Ok. 6.0.0 is better but you would need to change a fair bit in your enviornment (at least need to change to JDK11).

As for actually why this (i.e. ConcurrentModificationException) happen, I have search in the CAS PR and found the below: https://github.com/apereo/cas/pull/2649.

If your problem is the same as the above, then maybe your problem exists in 5.1.x and is fixed in 5.2.x?

Anyway, see if the above helps you!

Cheers!

- Andy