Make HttpsJwks threadsafe
Thomas Zimmermann
Branch: zimmi/jose4j:threadsafe-https-jwks
Branch: b_c/jose4j:master
Merged
Merged pull request
Merged in zimmi/jose4j/threadsafe-https-jwks (pull request #13)
Hi!
The Javadoc of HttpsJwks reads:
The keys are cached per {@code HttpsJwks} instance so your application will need to keep using the same instance, however is appropriate for that application, to get the benefit of the caching.
However, HttpsJwks is not threadsafe: The cache field can be written to and read from different Threads without any happens-before relationship. This is a problem in typical web applications where every request is assigned to a Thread out of a shared pool. So I believe it's best to be threadsafe by default. Since the other fields are mutable and could be potentially altered after construction, they need to be at least volatile as well. It looks ok now, but it's hard to imagine all the potential interactions.
I also added a Lock to avoid flooding the OP with requests from multiple threads that try to refresh at the same time.
I believe this is threadsafe now, but I'd love another opinion.
Oh, and thank you so much for this library. The lack of dependencies is great. :)
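The pattern the description names (a volatile cache field plus a lock so that only one thread refreshes) can be sketched as follows. This is an added example, not code from this pull request or from jose4j; the class `CachedKeySet`, its `fetcher` supplier standing in for the HTTPS request, and the string keys are hypothetical.

```java
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Supplier;

// Hypothetical class for illustration; not the jose4j HttpsJwks source.
public class CachedKeySet {
    // Immutable snapshot: keys and expiry are published together.
    private record Snapshot(List<String> keys, long expiresAtMillis) {}

    // volatile write/read gives readers a happens-before edge with the refresher.
    private volatile Snapshot cache = new Snapshot(List.of(), 0L);
    private volatile long ttlMillis = 3_600_000L; // settable after construction
    private final ReentrantLock refreshLock = new ReentrantLock();
    private final Supplier<List<String>> fetcher; // stands in for the HTTPS GET

    public CachedKeySet(Supplier<List<String>> fetcher) { this.fetcher = fetcher; }

    public void setTtlMillis(long ttlMillis) { this.ttlMillis = ttlMillis; }

    public List<String> getKeys() {
        Snapshot current = cache; // one volatile read, then use the local copy
        if (System.currentTimeMillis() < current.expiresAtMillis()) return current.keys();
        refreshLock.lock(); // expired: only one thread may call the endpoint
        try {
            current = cache; // re-check, another thread may have refreshed while we waited
            if (System.currentTimeMillis() >= current.expiresAtMillis()) {
                current = new Snapshot(List.copyOf(fetcher.get()),
                                       System.currentTimeMillis() + ttlMillis);
                cache = current;
            }
            return current.keys();
        } finally {
            refreshLock.unlock();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        AtomicInteger fetches = new AtomicInteger();
        CachedKeySet jwks = new CachedKeySet(() -> {
            fetches.incrementAndGet();
            return List.of("constructed-key-1"); // constructed sample data
        });
        Thread[] pool = new Thread[8];
        for (int i = 0; i < pool.length; i++) (pool[i] = new Thread(jwks::getKeys)).start();
        for (Thread t : pool) t.join();
        System.out.println("fetches=" + fetches.get());
    }
}
```

The re-check inside the lock is what keeps threads that queued behind the first refresher from each issuing their own request once they acquire the lock.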