Skip to content

Fix a concurrency issue#152

Merged
nrktkt merged 1 commit into
blackdoor:masterfrom
longshorej:longshorej/fix-thread-safety-issue
Apr 6, 2026
Merged

Fix a concurrency issue#152
nrktkt merged 1 commit into
blackdoor:masterfrom
longshorej:longshorej/fix-thread-safety-issue

Conversation

@longshorej

@longshorej longshorej commented Apr 3, 2026

Copy link
Copy Markdown
Contributor

Concurrent calls to Jwt.validate will often fail because of the use of a thread-unsafe instance from different threads.

This change ensures that Signature instances are not concurrently used between threads, by allocating a new one for each RsaAlg validate call.

java.security.Signature instances are not thread-safe.

Key points:

- The Signature object holds mutable internal state (e.g., initialized-for-sign/verify, accumulated data via update(...), etc.).
- The JCA/JDK docs and common practice assume one Signature instance per thread / per operation.
- You must not call update/sign/verify on the same instance concurrently from multiple threads.

Concurrent calls to `Jwt.validate` will often fail because of
the use of a thread-unsafe instance from different threads.

This change ensures that `Signature` instances are not
concurrently used between threads, by allocating a new one
for each RsaAlg validate call.
@nrktkt nrktkt merged commit 5b4b83d into blackdoor:master Apr 6, 2026
2 checks passed
@longshorej longshorej deleted the longshorej/fix-thread-safety-issue branch April 6, 2026 21:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants