Posted to dev@ofbiz.apache.org by "David E. Jones (JIRA)" <ji...@apache.org> on 2008/01/28 04:49:34 UTC

[jira] Closed: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

     [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David E. Jones closed OFBIZ-1592.
---------------------------------

    Resolution: Fixed
      Assignee: David E. Jones  (was: Si Chen)

I agree that we shouldn't be caching an empty list when there is an error. I don't agree that we should never cache an empty list; that would have a pretty annoying performance impact.

I've committed a variation of Adrian's patch in rev 615722 in the trunk and in the release4.0 branch, well, there I got a conflict.

> Database spikes lead to permanent user privilege loss
> -----------------------------------------------------
>
>                 Key: OFBIZ-1592
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1592
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Leon Torres
>            Assignee: David E. Jones
>            Priority: Critical
>             Fix For: SVN trunk
>
>         Attachments: OFBizSecurity.patch, permanent-security-loss.patch
>
>
> We found a critical bug in OFBiz security where temporary database spikes can lead to permanent privilege loss for users trying to log in or do something during the spike.  The loss lasts until a cache refresh or a restart.  A symptom is customers not being able to log in to do a checkout, not being able to create new accounts, and backend users not being able to perform their duties due to privilege loss.
> The reason for the bug was found to be in the caching of UserLoginSecurityGroup in OFBizSecurity.  When there's an SQL exception, such as during a lag spike, an empty list will be stored in the cache.  Subsequent security checks will retrieve this empty list and never ask the database again what the actual security groups are. 
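The failure mode in the quoted description, and the fix discussed in the comment above (don't cache on error, but do cache a genuinely empty result), shown side by side as an added example. This is not OFBiz code or either attached patch; `GroupLookup`, `SecurityGroupCache` and the two `getGroups*` methods are hypothetical stand-ins for the UserLoginSecurityGroup lookup, and the flaky lookup that fails once is constructed to simulate a lag spike.

```java
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for the database lookup of a user's security groups.
interface GroupLookup {
    List<String> findSecurityGroups(String userLoginId) throws SQLException;
}

public class SecurityGroupCache {
    private final Map<String, List<String>> cache = new ConcurrentHashMap<>();
    private final GroupLookup lookup;

    public SecurityGroupCache(GroupLookup lookup) {
        this.lookup = lookup;
    }

    // BUGGY: mirrors the issue. A transient SQLException leaves 'groups' as an
    // empty list, which is then cached, so the user stays privilege-less until
    // a cache clear or restart even though the database recovered.
    public List<String> getGroupsBuggy(String userLoginId) {
        List<String> groups = cache.get(userLoginId);
        if (groups == null) {
            groups = new ArrayList<>();
            try {
                groups = lookup.findSecurityGroups(userLoginId);
            } catch (SQLException e) {
                System.err.println("lookup failed: " + e.getMessage());
            }
            cache.put(userLoginId, groups); // caches the error as "no groups"
        }
        return groups;
    }

    // FIXED: only results that really came from the database are cached,
    // including a genuinely empty list (a user with no groups). On error the
    // request is denied for this call only, and the next call retries the lookup.
    public List<String> getGroupsFixed(String userLoginId) {
        List<String> groups = cache.get(userLoginId);
        if (groups != null) {
            return groups;
        }
        try {
            groups = lookup.findSecurityGroups(userLoginId);
        } catch (SQLException e) {
            System.err.println("lookup failed, not caching: " + e.getMessage());
            return Collections.emptyList(); // fail closed, nothing stored
        }
        if (groups == null) {
            groups = Collections.emptyList();
        }
        cache.put(userLoginId, groups);
        return groups;
    }

    // Constructed lookup: the first call throws (simulated lag spike), later
    // calls return the real groups for 'admin' and an empty list for anyone else.
    static GroupLookup flakyLookup() {
        return new GroupLookup() {
            private int calls = 0;

            public List<String> findSecurityGroups(String userLoginId) throws SQLException {
                if (calls++ == 0) {
                    throw new SQLException("connection timed out");
                }
                return "admin".equals(userLoginId)
                        ? Arrays.asList("FULLADMIN")
                        : Collections.<String>emptyList();
            }
        };
    }

    public static void main(String[] args) {
        SecurityGroupCache buggy = new SecurityGroupCache(flakyLookup());
        System.out.println("buggy, during spike: " + buggy.getGroupsBuggy("admin"));
        System.out.println("buggy, after spike:  " + buggy.getGroupsBuggy("admin")); // still empty

        SecurityGroupCache fixed = new SecurityGroupCache(flakyLookup());
        System.out.println("fixed, during spike: " + fixed.getGroupsFixed("admin"));
        System.out.println("fixed, after spike:  " + fixed.getGroupsFixed("admin")); // [FULLADMIN]
    }
}
```

Running `main` shows the buggy cache answering `[]` for `admin` on both calls, while the fixed cache denies only the call made during the spike and returns `[FULLADMIN]` once the lookup succeeds. The distinction that matters is between "the database said no groups" (safe to cache) and "the database did not answer" (never cache).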
