You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Jacopo Cappellato (JIRA)" <ji...@apache.org> on 2008/01/25 06:21:34 UTC
[jira] Issue Comment Edited: (OFBIZ-1592) Database spikes lead to
permanent user privilege loss
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562364#action_12562364 ]
jacopoc edited comment on OFBIZ-1592 at 1/24/08 9:20 PM:
-------------------------------------------------------------------
Hi Leon,
here is the address to subscribe to the dev list:
dev-subscribe@ofbiz.apache.org
Jacopo
was (Author: jacopoc):
Hi Leaon,
here is the address to subscribe to the dev list:
dev-subscribe@ofbiz.apache.org
Jacopo
> Database spikes lead to permanent user privilege loss
> -----------------------------------------------------
>
> Key: OFBIZ-1592
> URL: https://issues.apache.org/jira/browse/OFBIZ-1592
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Leon Torres
> Assignee: Si Chen
> Priority: Critical
> Fix For: SVN trunk
>
> Attachments: OFBizSecurity.patch, permanent-security-loss.patch
>
>
> We found a critical bug in OFBiz security where temporary database spikes can lead to permanent privilege loss for users trying to log in or do something during the spike. The loss lasts until a cache refresh or a restart. A symptom is customers not being able to log in to do a checkout, not being able to create new accounts, and backend users not being able to perform their duties due to privilege loss.
> The reason for the bug was found to be in the caching of UserLoginSecurityGroup in OFBizSecurity. When there's an SQL exception, such as during a lag spike, an empty list will be stored in the cache. Subsequent security checks will retrieve this empty list and never ask the database again what the actual security groups are.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.