Posted to dev@ofbiz.apache.org by "Leon Torres (JIRA)" <ji...@apache.org> on 2008/01/22 19:06:38 UTC
[jira] Created: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Database spikes lead to permanent user privilege loss
-----------------------------------------------------
Key: OFBIZ-1592
URL: https://issues.apache.org/jira/browse/OFBIZ-1592
Project: OFBiz
Issue Type: Bug
Components: framework
Affects Versions: SVN trunk
Reporter: Leon Torres
Priority: Critical
Fix For: SVN trunk
Attachments: permanent-security-loss.patch
We found a critical bug in OFBiz security where temporary database spikes can lead to permanent privilege loss for users trying to log in or do something during the spike. The loss lasts until a cache refresh or a restart. A symptom is customers not being able to log in to do a checkout, not being able to create new accounts, and backend users not being able to perform their duties due to privilege loss.
The reason for the bug was found to be in the caching of UserLoginSecurityGroup in OFBizSecurity. When there's an SQL exception, such as during a lag spike, an empty list will be stored in the cache. Subsequent security checks will retrieve this empty list and never ask the database again what the actual security groups are.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Si Chen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Si Chen reassigned OFBIZ-1592:
------------------------------
Assignee: Si Chen
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Leon Torres (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561923#action_12561923 ]
Leon Torres commented on OFBIZ-1592:
------------------------------------
Also note if the user doesn't have any security groups, an empty list is returned and cached. So it avoids DB hits for the case you stated Adrian. :)
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Jacopo Cappellato (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561965#action_12561965 ]
Jacopo Cappellato commented on OFBIZ-1592:
------------------------------------------
Can we move this discussion to the dev list?
Jacopo
[jira] Updated: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Leon Torres (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leon Torres updated OFBIZ-1592:
-------------------------------
Attachment: permanent-security-loss.patch
This patch is known to fix the issue completely.
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562160#action_12562160 ]
Adrian Crum commented on OFBIZ-1592:
------------------------------------
No, it doesn't do the same thing. Look again.
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Leon Torres (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561922#action_12561922 ]
Leon Torres commented on OFBIZ-1592:
------------------------------------
Trying to avoid database hits led to the problem in the first place. We should rely on the database's native caching ability.
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Leon Torres (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562158#action_12562158 ]
Leon Torres commented on OFBIZ-1592:
------------------------------------
Sorry Adrian, that patch you proposed does exactly the same thing. Can someone else review it?
I'm not on the dev list at the moment, further comments should be on this issue.
[jira] Updated: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adrian Crum updated OFBIZ-1592:
-------------------------------
Attachment: OFBizSecurity.patch
Si & Leon - take a look at OFBizSecurity.patch.
[jira] Closed: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "David E. Jones (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David E. Jones closed OFBIZ-1592.
---------------------------------
Resolution: Fixed
Assignee: David E. Jones (was: Si Chen)
I agree that we shouldn't be caching an empty list when there is an error. I don't agree that we should never cache an empty list; that would have a pretty annoying performance impact.
I've committed a variation of Adrian's patch in rev 615722 in the trunk and in the release4.0 branch, well, there I got a conflict.
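The cache behaviour this thread argues about, as an added illustration that is not OFBiz code: `GroupLoader`, `SecurityGroupCache` and `FlakyLoader` are hypothetical stand-ins for the UserLoginSecurityGroup lookup and the OFBizSecurity cache. With `cacheOnError` set, a transient SQL exception is stored as an empty group list (the OFBIZ-1592 bug); without it, the failing check is denied but the cache is left alone, while a genuinely empty group list is still cached, which is the trade-off David Jones describes against Leon's "only store in cache if we get something" patch.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical stand-in for the UserLoginSecurityGroup lookup; throws when the database is unavailable. */
interface GroupLoader {
    List<String> load(String userLoginId) throws Exception;
}

/** Illustrative per-user group cache (constructed for this example, not OFBizSecurity's code). */
class SecurityGroupCache {
    private final Map<String, List<String>> cache = new ConcurrentHashMap<>();
    private final GroupLoader loader;
    private final boolean cacheOnError; // true reproduces the OFBIZ-1592 behaviour

    SecurityGroupCache(GroupLoader loader, boolean cacheOnError) {
        this.loader = loader;
        this.cacheOnError = cacheOnError;
    }

    List<String> getGroups(String userLoginId) {
        List<String> cached = cache.get(userLoginId);
        if (cached != null) return cached;
        List<String> loaded;
        try {
            loaded = loader.load(userLoginId);
        } catch (Exception e) {
            if (cacheOnError) {
                // Bug: a transient SQL error is recorded as "no groups" and never re-queried.
                cache.put(userLoginId, Collections.emptyList());
            }
            // Fix: deny this one check (fail closed) but leave the cache untouched,
            // so the next check asks the database again once it has recovered.
            return Collections.emptyList();
        }
        // A genuinely empty result is still cached: users with no groups must not
        // cost a database hit on every permission check.
        List<String> groups = Collections.unmodifiableList(new ArrayList<>(loaded));
        cache.put(userLoginId, groups);
        return groups;
    }

    boolean hasPermission(String userLoginId, String requiredGroup) {
        return getGroups(userLoginId).contains(requiredGroup);
    }
}

public class CachePoisonDemo {
    /** Constructed loader: fails while spike is set, otherwise answers from a tiny in-memory table. */
    static class FlakyLoader implements GroupLoader {
        boolean spike = false;
        int dbHits = 0;
        private final Map<String, List<String>> table = Map.of(
                "admin", List.of("FULLADMIN"),
                "customer1", List.<String>of()); // a user who belongs to no security group

        public List<String> load(String userLoginId) throws Exception {
            dbHits++;
            if (spike) throw new Exception("simulated SQL exception during a lag spike");
            return table.getOrDefault(userLoginId, List.<String>of());
        }
    }

    public static void main(String[] args) {
        for (boolean buggy : new boolean[] {true, false}) {
            FlakyLoader db = new FlakyLoader();
            SecurityGroupCache sec = new SecurityGroupCache(db, buggy);

            db.spike = true;                                   // lag spike begins
            boolean duringSpike = sec.hasPermission("admin", "FULLADMIN");
            db.spike = false;                                  // database recovers
            boolean afterSpike = sec.hasPermission("admin", "FULLADMIN");

            sec.hasPermission("customer1", "FULLADMIN");       // first check: one DB hit
            int hitsBefore = db.dbHits;
            sec.hasPermission("customer1", "FULLADMIN");       // second check: served from cache
            boolean emptyListCached = (db.dbHits == hitsBefore);

            System.out.printf("%s: admin during spike=%b, admin after spike=%b, empty list cached=%b%n",
                    buggy ? "BUGGY" : "FIXED", duringSpike, afterSpike, emptyListCached);
        }
    }
}
```

Running both variants shows the difference in one line each: the buggy cache keeps denying the admin after the database has recovered, while the fixed cache denies only the check made during the spike and still serves the no-group user from cache on the second check.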
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561906#action_12561906 ]
Adrian Crum commented on OFBIZ-1592:
------------------------------------
I think the patch needs more work. At first glance it appears that there will be more DB hits for users who aren't in security groups.
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Si Chen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561899#action_12561899 ]
Si Chen commented on OFBIZ-1592:
--------------------------------
If there are no objections I will commit it.
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Si Chen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561915#action_12561915 ]
Si Chen commented on OFBIZ-1592:
--------------------------------
Why do you think so?
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Jacopo Cappellato (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562364#action_12562364 ]
Jacopo Cappellato commented on OFBIZ-1592:
------------------------------------------
Hi Leon,
here is the address to subscribe to the dev list:
dev-subscribe@ofbiz.apache.org
Jacopo
[jira] Issue Comment Edited: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Jacopo Cappellato (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562364#action_12562364 ]
jacopoc edited comment on OFBIZ-1592 at 1/24/08 9:20 PM:
-------------------------------------------------------------------
Hi Leon,
here is the address to subscribe to the dev list:
dev-subscribe@ofbiz.apache.org
Jacopo
was (Author: jacopoc):
Hi Leaon,
here is the address to subscribe to the dev list:
dev-subscribe@ofbiz.apache.org
Jacopo
[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562112#action_12562112 ]
Adrian Crum commented on OFBIZ-1592:
------------------------------------
Leon,
Read your comment in the patch: "// only store in cache if we get something" - so if a user isn't a member of a security group, a DB hit will occur every time that user's permissions are checked.