ofbiz-dev mailing list archives
From "Adrian Crum (JIRA)" <j...@apache.org>
Subject [jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss
Date Thu, 24 Jan 2008 01:02:40 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561906#action_12561906 ]

Adrian Crum commented on OFBIZ-1592:
------------------------------------

I think the patch needs more work. At first glance it appears that there will be more DB hits
for users who aren't in security groups.


> Database spikes lead to permanent user privilege loss
> -----------------------------------------------------
>
>                 Key: OFBIZ-1592
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1592
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Leon Torres
>            Assignee: Si Chen
>            Priority: Critical
>             Fix For: SVN trunk
>
>         Attachments: permanent-security-loss.patch
>
>
> We found a critical bug in OFBiz security where temporary database spikes can lead to
> permanent privilege loss for users trying to log in or do something during the spike.  The
> loss lasts until a cache refresh or a restart.  A symptom is customers not being able to log
> in to do a checkout, not being able to create new accounts, and backend users not being able
> to perform their duties due to privilege loss.
> The reason for the bug was found to be in the caching of UserLoginSecurityGroup in OFBizSecurity.
> When there's an SQL exception, such as during a lag spike, an empty list will be stored in
> the cache.  Subsequent security checks will retrieve this empty list and never ask the database
> again what the actual security groups are.

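The failure mode the issue describes (an exception during the security-group lookup being cached as an empty group list, so every later check for that user is answered from the cache) is easy to reproduce in a small model. The following is an added illustration, not OFBiz code and not the attached patch: `FlakyDb`, `NaiveGroupCache` and `SafeGroupCache` are constructed stand-ins for the UserLoginSecurityGroup table and for the cache in OFBizSecurity, and the user and group names are made up. The naive cache stores whatever it has after a failed query; the hardened variant fails closed for that one request but never caches a failure, so it recovers as soon as the database answers again.

```python
"""Model of the OFBIZ-1592 failure mode: a permission cache that stores an
empty result when the database lookup throws. Illustrative only; the classes
below are stand-ins, not OFBiz's OFBizSecurity or its entity engine."""
from typing import Dict, List


class DbUnavailable(Exception):
    """Stands in for the SQL exception raised during a lag spike."""


class FlakyDb:
    """Constructed stand-in for the UserLoginSecurityGroup table.
    Raises DbUnavailable for the first `failures` queries, then answers."""

    def __init__(self, groups: Dict[str, List[str]], failures: int):
        self._groups = groups
        self._failures = failures
        self.queries = 0  # how many times the "database" was actually asked

    def security_groups(self, user_login_id: str) -> List[str]:
        self.queries += 1
        if self._failures > 0:
            self._failures -= 1
            raise DbUnavailable("connection timed out")
        return list(self._groups.get(user_login_id, []))


class NaiveGroupCache:
    """The pattern the issue describes: on an exception the (still empty)
    result list is cached as if it were authoritative, so the database is
    never asked again for that user until the cache is cleared."""

    def __init__(self, db: FlakyDb):
        self._db = db
        self._cache: Dict[str, List[str]] = {}

    def groups(self, user_login_id: str) -> List[str]:
        if user_login_id in self._cache:
            return self._cache[user_login_id]
        result: List[str] = []
        try:
            result = self._db.security_groups(user_login_id)
        except DbUnavailable:
            pass  # exception swallowed; result stays []
        self._cache[user_login_id] = result  # bug: the failure is cached
        return result


class SafeGroupCache:
    """Hardened variant: a failed lookup is never cached. The check still
    fails closed (no groups) for that single request, but the next request
    queries the database again and recovers once it is reachable. A
    genuinely empty list returned by the database is still cached, so users
    with no security groups do not cause extra queries."""

    def __init__(self, db: FlakyDb):
        self._db = db
        self._cache: Dict[str, List[str]] = {}

    def groups(self, user_login_id: str) -> List[str]:
        cached = self._cache.get(user_login_id)
        if cached is not None:
            return cached
        try:
            result = self._db.security_groups(user_login_id)
        except DbUnavailable:
            return []  # fail closed for this request only; nothing cached
        self._cache[user_login_id] = result
        return result


def has_permission(groups: List[str], required_group: str) -> bool:
    """Minimal stand-in for a security check: membership in a group."""
    return required_group in groups


def simulate(cache_cls, failures: int = 1, requests: int = 3) -> List[bool]:
    """Run `requests` permission checks for one user against a database that
    fails for the first `failures` queries; return each check's outcome."""
    db = FlakyDb({"admin": ["FULLADMIN"]}, failures=failures)  # constructed data
    cache = cache_cls(db)
    return [has_permission(cache.groups("admin"), "FULLADMIN")
            for _ in range(requests)]


if __name__ == "__main__":
    print("naive:", simulate(NaiveGroupCache))  # [False, False, False]
    print("safe: ", simulate(SafeGroupCache))   # [False, True, True]
```

With one failed query followed by a healthy database, the naive cache denies the user on every subsequent check (the "permanent privilege loss" until a cache refresh or restart), while the safe cache denies only the request that coincided with the spike. The distinction that matters for review of the patch is between an empty list the database actually returned (safe to cache) and an empty list that merely reflects an exception (never cache it).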

