[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Si Chen reassigned OFBIZ-1592:
------------------------------
Assignee: Si Chen
> Database spikes lead to permanent user privilege loss
> -----------------------------------------------------
>
> Key: OFBIZ-1592
> URL: https://issues.apache.org/jira/browse/OFBIZ-1592
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Leon Torres
> Assignee: Si Chen
> Priority: Critical
> Fix For: SVN trunk
>
> Attachments: permanent-security-loss.patch
>
>
> We found a critical bug in OFBiz security where temporary database spikes can
> lead to permanent privilege loss for users trying to log in or do something
> during the spike. The loss lasts until a cache refresh or a restart. A
> symptom is customers not being able to log in to do a checkout, not being
> able to create new accounts, and backend users not being able to perform
> their duties due to privilege loss.
> The reason for the bug was found to be in the caching of
> UserLoginSecurityGroup in OFBizSecurity. When there's an SQL exception, such
> as during a lag spike, an empty list will be stored in the cache. Subsequent
> security checks will retrieve this empty list and never ask the database
> again what the actual security groups are.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
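The cache-poisoning sequence the report describes, modelled as an added Python example (not OFBiz code): an in-memory stand-in for the UserLoginSecurityGroup table fails once, the vulnerable variant caches the empty default and keeps denying, while the hardened variant caches only a successful lookup and recovers on the next check. The store, class names and the "admin"/"FULLADMIN" sample data are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple
class DbUnavailable(Exception):
    """Stand-in for the SQL exception raised while the database is lagging."""

class FakeGroupStore:
    """Constructed in-memory stand-in for the UserLoginSecurityGroup table."""
    def __init__(self, groups: Dict[str, List[str]]) -> None:
        self._groups = groups
        self.fail_next = 0   # how many upcoming queries should raise
        self.queries = 0     # how often the "database" was actually asked
    def find_groups(self, user_login_id: str) -> List[str]:
        self.queries += 1
        if self.fail_next > 0:
            self.fail_next -= 1
            raise DbUnavailable("query timed out during load spike")
        return list(self._groups.get(user_login_id, []))

class VulnerableSecurity:
    """Models the reported behaviour: a failed lookup stores [] in the cache."""
    def __init__(self, store: FakeGroupStore) -> None:
        self.store = store
        self.cache: Dict[str, List[str]] = {}
    def groups_for(self, user_login_id: str) -> List[str]:
        if user_login_id not in self.cache:
            try:
                groups = self.store.find_groups(user_login_id)
            except DbUnavailable:
                groups = []   # error swallowed, empty default cached below
            self.cache[user_login_id] = groups   # poisoned until cache clear/restart
        return self.cache[user_login_id]
    def has_group(self, user_login_id: str, group_id: str) -> bool:
        return group_id in self.groups_for(user_login_id)

class HardenedSecurity(VulnerableSecurity):
    """Caches only a successful result; a failure propagates and is retried."""
    def groups_for(self, user_login_id: str) -> List[str]:
        if user_login_id not in self.cache:
            self.cache[user_login_id] = self.store.find_groups(user_login_id)
        return self.cache[user_login_id]

def run_spike_scenario(security_cls) -> Tuple[Optional[bool], bool, int]:
    """One query fails, then the database recovers: (first, after, db queries)."""
    store = FakeGroupStore({"admin": ["FULLADMIN"]})   # constructed sample data
    security = security_cls(store)
    store.fail_next = 1
    try:
        first: Optional[bool] = security.has_group("admin", "FULLADMIN")
    except DbUnavailable:
        first = None   # the check errored out instead of silently denying
    return first, security.has_group("admin", "FULLADMIN"), store.queries
```

The vulnerable variant answers (False, False, 1): one failed query, then a permanent denial served from the cache; the hardened variant answers (None, True, 2): the first check surfaces the error and the second one asks the database again.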