[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562112#action_12562112 ]
Adrian Crum commented on OFBIZ-1592:
------------------------------------
Leon,
Read your comment in the patch: "// only store in cache if we get something" -
so if a user isn't a member of a security group, a DB hit will occur every time
that user's permissions are checked.
> Database spikes lead to permanent user privilege loss
> -----------------------------------------------------
>
> Key: OFBIZ-1592
> URL: https://issues.apache.org/jira/browse/OFBIZ-1592
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Leon Torres
> Assignee: Si Chen
> Priority: Critical
> Fix For: SVN trunk
>
> Attachments: permanent-security-loss.patch
>
>
> We found a critical bug in OFBiz security where temporary database spikes can
> lead to permanent privilege loss for users trying to log in or do something
> during the spike. The loss lasts until a cache refresh or a restart. A
> symptom is customers not being able to log in to do a checkout, not being
> able to create new accounts, and backend users not being able to perform
> their duties due to privilege loss.
> The reason for the bug was found to be in the caching of
> UserLoginSecurityGroup in OFBizSecurity. When there's an SQL exception, such
> as during a lag spike, an empty list will be stored in the cache. Subsequent
> security checks will retrieve this empty list and never ask the database
> again what the actual security groups are.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
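The three cache behaviours under discussion, as an added Python illustration that is not OFBiz code (OFBiz itself is Java): the reported cache-on-exception bug, the patch's "only store in cache if we get something" rule that Adrian objects to, and a third policy that caches genuine empty results while leaving SQL failures out of the cache. `DbError`, `fetch`, `simulate` and the sample users are constructed for the example.

```python
class DbError(Exception):
    """Stands in for the SQL exception thrown during a database lag spike."""

class SecurityGroupCache:
    """Caches a user's security groups under one of three policies (constructed example)."""

    def __init__(self, fetch, policy):
        self.fetch = fetch      # fetch(user_login_id) -> list of group ids, may raise DbError
        self.policy = policy    # "cache_on_error" | "only_non_empty" | "cache_real_results"
        self.cache = {}

    def groups_for(self, user_login_id):
        if user_login_id in self.cache:
            return self.cache[user_login_id]
        try:
            groups = list(self.fetch(user_login_id))
        except DbError:
            if self.policy == "cache_on_error":
                # The reported bug: a failed lookup is cached as "no groups" forever.
                self.cache[user_login_id] = []
            return []   # under the other policies: deny for this check only, cache nothing
        if self.policy == "only_non_empty" and not groups:
            # The patch's rule: a group-less user is re-queried on every check (Adrian's objection).
            return groups
        # cache_real_results: a genuine DB answer, empty or not, is cached; only the exception is not.
        self.cache[user_login_id] = groups
        return groups

    def has_permission(self, user_login_id, group):
        return group in self.groups_for(user_login_id)

def simulate(policy):
    """Spike on the first lookup, then a healthy DB. Returns (admin permitted after spike, DB hits for guest)."""
    db = {"admin": ["FULLADMIN"], "guest": []}   # constructed sample data: guest has no groups
    state = {"spike": True, "hits": {}}

    def fetch(uid):
        state["hits"][uid] = state["hits"].get(uid, 0) + 1
        if state["spike"]:
            raise DbError("lag spike")
        return db.get(uid, [])

    cache = SecurityGroupCache(fetch, policy)
    cache.has_permission("admin", "FULLADMIN")       # checked during the spike
    state["spike"] = False
    admin_ok = cache.has_permission("admin", "FULLADMIN")
    for _ in range(3): cache.has_permission("guest", "FULLADMIN")   # three checks, DB healthy
    return admin_ok, state["hits"]["guest"]
```

Under `cache_on_error` the admin stays locked out after the spike; under `only_non_empty` the admin recovers but the group-less guest costs one DB query per check; under `cache_real_results` both problems disappear.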