[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David E. Jones closed OFBIZ-1592.
---------------------------------
Resolution: Fixed
Assignee: David E. Jones (was: Si Chen)
I agree that we shouldn't be caching an empty list when there is an error. I
don't agree that we should never cache an empty list, that would have pretty
annoying performance impact.
I've committed a variation of Adrian's patch in rev 615722 in the trunk and in
the release4.0 branch, well, there I got a conflict.
> Database spikes lead to permanent user privilege loss
> -----------------------------------------------------
>
> Key: OFBIZ-1592
> URL: https://issues.apache.org/jira/browse/OFBIZ-1592
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Leon Torres
> Assignee: David E. Jones
> Priority: Critical
> Fix For: SVN trunk
>
> Attachments: OFBizSecurity.patch, permanent-security-loss.patch
>
>
> We found a critical bug in OFBiz security where temporary database spikes can
> lead to permanent privilege loss for users trying to log in or do something
> during the spike. The loss lasts until a cache refresh or a restart. A
> symptom is customers not being able to log in to do a checkout, not being
> able to create new accounts, and backend users not being able to perform
> their duties due to privilege loss.
> The reason for the bug was found to be in the caching of
> UserLoginSecurityGroup in OFBizSecurity. When there's an SQL exception, such
> as during a lag spike, an empty list will be stored in the cache. Subsequent
> security checks will retrieve this empty list and never ask the database
> again what the actual security groups are.
--
This message is automatically generated by JIRA.
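The failure mode described in the issue, and the behaviour David Jones argues for in his comment (never cache the result of a failed lookup, but do keep caching a genuinely empty group list), as an added worked example. This is illustrative code written for this note, not OFBiz's OFBizSecurity or the committed patch; the class and function names, the in-memory "database", the DatabaseUnavailable exception and the sample users are all constructed stand-ins.

```python
class DatabaseUnavailable(Exception):
    """Constructed stand-in for the SQL exception raised during a lag spike."""


# Constructed sample data: user login id -> security groups.
# "guest" deliberately has no groups so we can show that an empty
# answer from a *successful* query is still safe to cache.
SECURITY_GROUPS = {
    "admin": ["FULLADMIN"],
    "customer1": ["CUSTOMER"],
    "guest": [],
}


class FlakyDatabase:
    """Fails the first `fail_for_queries` lookups, then recovers."""

    def __init__(self, fail_for_queries=0):
        self.failures_left = fail_for_queries
        self.queries = 0

    def user_login_security_groups(self, user_login_id):
        self.queries += 1
        if self.failures_left > 0:
            self.failures_left -= 1
            raise DatabaseUnavailable("simulated lag spike")
        return list(SECURITY_GROUPS.get(user_login_id, []))


class BuggySecurity:
    """Before: a failed lookup is stored as 'no groups' and never retried."""

    def __init__(self, db):
        self.db = db
        self.cache = {}

    def get_groups(self, user_login_id):
        if user_login_id not in self.cache:
            try:
                groups = self.db.user_login_security_groups(user_login_id)
            except DatabaseUnavailable:
                groups = []  # the error is collapsed into an empty result...
            self.cache[user_login_id] = groups  # ...and kept until a cache clear
        return self.cache[user_login_id]

    def has_permission(self, user_login_id, group):
        return group in self.get_groups(user_login_id)


class FixedSecurity:
    """After: only results of successful queries enter the cache.

    A genuinely empty list is still cached (it is a real answer and avoids a
    database hit on every check); an exception leaves no cache entry, so the
    next check asks the database again once it has recovered."""

    def __init__(self, db):
        self.db = db
        self.cache = {}

    def get_groups(self, user_login_id):
        cached = self.cache.get(user_login_id)
        if cached is not None:
            return cached
        groups = self.db.user_login_security_groups(user_login_id)  # may raise
        self.cache[user_login_id] = groups  # only reached on success
        return groups

    def has_permission(self, user_login_id, group):
        try:
            return group in self.get_groups(user_login_id)
        except DatabaseUnavailable:
            return False  # deny this one check; nothing is remembered


def run_spike_scenario(security_cls):
    """One check during a spike, one after recovery.

    Returns (allowed_during_spike, allowed_after_recovery, db_queries)."""
    db = FlakyDatabase(fail_for_queries=1)
    sec = security_cls(db)
    during = sec.has_permission("admin", "FULLADMIN")
    after = sec.has_permission("admin", "FULLADMIN")
    return during, after, db.queries


def empty_result_is_cached(security_cls):
    """Two checks for a user with no groups should hit the database once."""
    db = FlakyDatabase()
    sec = security_cls(db)
    sec.has_permission("guest", "FULLADMIN")
    sec.has_permission("guest", "FULLADMIN")
    return db.queries == 1


if __name__ == "__main__":
    print("buggy:", run_spike_scenario(BuggySecurity))   # (False, False, 1)
    print("fixed:", run_spike_scenario(FixedSecurity))   # (False, True, 2)
```

Both versions deny the admin during the spike, which is the right call for a single check. The difference is what they remember: the buggy cache keeps denying after the database is healthy again and never issues a second query, which is exactly the "permanent privilege loss until a cache refresh or restart" the report describes, while the fixed cache retries on the next check and still avoids repeated queries for users whose group list is legitimately empty.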