[jira] Created: (OFBIZ-1592) Database spikes lead to permanent user privilege loss


[jira] Created: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)
Database spikes lead to permanent user privilege loss
-----------------------------------------------------

                 Key: OFBIZ-1592
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1592
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: SVN trunk
            Reporter: Leon Torres
            Priority: Critical
             Fix For: SVN trunk
         Attachments: permanent-security-loss.patch

We found a critical bug in OFBiz security where temporary database spikes can lead to permanent privilege loss for users trying to log in or do something during the spike.  The loss lasts until a cache refresh or a restart.  A symptom is customers not being able to log in to do a checkout, not being able to create new accounts, and backend users not being able to perform their duties due to privilege loss.

The reason for the bug was found to be in the caching of UserLoginSecurityGroup in OFBizSecurity.  When there's an SQL exception, such as during a lag spike, an empty list will be stored in the cache.  Subsequent security checks will retrieve this empty list and never ask the database again what the actual security groups are.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leon Torres updated OFBIZ-1592:
-------------------------------

    Attachment: permanent-security-loss.patch

This patch is known to fix the issue completely.



[jira] Assigned: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Si Chen reassigned OFBIZ-1592:
------------------------------

    Assignee: Si Chen


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561899#action_12561899 ]

Si Chen commented on OFBIZ-1592:
--------------------------------

If there are no objections I will commit it.


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561906#action_12561906 ]

Adrian Crum commented on OFBIZ-1592:
------------------------------------

I think the patch needs more work. At first glance it appears that there will be more DB hits for users who aren't in security groups.



[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561915#action_12561915 ]

Si Chen commented on OFBIZ-1592:
--------------------------------

Why do you think so?


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561922#action_12561922 ]

Leon Torres commented on OFBIZ-1592:
------------------------------------

Trying to avoid database hits led to the problem in the first place.  We should rely on the database's native caching ability.


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561923#action_12561923 ]

Leon Torres commented on OFBIZ-1592:
------------------------------------

Also note if the user doesn't have any security groups, an empty list is returned and cached.  So it avoids DB hits for the case you stated, Adrian. :)


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561965#action_12561965 ]

Jacopo Cappellato commented on OFBIZ-1592:
------------------------------------------

Can we move this discussion to the dev list?

Jacopo


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562112#action_12562112 ]

Adrian Crum commented on OFBIZ-1592:
------------------------------------

Leon,

Read your comment in the patch: "// only store in cache if we get something" - so if a user isn't a member of a security group, a DB hit will occur every time that user's permissions are checked.



[jira] Updated: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Crum updated OFBIZ-1592:
-------------------------------

    Attachment: OFBizSecurity.patch

Si & Leon - take a look at OFBizSecurity.patch.


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562158#action_12562158 ]

Leon Torres commented on OFBIZ-1592:
------------------------------------

Sorry Adrian, that patch you proposed does exactly the same thing.  Can someone else review it?

I'm not on the dev list at the moment; further comments should be on this issue.


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562160#action_12562160 ]

Adrian Crum commented on OFBIZ-1592:
------------------------------------

No, it doesn't do the same thing. Look again.



[jira] Issue Comment Edited: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562364#action_12562364 ]

jacopoc edited comment on OFBIZ-1592 at 1/24/08 9:20 PM:
-------------------------------------------------------------------

Hi Leon,

here is the address to subscribe to the dev list:

[hidden email]

Jacopo


      was (Author: jacopoc):
    Hi Leaon,

here is the address to subscribe to the dev list:

[hidden email]

Jacopo

 


[jira] Commented: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12562364#action_12562364 ]

Jacopo Cappellato commented on OFBIZ-1592:
------------------------------------------

Hi Leon,

here is the address to subscribe to the dev list:

[hidden email]

Jacopo



[jira] Closed: (OFBIZ-1592) Database spikes lead to permanent user privilege loss

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David E. Jones closed OFBIZ-1592.
---------------------------------

    Resolution: Fixed
      Assignee: David E. Jones  (was: Si Chen)

I agree that we shouldn't be caching an empty list when there is an error. I don't agree that we should never cache an empty list; that would have a pretty annoying performance impact.

I've committed a variation of Adrian's patch in rev 615722 in the trunk and in the release4.0 branch; well, there I got a conflict.

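The two cache behaviours argued over in this thread, as an added Java example that is not OFBiz code and not either of the attached patches: a cache that stores whatever is left after a failed lookup (the bug Leon reported) next to one that skips caching only when the lookup throws, so a user who genuinely has no security groups is still cached as empty (the point Adrian and David raised). `GroupStore`, `LookupException`, `BuggyGroupCache` and `FixedGroupCache` are stand-ins invented for the example; the real code goes through the OFBiz entity delegator and its cache, which are not shown here.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not OFBiz code. GroupStore stands in for the entity delegator
// and LookupException for the SQL/entity exception raised during a lag spike.
public class SecurityGroupCacheDemo {
    static class LookupException extends Exception {
        LookupException(String msg) { super(msg); }
    }

    // Simulated UserLoginSecurityGroup rows plus a switch that makes the next
    // lookup fail, standing in for a temporary database outage.
    static class GroupStore {
        private final Map<String, List<String>> rows = new HashMap<>();
        boolean failNextLookup = false;
        int lookups = 0;

        void put(String userLoginId, String... groupIds) { rows.put(userLoginId, List.of(groupIds)); }

        List<String> findGroups(String userLoginId) throws LookupException {
            lookups++;
            if (failNextLookup) {
                failNextLookup = false;
                throw new LookupException("simulated SQL exception during lag spike");
            }
            return rows.getOrDefault(userLoginId, Collections.emptyList());
        }
    }

    // The pattern the issue describes: the exception is swallowed and the empty
    // list left behind is cached, so the user stays unprivileged until a restart.
    static class BuggyGroupCache {
        private final Map<String, List<String>> cache = new HashMap<>();
        private final GroupStore store;
        BuggyGroupCache(GroupStore store) { this.store = store; }

        List<String> getGroups(String userLoginId) {
            List<String> groups = cache.get(userLoginId);
            if (groups == null) {
                groups = new ArrayList<>();
                try {
                    groups.addAll(store.findGroups(userLoginId));
                } catch (LookupException e) {
                    System.err.println("lookup failed: " + e.getMessage());
                }
                cache.put(userLoginId, groups); // stores the failure as "no groups"
            }
            return groups;
        }
    }

    // The approach the issue was closed with: a failed lookup is never cached
    // (deny this request, ask the database again next time), but a genuine empty
    // result is cached like any other, so group-less users cost no extra lookups.
    static class FixedGroupCache {
        private final Map<String, List<String>> cache = new HashMap<>();
        private final GroupStore store;
        FixedGroupCache(GroupStore store) { this.store = store; }

        List<String> getGroups(String userLoginId) {
            List<String> groups = cache.get(userLoginId);
            if (groups != null) {
                return groups;
            }
            try {
                groups = new ArrayList<>(store.findGroups(userLoginId));
            } catch (LookupException e) {
                System.err.println("lookup failed, not caching: " + e.getMessage());
                return Collections.emptyList(); // fail closed for this request only
            }
            cache.put(userLoginId, groups); // real answer, empty or not
            return groups;
        }
    }

    public static void main(String[] args) {
        GroupStore store = new GroupStore();
        store.put("admin", "FULLADMIN"); // constructed sample row
        BuggyGroupCache buggy = new BuggyGroupCache(store);
        FixedGroupCache fixed = new FixedGroupCache(store);
        // Both caches see their first "admin" check during the spike.
        store.failNextLookup = true;
        System.out.println("buggy during spike: " + buggy.getGroups("admin"));
        store.failNextLookup = true;
        System.out.println("fixed during spike: " + fixed.getGroups("admin"));
        // Afterwards the buggy cache keeps answering [] without asking the
        // database; the fixed cache re-queries and recovers the real groups.
        System.out.println("buggy after spike:  " + buggy.getGroups("admin"));
        System.out.println("fixed after spike:  " + fixed.getGroups("admin"));
        // A user with no groups is still cached: two checks cost one lookup.
        int before = store.lookups;
        fixed.getGroups("guest"); fixed.getGroups("guest");
        System.out.println("lookups for two guest checks: " + (store.lookups - before));
    }
}
```

Run with `javac SecurityGroupCacheDemo.java && java SecurityGroupCacheDemo` (Java 9 or later for `List.of`). The design point is the distinction between "the database said this user has no groups" and "the database did not answer": only the first is a cacheable fact. Denying the single request that hit the exception keeps the check fail-closed, while leaving the cache untouched means the next check re-queries, so the outage is bounded by its own duration rather than by the cache lifetime. A cache clear or restart, which is what the thread describes as the only recovery from the original bug, is no longer needed.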