[OFBIZ-1592] Database spikes lead to permanent user privilege loss - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: Trunk
Fix Version/s: Trunk
Component/s: framework
Labels:
None

Description

We found a critical bug in OFBiz security where temporary database spikes can lead to permanent privilege loss for users trying to log in or do something during the spike. The loss lasts until a cache refresh or a restart. A symptom is customers not being able to log in to do a checkout, not being able to create new accounts, and backend users not being able to perform their duties due to privilege loss.

The reason for the bug was found to be in the caching of UserLoginSecurityGroup in OFBizSecurity. When there's an SQL exception, such as during a lag spike, an empty list will be stored in the cache. Subsequent security checks will retrieve this empty list and never ask the database again what the actual security groups are.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

permanent-security-loss.patch
22/Jan/08 18:06
2 kB
Leon Torres
OFBizSecurity.patch
24/Jan/08 16:45
1 kB
Adrian Crum

Activity

People

Assignee:: David E. Jones

Reporter:: Leon Torres

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 22/Jan/08 18:05

Updated:: 28/Jan/08 03:47

Resolved:: 28/Jan/08 03:47