Database spikes lead to permanent user privilege loss
-----------------------------------------------------

                 Key: OFBIZ-1592
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1592
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: SVN trunk
            Reporter: Leon Torres
            Priority: Critical
             Fix For: SVN trunk
         Attachments: permanent-security-loss.patch

We found a critical bug in OFBiz security where temporary database spikes can 
lead to permanent privilege loss for users trying to log in or do something 
during the spike.  The loss lasts until a cache refresh or a restart.  A 
symptom is customers not being able to log in to do a checkout, not being able 
to create new accounts, and backend users not being able to perform their 
duties due to privilege loss.

The reason for the bug was found to be in the caching of UserLoginSecurityGroup 
in OFBizSecurity.  When there's an SQL exception, such as during a lag spike, 
an empty list will be stored in the cache.  Subsequent security checks will 
retrieve this empty list and never ask the database again what the actual 
security groups are.
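
The following is an added illustration of the caching failure mode described above, not OFBiz code: a constructed database stub that raises once (the "lag spike") and a small cache that can either store the failed lookup as an empty group list, as reported here, or leave the entry unset so the next check retries the database. Class and function names are assumptions.

```python
from typing import Callable, Dict, List, Set


class DatabaseUnavailable(Exception):
    """Constructed stand-in for the SQL exception raised during a lag spike."""


def make_flaky_db(groups: Dict[str, List[str]], fail_on_calls: Set[int]) -> Callable[[str], List[str]]:
    """Return a lookup that raises on the given call numbers (1-based), else answers."""
    calls = {"n": 0}

    def lookup(user_id: str) -> List[str]:
        calls["n"] += 1
        if calls["n"] in fail_on_calls:
            raise DatabaseUnavailable("simulated lag spike")
        return list(groups.get(user_id, []))

    return lookup


class SecurityGroupCache:
    """Caches user -> security groups.

    cache_on_error=True reproduces the reported bug: a lookup that fails is
    remembered as an empty list and served until the cache is cleared.
    cache_on_error=False fails closed for that one request only and retries
    the database on the next check (re-raising would be the other sound choice).
    """

    def __init__(self, lookup: Callable[[str], List[str]], cache_on_error: bool):
        self._lookup = lookup
        self._cache_on_error = cache_on_error
        self._cache: Dict[str, List[str]] = {}

    def groups_for(self, user_id: str) -> List[str]:
        if user_id in self._cache:
            return self._cache[user_id]
        try:
            groups = self._lookup(user_id)
        except DatabaseUnavailable:
            if self._cache_on_error:
                self._cache[user_id] = []  # bug: transient failure cached as "no groups"
            return []  # no permissions for this request; buggy path never recovers
        self._cache[user_id] = groups  # only successful answers are cached
        return groups

    def has_permission(self, user_id: str, group: str) -> bool:
        return group in self.groups_for(user_id)


def simulate(cache_on_error: bool) -> List[bool]:
    """Three checks for a constructed admin user; the first DB call fails."""
    db = make_flaky_db({"admin": ["FULLADMIN"]}, fail_on_calls={1})
    cache = SecurityGroupCache(db, cache_on_error)
    return [cache.has_permission("admin", "FULLADMIN") for _ in range(3)]
```

With the buggy cache every check after the spike is denied; with failures left uncached, the second check reaches the database and the user's groups are restored.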

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.