Database spikes lead to permanent user privilege loss -----------------------------------------------------
Key: OFBIZ-1592 URL: https://issues.apache.org/jira/browse/OFBIZ-1592 Project: OFBiz Issue Type: Bug Components: framework Affects Versions: SVN trunk Reporter: Leon Torres Priority: Critical Fix For: SVN trunk Attachments: permanent-security-loss.patch We found a critical bug in OFBiz security where temporary database spikes can lead to permanent privilege loss for users trying to log in or do something during the spike. The loss lasts until a cache refresh or a restart. A symptom is customers not being able to log in to do a checkout, not being able to create new accounts, and backend users not being able to perform their duties due to privilege loss. The reason for the bug was found to be in the caching of UserLoginSecurityGroup in OFBizSecurity. When there's an SQL exception, such as during a lag spike, an empty list will be stored in the cache. Subsequent security checks will retrieve this empty list and never ask the database again what the actual security groups are. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.