[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561899#action_12561899 ]

Si Chen commented on OFBIZ-1592:
--------------------------------

If there are no objections I will commit it.

> Database spikes lead to permanent user privilege loss
> -----------------------------------------------------
>
>                 Key: OFBIZ-1592
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1592
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Leon Torres
>            Priority: Critical
>             Fix For: SVN trunk
>
>         Attachments: permanent-security-loss.patch
>
>
> We found a critical bug in OFBiz security where temporary database spikes can 
> lead to permanent privilege loss for users trying to log in or do something 
> during the spike.  The loss lasts until a cache refresh or a restart.  A 
> symptom is customers not being able to log in to do a checkout, not being 
> able to create new accounts, and backend users not being able to perform 
> their duties due to privilege loss.
> The reason for the bug was found to be in the caching of 
> UserLoginSecurityGroup in OFBizSecurity.  When there's an SQL exception, such 
> as during a lag spike, an empty list will be stored in the cache.  Subsequent 
> security checks will retrieve this empty list and never ask the database 
> again what the actual security groups are. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.