[ https://issues.apache.org/jira/browse/OFBIZ-1592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adrian Crum updated OFBIZ-1592:
-------------------------------

    Attachment: OFBizSecurity.patch

Si & Leon - take a look at OFBizSecurity.patch.

> Database spikes lead to permanent user privilege loss
> -----------------------------------------------------
>
>                 Key: OFBIZ-1592
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1592
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Leon Torres
>            Assignee: Si Chen
>            Priority: Critical
>             Fix For: SVN trunk
>
>         Attachments: OFBizSecurity.patch, permanent-security-loss.patch
>
>
> We found a critical bug in OFBiz security where temporary database spikes can
> lead to permanent privilege loss for users trying to log in or do something
> during the spike. The loss lasts until a cache refresh or a restart. A
> symptom is customers not being able to log in to do a checkout, not being
> able to create new accounts, and backend users not being able to perform
> their duties due to privilege loss.
>
> The reason for the bug was found to be in the caching of
> UserLoginSecurityGroup in OFBizSecurity. When there's an SQL exception, such
> as during a lag spike, an empty list will be stored in the cache. Subsequent
> security checks will retrieve this empty list and never ask the database
> again what the actual security groups are.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
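The caching failure the report describes, as an added example that is not OFBiz code and not the contents of either attached patch: a minimal security-group cache in which an SQLException during the lookup is swallowed and an empty list is stored (the bug), beside one that caches only successful lookups so a failed request is retried next time (one way to fix it). The class, interface and method names, the simulated loader and the sample group name are assumptions for illustration; the real OFBizSecurity and UserLoginSecurityGroup code is not reproduced here.

```java
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not OFBiz code. All names below are hypothetical;
// only the caching pattern mirrors what the report describes.
public class SecurityGroupCacheDemo {

    // Stand-in for the database query that fetches a user's security groups.
    interface GroupLoader {
        List<String> load(String userLoginId) throws SQLException;
    }

    // Buggy pattern: an exception during the lookup is cached as "no groups".
    static class NegativeCachingLookup {
        private final Map<String, List<String>> cache = new HashMap<String, List<String>>();
        private final GroupLoader loader;

        NegativeCachingLookup(GroupLoader loader) { this.loader = loader; }

        List<String> groupsFor(String userLoginId) {
            List<String> groups = cache.get(userLoginId);
            if (groups == null) {
                groups = new ArrayList<String>();
                try {
                    groups.addAll(loader.load(userLoginId));
                } catch (SQLException e) {
                    // Swallowed: the empty list built above is stored regardless, so
                    // every later check for this user sees no groups until the cache
                    // is cleared or the server restarts.
                    System.err.println("lookup failed for " + userLoginId + ": " + e.getMessage());
                }
                cache.put(userLoginId, groups);
            }
            return groups;
        }
    }

    // Fixed pattern: only a successful lookup is cached; a failure is not remembered.
    static class RetryingLookup {
        private final Map<String, List<String>> cache = new HashMap<String, List<String>>();
        private final GroupLoader loader;

        RetryingLookup(GroupLoader loader) { this.loader = loader; }

        List<String> groupsFor(String userLoginId) throws SQLException {
            List<String> groups = cache.get(userLoginId);
            if (groups == null) {
                // If load() throws, nothing is put in the cache and the exception
                // propagates: this request is denied (fail closed) and the next
                // request asks the database again.
                groups = Collections.unmodifiableList(new ArrayList<String>(loader.load(userLoginId)));
                cache.put(userLoginId, groups);
            }
            return groups;
        }
    }

    // Constructed loader simulating a database spike: fails N times, then answers.
    static class SpikingLoader implements GroupLoader {
        private int remainingFailures;
        private final List<String> groups;

        SpikingLoader(int failures, List<String> groups) {
            this.remainingFailures = failures;
            this.groups = groups;
        }

        public List<String> load(String userLoginId) throws SQLException {
            if (remainingFailures-- > 0) {
                throw new SQLException("connection timed out");
            }
            return groups;
        }
    }

    public static void main(String[] args) {
        List<String> real = Arrays.asList("FULLADMIN"); // sample group, constructed

        // Buggy lookup: the first call lands in the spike and poisons the cache.
        NegativeCachingLookup buggy = new NegativeCachingLookup(new SpikingLoader(1, real));
        System.out.println("buggy, during spike: " + buggy.groupsFor("admin"));
        System.out.println("buggy, after spike:  " + buggy.groupsFor("admin"));

        // Fixed lookup: the failed call is not cached, so the retry succeeds.
        RetryingLookup fixed = new RetryingLookup(new SpikingLoader(1, real));
        try {
            fixed.groupsFor("admin");
        } catch (SQLException e) {
            System.out.println("fixed, during spike: denied (" + e.getMessage() + ")");
        }
        try {
            System.out.println("fixed, after spike:  " + fixed.groupsFor("admin"));
        } catch (SQLException e) {
            throw new IllegalStateException("unexpected failure after spike", e);
        }
    }
}
```

The design point is that a permission check should fail closed for the one request that hits the outage but must not remember the outage: an empty result produced by an exception is not the same thing as an empty result returned by the database, and only the latter is safe to cache. The same applies to any negative cache in an authorization path; if a miss is cached at all, it should carry a short TTL so a transient error cannot become a standing denial.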