Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Obsolete
Priority: Major
Fix Version/s: None
Affects Version/s: 7.0.6.GA
Component/s: Security
Labels:
- caching
- eap7.1.0-defer
- ldap
- legacy

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1458837
Target Release:

7.0.z.GA
Git Pull Request:
https://github.com/jbossas/wildfly-core-eap/pull/383
Steps to Reproduce:
Hide

configure security realm to use cache with eviction by size strategy

<security-realm name="authn-by-search-time-3-1"> <authentication> <ldap connection="ldap-connection" base-dn="ou=People,dc=jboss,dc=org" recursive="true"> <cache eviction-time="30" max-cache-size="1" cache-failures="false"/> <username-filter attribute="uid"/> </ldap> </authentication> </security-realm>

configure http interface to be secured by this realm

<http-interface security-realm="authn-by-search-time-3-1"> <http-upgrade enabled="true"/> <socket-binding http="management-http"/> </http-interface>

access http://localhost:9990/console with existing user e.g. "jduke"

access http://localhost:9990/console with non existing user e.g. "test"

In log there is message "Entry with key 'jduke' evicted from cache due to cache being above maximum size." When you access http://localhost:9990/console again with "jduke", then Wireshark shows that LDAP call occured.
Show
configure security realm to use cache with eviction by size strategy <security-realm name= "authn-by-search-time-3-1" > <authentication> <ldap connection= "ldap-connection" base-dn= "ou=People,dc=jboss,dc=org" recursive= " true " > <cache eviction-time= "30" max-cache-size= "1" cache-failures= " false " /> <username-filter attribute= "uid" /> </ldap> </authentication> </security-realm> configure http interface to be secured by this realm <http- interface security-realm= "authn-by-search-time-3-1" > <http-upgrade enabled= " true " /> <socket-binding http= "management-http" /> </http- interface > access http://localhost:9990/console with existing user e.g. "jduke" access http://localhost:9990/console with non existing user e.g. "test" In log there is message "Entry with key 'jduke' evicted from cache due to cache being above maximum size." When you access http://localhost:9990/console again with "jduke", then Wireshark shows that LDAP call occured.

SFDC Cases Counter:
SFDC Cases Links:

Description

In case when cache is used for legacy LDAP security realm and any access to secured resource occures, then entry is added into cache even if user has not been authenticated correctly.

Note, in reproducer there is cache-failures=false
"cache-failures - This is a boolean that enables/disables the caching of failed searches. This has the potential for preventing an LDAP server from being repeatedly access by the same failed search, but it also has the potential to fill up the cache with searches for users that do not exist. This setting is particularly important for the authentication cache. " [1]

And even with cache-failures = false , non existing user "takes slot" in cache, thus this

effectively could make cache smaller, because valid entries could be evicted due to max-cache-size.
reduce benefit of LDAP cache and impacts performance in unpredictable manner.

Same behavior can be seen in 7.0.0.GA.

Attachments

Issue Links

clones

JBEAP-9391 Legacy ldap realm, entry for non existing user are cached

Verified

relates to

JBEAP-12370 [7.1] Legacy ldap realm, caching by access time doesn't "clear" timeout for already cached entry

Verified

Activity

People

Assignee:: Jiri Ondrusek

Reporter:: Jiri Ondrusek

Tester:: Martin Choma

QA Contact:: Martin Choma

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2017/06/05 4:51 AM

Updated:: 2020/12/02 10:36 AM

Resolved:: 2020/12/02 10:36 AM