Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9391

Legacy ldap realm, entry for non existing user are cached

XMLWordPrintable

    • Hide
      • configure security realm to use cache with eviction by size strategy 
                    <security-realm name="authn-by-search-time-3-1">
                <authentication>
                    <ldap connection="ldap-connection" base-dn="ou=People,dc=jboss,dc=org" recursive="true">
                        <cache eviction-time="30" max-cache-size="1" cache-failures="false"/>
                        <username-filter attribute="uid"/>
                    </ldap>
                </authentication>
            </security-realm>
      • configure http interface to be secured by this realm 
                    <http-interface security-realm="authn-by-search-time-3-1">
                <http-upgrade enabled="true"/>
                <socket-binding http="management-http"/>
            </http-interface>
      • access http://localhost:9990/console with existing user e.g. "jduke"
      • access http://localhost:9990/console with non existing user e.g. "test"
      • In log there is message "Entry with key 'jduke' evicted from cache due to cache being above maximum size." When you access http://localhost:9990/console again with "jduke", then Wireshark shows that LDAP call occured.
      Show
      configure security realm to use cache with eviction by size strategy <security-realm name= "authn-by-search-time-3-1" > <authentication> <ldap connection= "ldap-connection" base-dn= "ou=People,dc=jboss,dc=org" recursive= " true " > <cache eviction-time= "30" max-cache-size= "1" cache-failures= " false " /> <username-filter attribute= "uid" /> </ldap> </authentication> </security-realm> configure http interface to be secured by this realm <http- interface security-realm= "authn-by-search-time-3-1" > <http-upgrade enabled= " true " /> <socket-binding http= "management-http" /> </http- interface > access http://localhost:9990/console with existing user e.g. "jduke" access http://localhost:9990/console with non existing user e.g. "test" In log there is message "Entry with key 'jduke' evicted from cache due to cache being above maximum size." When you access http://localhost:9990/console again with "jduke", then Wireshark shows that LDAP call occured.

      In case when cache is used for legacy LDAP security realm and any access to secured resource occures, then entry is added into cache even if user has not been authenticated correctly.

      Note, in reproducer there is cache-failures=false
      "cache-failures - This is a boolean that enables/disables the caching of failed searches. This has the potential for preventing an LDAP server from being repeatedly access by the same failed search, but it also has the potential to fill up the cache with searches for users that do not exist. This setting is particularly important for the authentication cache. " [1]

      And even with cache-failures = false , non existing user "takes slot" in cache, thus this

      • effectively could make cache smaller, because valid entries could be evicted due to max-cache-size.
      • reduce benefit of LDAP cache and impacts performance in unpredictable manner.

      Same behavior can be seen in 7.0.0.GA.

            jondruse@redhat.com Jiri Ondrusek
            mchoma@redhat.com Martin Choma
            Martin Choma Martin Choma
            Martin Choma Martin Choma
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: