  1. WildFly Core
  2. WFCORE-2502

Legacy LDAP realm, entries for non-existing users are cached


    • Bug
    • Resolution: Done
    • Major
    • 3.0.0.Beta27
    • None
    • Security
    • None
      • configure security realm to use cache with eviction by size strategy
                    <security-realm name="authn-by-search-time-3-1">
                        <authentication>
                            <ldap connection="ldap-connection" base-dn="ou=People,dc=jboss,dc=org" recursive="true">
                                <cache eviction-time="30" max-cache-size="1" cache-failures="false"/>
                                <username-filter attribute="uid"/>
                            </ldap>
                        </authentication>
                    </security-realm>
        
      • configure http interface to be secured by this realm
                    <http-interface security-realm="authn-by-search-time-3-1">
                        <http-upgrade enabled="true"/>
                        <socket-binding http="management-http"/>
                    </http-interface>
        
      • access http://localhost:9990/console with an existing user, e.g. "jduke"
      • access http://localhost:9990/console with a non-existing user, e.g. "test"
      • In the log there is the message "Entry with key 'jduke' evicted from cache due to cache being above maximum size." When you access http://localhost:9990/console again with "jduke", Wireshark shows that an LDAP call occurred.

      When a cache is used for a legacy LDAP security realm and any access to a secured resource occurs, an entry is added to the cache even if the user has not been authenticated correctly. This can cause valid entries to be evicted due to max-cache-size. This reduces the benefit of the LDAP cache and impacts performance.

      The same behavior can be seen in 7.0.0.GA.

              jondruse@redhat.com Jiri Ondrusek
              mchoma@redhat.com Martin Choma
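
The eviction sequence from the reproduction steps, as an added model that is not WildFly code and not part of the original report: a cache with max-cache-size 1 replays the logins jduke, test, jduke and counts LDAP searches. The `SearchCache` class, the `DIRECTORY` stand-in, the `honor_cache_failures` switch and the eldest-first eviction order are assumptions made for the illustration, as is the reading that `cache-failures="false"` should keep failed searches out of the cache.

```python
from collections import OrderedDict

# Constructed stand-in for the LDAP server: one known user (assumption).
DIRECTORY = {"jduke": "uid=jduke,ou=People,dc=jboss,dc=org"}


class SearchCache:
    """Size-bounded cache in front of a user search; a model, not WildFly code."""

    def __init__(self, max_cache_size, cache_failures, honor_cache_failures):
        self.max_cache_size = max_cache_size
        self.cache_failures = cache_failures
        # False reproduces the reported behaviour: failed searches are stored
        # even though cache_failures is off.
        self.honor_cache_failures = honor_cache_failures
        self.entries = OrderedDict()
        self.ldap_calls = 0
        self.evicted = []

    def search(self, username):
        if username in self.entries:
            self.entries.move_to_end(username)  # cache hit, no LDAP traffic
            return self.entries[username]
        self.ldap_calls += 1                    # cache miss goes to LDAP
        dn = DIRECTORY.get(username)            # None means "no such user"
        store = (dn is not None or self.cache_failures
                 or not self.honor_cache_failures)
        if store:
            self.entries[username] = dn
            while len(self.entries) > self.max_cache_size:
                oldest, _ = self.entries.popitem(last=False)
                self.evicted.append(oldest)
        return dn


def replay(honor_cache_failures, logins=("jduke", "test", "jduke")):
    """Replay the report's login sequence; return (LDAP calls, evicted keys)."""
    cache = SearchCache(max_cache_size=1, cache_failures=False,
                        honor_cache_failures=honor_cache_failures)
    for name in logins:
        cache.search(name)
    return cache.ldap_calls, cache.evicted


if __name__ == "__main__":
    print("reported behaviour:", replay(honor_cache_failures=False))
    print("failures not stored:", replay(honor_cache_failures=True))
```

In the first run the failed search for "test" pushes "jduke" out and the second jduke login costs a third LDAP search; in the second run the jduke entry survives and only two searches are made.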