Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2502

Legacy ldap realm, entry for non existing user are cached

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 3.0.0.Beta27
    • None
    • Security
    • None
    • Hide
      • configure security realm to use cache with eviction by size strategy 
                    <security-realm name="authn-by-search-time-3-1">
                <authentication>
                    <ldap connection="ldap-connection" base-dn="ou=People,dc=jboss,dc=org" recursive="true">
                        <cache eviction-time="30" max-cache-size="1" cache-failures="false"/>
                        <username-filter attribute="uid"/>
                    </ldap>
                </authentication>
            </security-realm>
      • configure http interface to be secured by this realm 
                    <http-interface security-realm="authn-by-search-time-3-1">
                <http-upgrade enabled="true"/>
                <socket-binding http="management-http"/>
            </http-interface>
      • access http://localhost:9990/console with existing user e.g. "jduke"
      • access http://localhost:9990/console with non existing user e.g. "test"
      • In log there is message "Entry with key 'jduke' evicted from cache due to cache being above maximum size." When you access http://localhost:9990/console again with "jduke", then Wireshark shows that LDAP call occured.
      Show
      configure security realm to use cache with eviction by size strategy <security-realm name= "authn-by-search-time-3-1" > <authentication> <ldap connection= "ldap-connection" base-dn= "ou=People,dc=jboss,dc=org" recursive= " true " > <cache eviction-time= "30" max-cache-size= "1" cache-failures= " false " /> <username-filter attribute= "uid" /> </ldap> </authentication> </security-realm> configure http interface to be secured by this realm <http- interface security-realm= "authn-by-search-time-3-1" > <http-upgrade enabled= " true " /> <socket-binding http= "management-http" /> </http- interface > access http://localhost:9990/console with existing user e.g. "jduke" access http://localhost:9990/console with non existing user e.g. "test" In log there is message "Entry with key 'jduke' evicted from cache due to cache being above maximum size." When you access http://localhost:9990/console again with "jduke", then Wireshark shows that LDAP call occured.

    Description

      In case when cache is used for legacy LDAP security realm and any access to secured resource occures, then entry is added into cache even if user has not been authenticated correctly. This can cause that valid entries are evicted due to max-cache-size. This reduce benefit of LDAP cache and impacts performance.

      Same behavior can be seen in 7.0.0.GA.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-9391 Legacy ldap realm, entry for non existing user are cached

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              jondruse@redhat.com Jiri Ondrusek
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: