Question

Using Spring Security I have a DaoAuthenticationProvider described like here:

http://static.springsource.org/spring-security/site/docs/2.0.x/reference/dao-provider.html

I also have caching (also like it's described in that article).

The problem is that when a request comes in with a good username (that is already in the cache), but a bad password - it returns the user from the cache as if it is a good username/password. Because it uses the username as the key, the password is not involved at all.

The exact code that returns the user from the cache:

UserDetails user = this.userCache.getUserFromCache(username);

Did anybody ever deal with this problem before? I can also check if the password is the same, but it would be a custom thing.

Thank you.


Solution

If you configured your application with the standard components, the scenario should be as follows:

  1. At user request arrival the Authentication object is created and populated with username and password supplied by user.

  2. User details are retrieved: if it's possible, UserCache is used to retrieve previously cached user details (i.e. getUserFromCache is called either by implementations of UserDetailsService or AuthenticationProvider before the call to AuthenticationManager is performed). And it is 100% OK that the user details from cache will come with the good password.

  3. After basic pre-authentication checks (credentials expiration etc.) the actual authentication occurs. At this point the password from cached user details is compared to the password stored in Authentication object supplied (which currently contains the wrong password). At this point authentication attempt fails.

However, if you implement your own AuthenticationProvider or AuthenticationManager, you are responsible for password checking.
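As an added illustration (not code from the question, the answer, or Spring Security itself), here is a plain-Java model of steps 2 and 3 above: the cache is keyed by username only, yet the password check still runs against the credential presented in each request, so a cache hit with a wrong password is rejected. The class names are stand-ins that mirror the Spring concepts, not the real framework types.

```java
import java.util.*;

// Added example, not Spring's code: a plain-Java model of the flow in the answer.
// The class names mirror Spring Security concepts but are stand-ins defined here.
public class CachedAuthFlowDemo {
    static final class UserDetails {
        final String username, password; // password = stored credential (hashed in practice)
        UserDetails(String u, String p) { username = u; password = p; }
    }
    static final class BadCredentialsException extends RuntimeException {
        BadCredentialsException(String m) { super(m); }
    }
    // Cache keyed by username only, exactly as in the question.
    static final class UserCache {
        private final Map<String, UserDetails> cache = new HashMap<>();
        UserDetails getUserFromCache(String username) { return cache.get(username); }
        void putUserInCache(UserDetails user) { cache.put(user.username, user); }
    }
    private final UserCache userCache = new UserCache();
    private final Map<String, UserDetails> database = new HashMap<>(); // stands in for the DAO

    // Step 2: UserDetails come from the cache when present, otherwise from the DAO (and are cached).
    // A cache hit legitimately returns the user together with its good stored password.
    UserDetails retrieveUser(String username) {
        UserDetails user = userCache.getUserFromCache(username);
        if (user == null) {
            user = database.get(username);
            if (user == null) throw new BadCredentialsException("Bad credentials");
            userCache.putUserInCache(user);
        }
        return user;
    }
    // Step 3: the stored password is compared with the one presented in this request.
    // Spring's DaoAuthenticationProvider does this via its PasswordEncoder; a cache hit never skips it.
    void additionalAuthenticationChecks(UserDetails user, String presented) {
        if (!user.password.equals(presented)) throw new BadCredentialsException("Bad credentials");
    }
    UserDetails authenticate(String username, String presented) {
        UserDetails user = retrieveUser(username);
        additionalAuthenticationChecks(user, presented);
        return user;
    }
    public static void main(String[] args) {
        CachedAuthFlowDemo p = new CachedAuthFlowDemo();
        p.database.put("alice", new UserDetails("alice", "s3cret")); // constructed sample user
        System.out.println("ok: " + p.authenticate("alice", "s3cret").username); // DAO hit, now cached
        try { p.authenticate("alice", "wrong"); } // cache hit, but the password check still fails
        catch (BadCredentialsException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A custom AuthenticationProvider that returns the cached user without the equivalent of additionalAuthenticationChecks is the only way the wrong-password request would succeed.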

OTHER TIPS

What's the code that originally gets the user from the DB and caches it? Does it check the password? Sounds like you have an abstraction issue - Spring Security should not know where the user is coming from (DB or Cache) and should use the same logic either way.

Licensed under: CC-BY-SA with attribution