[Yanel-dev] Caching of users

Oli Kessler ok at ncode.ch
Fri Nov 2 00:30:42 CET 2007


On 02.11.2007, at 00:07, Michael Wechner wrote:

> Hi
>
> I have taken a closer look at
>
> src/impl/java/org/wyona/security/impl/yarep/YarepUserManager.java
>
> and agree that caching makes a lot of sense, but I think we need to  
> refactor the implementation, which means the exists method should  
> check within the cache, but also within the repo and if the user  
> does not exist within the cache, but only within the repo, then the  
> cache should be redone.

What about users that get deleted or locked or expired - this change  
will not be noticed by the UserManager and it will happily serve  
user data from the cache. Maybe we can set a TTL on cached user/group  
data in a realm-wide fashion.

For the policy manager, caching is even more in need but the same  
constraints apply.


> Also one might think about introducing an API to invalidate such  
> an implementation-specific cache and also to introduce a  
> lastModified method,
> whereas I am not sure if one can check LDAP re lastModifieds
>

A notification channel for the User- and Policy-Manager interface may  
solve the issue: the resource changing any policy or user data may  
notify the implementing classes. However, external processes with  
direct access to the user data repository will not make use of such  
a notification channel. A regular check for changes and TTL driven  
reloads may still be needed.

As for LDAP, I'm not sure how we can check for a modification date  
for now, I'll try to figure this out. However, when a user gets  
deleted in the LDAP (or his authorization to use the application gets  
removed) we have the same issues when caching is applied: we do not  
see the change in the application or we notice the change too late.

We may do the following:
  - on each authentication request, (re)load the full user data from  
    the repositories
  - thus assure that any authentication data and basic login  
    constraints (locked? expired? ...) are the most current
  - cache the user data
  - on session expiration, the UserManager is notified and invalidates  
    the cache for this user

What do you think?

Cheers
-ok
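The caching scheme discussed in this thread, as an added example that is not part of the original message and not Yanel's own Java code: a hypothetical user manager that serves `exists()`/`get_user()` from a realm-wide TTL cache (repo-only hits repopulate it), always reloads from the repository on `authenticate()` and checks the basic login constraints there, and exposes an `invalidate()` notification hook that session expiry calls. The `Repository` class, the PBKDF2 password format, the field names (`locked`, `expires_at`) and the injectable clock are all assumptions made for the example; the repository stands in for Yarep or LDAP and is written to out of band to show the stale-read problem the reply describes.

```python
"""Hypothetical TTL cache for a user manager (example, not Yanel code)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    uid: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    expires_at: Optional[float] = None  # epoch seconds; None means never


class Repository:
    """Stand-in for the backing store (Yarep, LDAP, ...). External processes
    may write to it directly without telling the user manager."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add(self, uid: str, password: str, **flags) -> User:
        salt = os.urandom(16)
        user = User(uid, salt, hash_password(password, salt), **flags)
        self.users[uid] = user
        return user

    def load(self, uid: str) -> Optional[User]:
        user = self.users.get(uid)
        # Return a copy, as a real store would: later out-of-band edits to
        # the repository must not leak into an already cached record.
        return replace(user) if user is not None else None


class CachedUserManager:
    def __init__(self, repo: Repository, ttl_seconds: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.repo = repo
        self.ttl = ttl_seconds          # realm-wide TTL for cached records
        self.clock = clock              # injectable for testing
        self._cache: Dict[str, Tuple[User, float]] = {}

    def _fresh(self, uid: str) -> Optional[User]:
        entry = self._cache.get(uid)
        if entry is None:
            return None
        user, loaded_at = entry
        if self.clock() - loaded_at >= self.ttl:
            del self._cache[uid]        # TTL expired: force a reload
            return None
        return user

    def _reload(self, uid: str) -> Optional[User]:
        user = self.repo.load(uid)
        if user is None:
            self._cache.pop(uid, None)  # gone from the repo: drop stale copy
        else:
            self._cache[uid] = (user, self.clock())
        return user

    def exists(self, uid: str) -> bool:
        # Cache first, then repo; a repo-only hit (re)populates the cache.
        return self._fresh(uid) is not None or self._reload(uid) is not None

    def get_user(self, uid: str) -> Optional[User]:
        return self._fresh(uid) or self._reload(uid)

    def authenticate(self, uid: str, password: str) -> bool:
        # Never trust the cache for a login decision: reload, check the basic
        # login constraints, then cache the freshly loaded record.
        user = self._reload(uid)
        if user is None or user.locked:
            return False
        if user.expires_at is not None and self.clock() >= user.expires_at:
            return False
        return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)

    def invalidate(self, uid: str) -> None:
        # Notification channel: in-app edits and session expiry call this.
        self._cache.pop(uid, None)

    def on_session_expired(self, uid: str) -> None:
        self.invalidate(uid)
```

With this layout a user deleted or locked directly in the repository is still reported by `exists()` and `get_user()` until the TTL runs out or something calls `invalidate()`, which is exactly the window the reply warns about; `authenticate()` never falls into that window because it bypasses the cache, so a deleted, locked or expired account cannot log in even while its cached copy is still served elsewhere.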




More information about the Yanel-development mailing list