[Yanel-dev] Caching of users
Oli Kessler
ok at ncode.ch
Fri Nov 2 00:30:42 CET 2007
On 02.11.2007, at 00:07, Michael Wechner wrote:
> Hi
>
> I have taken a closer look at
>
> src/impl/java/org/wyona/security/impl/yarep/YarepUserManager.java
>
> and agree that caching makes a lot of sense, but I think we need to
> refactor the implementation, which means the exists method should
> check within the cache, but also within the repo and if the user
> does not exist within the cache, but only within the repo, then the
> cache should be redone.
What about users that get deleted or locked or expired - this change
will not be noticed by the UserManager and it will happily serve
user data from the cache. Maybe we can set a TTL on cached user/group
data in a realm-wide fashion.
For the policy manager, caching is even more in need but the same
constraints apply.
> Also one might think about introducing an API to invalidate such
> an implementation-specific cache and also to introduce a
> lastModified method,
> whereas I am not sure if one can check LDAP re lastModifieds
>
A notification channel for the User- and Policy-Manager interface may
solve the issue: the resource changing any policy or user data may
notify the implementing classes. However, external processes with
direct access to the user data repository will not make use of such
a notification channel. A regular check for changes and TTL driven
reloads may still be needed.
As for LDAP, I'm not sure how we can check for a modification date
for now, I'll try to figure this out. However, when a user gets
deleted in the LDAP (or his authorization to use the application gets
removed) we have the same issues when caching is applied: we do not
see the change in the application or we notice the change too late.
We may do the following:
- on each authentication request, (re)load the full user data from
  the repositories
- thus assure that any authentication data and basic login
  constraint (locked? expired? ...) are the most current
- cache the user data
- on session expiration, the UserManager is notified and invalidates
  the cache for this user
What do you think?
Cheers
-ok
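
The scheme proposed in the message above (reload on every authentication, realm-wide TTL for other reads, invalidation on session expiry), as an added example that is not part of the original message and is not Yanel code. TtlUserCache, UserRecord, the loader function and the sample data are assumed names and constructed values; it needs Java 16 or later for records.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Hypothetical sketch: none of these names come from the Yanel code base.
public class TtlUserCache {
    public record UserRecord(String id, boolean locked, Instant expires) {
        boolean usable(Instant now) { return !locked && (expires == null || now.isBefore(expires)); }
    }
    private record Entry(UserRecord user, Instant loadedAt) {}
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, Optional<UserRecord>> repo; // stands in for the repository/LDAP lookup
    private final Duration ttl;                                // realm-wide TTL

    public TtlUserCache(Function<String, Optional<UserRecord>> repo, Duration ttl) { this.repo = repo; this.ttl = ttl; }

    // Authentication path: always hit the repository so deletion, lock and expiry are seen at login.
    public Optional<UserRecord> loadForAuthentication(String id) {
        Instant now = Instant.now();
        Optional<UserRecord> fresh = repo.apply(id).filter(u -> u.usable(now));
        if (fresh.isPresent()) cache.put(id, new Entry(fresh.get(), now));
        else cache.remove(id);                                 // deleted, locked or expired: drop the stale copy
        return fresh;
    }

    // Other reads: serve from the cache only while the entry is younger than the TTL.
    public Optional<UserRecord> get(String id) {
        Instant now = Instant.now();
        Entry e = cache.get(id);
        if (e != null && now.isBefore(e.loadedAt().plus(ttl)) && e.user().usable(now))
            return Optional.of(e.user());
        return loadForAuthentication(id);                      // stale or missing: reload from the repository
    }

    // Called from the session-expiry (or any other change) notification.
    public void invalidate(String id) { cache.remove(id); }

    public static void main(String[] args) {
        Map<String, UserRecord> store = new ConcurrentHashMap<>();   // constructed sample repository
        store.put("alice", new UserRecord("alice", false, null));
        TtlUserCache c = new TtlUserCache(id -> Optional.ofNullable(store.get(id)), Duration.ofMinutes(5));
        System.out.println(c.loadForAuthentication("alice").isPresent());
        store.put("alice", new UserRecord("alice", true, null));     // locked by an external process
        System.out.println(c.get("alice").isPresent());              // within TTL: cache answers, lock not yet seen
        System.out.println(c.loadForAuthentication("alice").isPresent()); // login path reloads and sees the lock
    }
}
```

The second call in main shows the window the message worries about: until the TTL elapses or the user authenticates again, a lock applied by an external process is not visible to cached reads.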