[Yanel-dev] Caching of users

Michael Wechner michael.wechner at wyona.com
Fri Nov 2 11:13:30 CET 2007


Oli Kessler wrote:

>
> On 02.11.2007, at 00:07, Michael Wechner wrote:
>
>> Hi
>>
>> I have taken a closer look at
>>
>> src/impl/java/org/wyona/security/impl/yarep/YarepUserManager.java
>>
>> and agree that caching makes a lot of sense, but I think we need to  
>> refactor the implementation, which means the exists method should  
>> check within the cache, but also within the repo and if the user  
>> does not exist within the cache, but only within the repo, then the  
>> cache should be redone.
>
>
> What about users that get deleted or locked or expired - this change  
> will not be noticed by the UserManager and it will happily serve  
> user data from the cache. Maybe we can set a TTL on cached user/group  
> data in a realm-wide fashion.
>
> For the policy manager, caching is even more in need but the same  
> constraints apply.


maybe it's best to enhance the security API by something like

UserManager.getUser(String username, boolean refresh)

which then can be used by the application during login

and also that the web-app introduces something like

killUserSession(String username)

so that such a user can be kicked out and during the next authentication the user 
will be refreshed

>
>
>> Also one might want to think about introducing an API to invalidate such  
>> an implementation-specific cache and also to introduce a lastModified 
>> method,
>> whereas I am not sure if one can check LDAP re lastModifieds
>>
>
> A notification channel for the User- and Policy-Manager interface may  
> solve the issue: the resource changing any policy or user data may  
> notify the implementing classes. However, external processes with  
> direct access to the user data repository will not make use of such  
> a notification channel. A regular check for changes and TTL driven  
> reloads may still be needed.
>
> As for LDAP, I'm not sure how we can check for a modification date  
> for now, I'll try to figure this out.


that would be great

> However, when a user gets deleted in the LDAP (or his authorization 
> to use the application gets removed) we have the same issues when 
> caching is applied: we do not see the change in the application or we 
> notice the change too late.
>
> We may do the following:
>  - on each authentication request, (re)load the full user data from  
> the repositories
>  - thus assure that any authentication data and basic login  
> constraint (locked? expired? ...)
>    are the most current
>  - cache the user data
>  - on session expiration, the UserManager is notified and invalidates  
> the cache for this user
>
> What do you think?


please see above the suggested API and implementation changes

Cheers

Michi

>
> Cheers
> -ok
>
>
> _______________________________________________
> Yanel-development mailing list
> Yanel-development at wyona.com
> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development



-- 
Michael Wechner
Wyona      -   Open Source Content Management - Yanel, Yulup
http://www.wyona.com
michael.wechner at wyona.com, michi at apache.org
+41 44 272 91 61
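The design sketched in this thread (a realm-wide TTL on cached user data, a `getUser(String username, boolean refresh)` variant that bypasses the cache, a per-user invalidation hook the web-app calls on session expiry or a kick, and an always-reload login path so lock/expiry state is current) can be put together as follows. This is an added example, not code from Yanel's `YarepUserManager`; the `User`, `UserSource`, `CachingUserManager`, `canLogin` and `invalidate` names are hypothetical stand-ins for the real security API, and the in-memory `UserSource` in `main` is a constructed substitute for the Yarep or LDAP backend.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (not Yanel's code): a TTL-bounded user cache with an explicit
// refresh flag, per-user invalidation and a login path that never trusts the cache.
public class CachingUserManager {

    // Hypothetical stand-in for Yanel's User interface.
    public interface User {
        String getName();
        boolean isLocked();
        boolean isExpired();
    }

    // Hypothetical stand-in for the backing repository / LDAP lookup.
    public interface UserSource {
        User load(String username);   // returns null if the user does not (or no longer) exist
    }

    private static final class Entry {
        final User user;
        final long loadedAt;
        Entry(User user, long loadedAt) { this.user = user; this.loadedAt = loadedAt; }
    }

    private final UserSource source;
    private final long ttlMillis;                       // realm-wide TTL for cached user data
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();

    public CachingUserManager(UserSource source, long ttlMillis) {
        this.source = source;
        this.ttlMillis = ttlMillis;
    }

    /** Serve from the cache unless refresh is requested or the entry is older than the TTL. */
    public User getUser(String username, boolean refresh) {
        long now = System.currentTimeMillis();
        Entry e = cache.get(username);
        if (!refresh && e != null && now - e.loadedAt < ttlMillis) {
            return e.user;
        }
        User fresh = source.load(username);
        if (fresh == null) {
            cache.remove(username);                     // deleted externally: drop the stale copy
            return null;
        }
        cache.put(username, new Entry(fresh, now));
        return fresh;
    }

    public User getUser(String username) { return getUser(username, false); }

    /** exists() consults the cache first but falls back to the repository on a miss. */
    public boolean existsUser(String username) { return getUser(username, false) != null; }

    /** Hook for the web-app: call on logout, session expiry or an admin kick. */
    public void invalidate(String username) { cache.remove(username); }

    /** Login path: always reload so that locked/expired flags are current, never cached. */
    public boolean canLogin(String username) {
        User u = getUser(username, true);
        return u != null && !u.isLocked() && !u.isExpired();
    }

    public static void main(String[] args) {
        // Constructed in-memory backend: username -> locked flag.
        Map<String, Boolean> locked = new ConcurrentHashMap<>();
        locked.put("alice", false);
        UserSource source = name -> {
            if (!locked.containsKey(name)) return null;
            boolean isLocked = locked.get(name);
            return new User() {
                public String getName() { return name; }
                public boolean isLocked() { return isLocked; }
                public boolean isExpired() { return false; }
            };
        };

        CachingUserManager mgr = new CachingUserManager(source, 60_000);
        System.out.println("initial login allowed: " + mgr.canLogin("alice"));      // true
        locked.put("alice", true);                       // locked out of band, e.g. in LDAP
        System.out.println("cached copy still unlocked: " + !mgr.getUser("alice").isLocked()); // true (stale)
        System.out.println("login path sees the lock: " + !mgr.canLogin("alice"));  // true
        mgr.invalidate("alice");                         // session expired / user kicked
        locked.remove("alice");                          // deleted externally
        System.out.println("after invalidate, exists: " + mgr.existsUser("alice")); // false
    }
}
```

The stale read in the middle of `main` is exactly the window Oli describes: a plain `getUser` call keeps serving the cached, unlocked copy until the TTL runs out, which is why the login path forces `refresh = true` and why the web-app needs an explicit `invalidate` it can call when a session ends or a user is kicked.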


