OpenIdentityPlatform / OpenAM

OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
https://www.openidentityplatform.org/openam

Append the IdType (membershipType/memberType) to the cache key #663

Closed sp193 closed 11 months ago

sp193 commented 11 months ago

This should fix #662.

Append the IdType (membershipType/memberType) to the cache key, to avoid mixing up the result sets. Previously, IdCachedServicesImpl's getMembers() and getMembership() did not consider the IdType, thus the results could get mixed up, leading to unexpected behaviour if the results would differ. Consequences may include a temporary inability of AM to correctly evaluate policies, resulting in correct enforcement of policies by the gateway. The result of the policy evaluation may also be cached, making the issue last longer than the lifespan of the entry within the cache.

The IdType is now suffixed to the key. For example, these would have been equivalent, without the change:

IdCachedServicesImpl.getMemberships(): Cache hit for key = id=admin,ou=user,o=iot_platform,o=wisx,ou=services,dc=openam,dc=forgerock,dc=org_role.
IdCachedServicesImpl.getMemberships(): Cache hit for key = id=admin,ou=user,o=iot_platform,o=wisx,ou=services,dc=openam,dc=forgerock,dc=org_group.

maximthomas commented 11 months ago

@sp193 thanks for the contribution!
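
The cache-key collision described in this pull request, reproduced as a self-contained Java program (an added example, not code from OpenAM or from the PR). The class `MembershipCacheDemo`, the `lookup` data and the DN are constructed for illustration; only the `_role`/`_group` suffix shape is taken from the log lines quoted in the description.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical demo class; it does not reproduce IdCachedServicesImpl.
public class MembershipCacheDemo {
    enum IdType { ROLE, GROUP }

    // Constructed backing data: one identity whose role and group memberships differ.
    static Set<String> lookup(String dn, IdType type) {
        return type == IdType.ROLE
                ? Set.of("cn=auditor")
                : Set.of("cn=operators", "cn=admins");
    }

    private final Map<String, Set<String>> cache = new HashMap<>();
    private final boolean typeInKey;

    MembershipCacheDemo(boolean typeInKey) {
        this.typeInKey = typeInKey;
    }

    // Without the type the key is the DN alone; with it, the IdType is suffixed to the DN.
    String key(String dn, IdType type) {
        return typeInKey ? dn + "_" + type.name().toLowerCase() : dn;
    }

    Set<String> getMemberships(String dn, IdType type) {
        // The backend is consulted only on a cache miss.
        return cache.computeIfAbsent(key(dn, type), k -> lookup(dn, type));
    }

    public static void main(String[] args) {
        String dn = "id=admin,ou=user,o=example,ou=services,dc=example,dc=org"; // constructed DN
        for (boolean typeInKey : new boolean[] { false, true }) {
            MembershipCacheDemo c = new MembershipCacheDemo(typeInKey);
            Set<String> roles = c.getMemberships(dn, IdType.ROLE);   // fills the cache
            Set<String> groups = c.getMemberships(dn, IdType.GROUP); // same key when the type is missing
            boolean stale = !groups.equals(lookup(dn, IdType.GROUP));
            System.out.printf("typeInKey=%b roles=%s groups=%s groupResultIsStale=%b%n",
                    typeInKey, roles, groups, stale);
        }
    }
}
```

With the DN-only key, the second call is served the role set that the first call cached; any authorization decision derived from that answer inherits the error until the entry expires.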