Thread: User Cache - EHCache

  1. #1

    I have a custom authentication provider (that extends AbstractUserDetailsAuthenticationProvider) and a custom UserDetailsService. I am using EH Cache to cache the UserDetails:

    Code:
    <bean id="authenticationProvider" class="com.issinc.sac.security.v331.CustomAuthenticationProvider">
        <constructor-arg ref="customUserDetailsService" />
        <property name="passwordEncoder" ref="standardPasswordEncoder" />      
        <property name="userCache" ref="ehUserCache" />        
    </bean>
    
    <bean id="ehUserCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
        <property name="cache" ref="userCacheBackend"/>
    </bean>       
        
    <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <property name="cacheManager" ref="cacheManager"/>
        <property name="cacheName" value="userCache"/>
    </bean>
    I am getting cache hits upon my second login as expected but the password coming back from the cached UserDetails is always null. It would seem that this would be by design (storing password in cache is not safe) but it doesn't seem to go with the code in AbstractUserDetailsAuthenticationProvider which pulls the user from the cache, attempts to run authentication checks and then when those authentication checks fail re-retrieves the user (essentially making the cache pointless):

    try {
        preAuthenticationChecks.check(user);
        additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
    } catch (AuthenticationException exception) {
        if (cacheWasUsed) {
            // There was a problem, so try again after checking
            // we're using latest data (i.e. not from the cache)
            cacheWasUsed = false;
            user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
            preAuthenticationChecks.check(user);
            additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
        } else {
            throw exception;
        }
    }

    I am sure I am missing something here but I didn't find a whole lot of documentation about this. Can someone give me a hint? Thank you very much.

  2. #2

    Sorry, I forgot to mention I am using Spring Security 3.1.0 and EH Cache 2.5.2.

  3. #3

    Quote: Originally Posted by dbmargo
    Sorry, I forgot to mention I am using Spring Security 3.1.0 and EH Cache 2.5.2.
    https://jira.springsource.org/browse/SEC-1493

    This was happening because I was using org.springframework.security.core.userdetails.User and the credentials were being erased before the cache was persisted. I created a custom UserDetails object and overrode the eraseCredentials method to work around this.
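
The workaround described in post #3, as an added example that is not code from the thread or from Spring Security. It assumes spring-security-core on the classpath and a cache that stores the object reference; `CacheableUser`, the `HashMap` stand-in for EhCache and the sample values are hypothetical.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class EraseCredentialsCacheDemo {

    /** Hypothetical subclass: keeps the encoded password when credentials are erased. */
    static class CacheableUser extends User {
        private static final long serialVersionUID = 1L;

        CacheableUser(String username, String encodedPassword,
                      Collection<? extends GrantedAuthority> authorities) {
            super(username, encodedPassword, true, true, true, true, authorities);
        }

        @Override
        public void eraseCredentials() {
            // Intentionally empty: the cache holds this same instance, so nulling
            // the password here would also null it for the next cache hit.
        }
    }

    /** Caches the instance, erases its credentials, returns the cached password. */
    static String cachedPasswordAfterErase(User user) {
        // Assumption: HashMap stands in for the EhCache-backed UserCache.
        Map<String, UserDetails> cache = new HashMap<String, UserDetails>();
        cache.put(user.getUsername(), user); // stores a reference, not a copy
        user.eraseCredentials();             // applied to the authenticated principal
        return cache.get(user.getUsername()).getPassword();
    }

    public static void main(String[] args) {
        Collection<? extends GrantedAuthority> roles =
                AuthorityUtils.createAuthorityList("ROLE_USER");
        String hash = "constructed-encoded-password"; // constructed sample, not a real hash

        // Stock User: the cached entry loses its password, so the cached check fails.
        System.out.println(cachedPasswordAfterErase(
                new User("alice", hash, true, true, true, true, roles)));
        // Subclass: the cached entry still carries the encoded password.
        System.out.println(cachedPasswordAfterErase(new CacheableUser("alice", hash, roles)));
    }
}
```

With this workaround the encoded password remains in every cached entry, so the `userCache` region should stay in memory only and not be overflowed to disk or replicated.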
