Details
- Bug
- Resolution: Unresolved
- Low
- Severity 3 - Minor
Description
There is a bug in the Crowd Spring Integration library that causes applications using it to make a remote request to the Crowd server to validate the token for each request, even when the library is configured to cache the validation results.
Steps to reproduce
- Set up a web app that uses Spring Security and the Crowd Spring Integration libraries with SSO enabled (instructions: https://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Spring+Security ). Make sure the property 'session.validationinterval' is set to a positive integer (e.g., 30 minutes) and that 'session.lastvalidation' is also set, both in the new application's crowd.properties file.
- Authenticate successfully to create an SSO token.
- Reload the page in the application.
Expected results
After the first successful validation of the token, the result is cached for a certain period, and no more requests are made to the remote Crowd server in that period for that token.
Observed results
All requests made to the application cause a remote request to the remote Crowd server to validate the token.
Workaround
The bug is specific to the Spring Integration and does not affect other applications that integrate with Crowd SSO using the SOAP or the REST API directly (they go through HttpAuthenticatorImpl and CrowdHttpAuthenticatorImpl respectively, which correctly cache the token validation results). Until a fix is available, applications that require caching may discard the Spring Integration libraries provided with Crowd and develop their own integration using the REST API (CrowdHttpAuthenticatorImpl). The SOAP API is no longer recommended.
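
The caching behaviour described under "Expected results", as an added Java sketch that is not Crowd's or the Spring Integration library's code: `RemoteValidator` and `CachingValidator` are hypothetical names, the 30-minute interval mirrors the example value for 'session.validationinterval', and the token string is constructed. Counting remote calls as `main` does is one way for a custom integration to confirm that caching is in effect.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

public class ValidationCacheDemo {
    /** Hypothetical stand-in for the remote token validation call to the Crowd server. */
    interface RemoteValidator { boolean validate(String token); }

    /** Skips the remote call while a token's last successful validation is still fresh. */
    static final class CachingValidator {
        private final RemoteValidator remote;
        private final Duration interval;
        private final Map<String, Instant> lastValidated = new ConcurrentHashMap<>();

        CachingValidator(RemoteValidator remote, long intervalMinutes) {
            this.remote = remote;
            this.interval = Duration.ofMinutes(intervalMinutes);
        }

        boolean isValid(String token, Instant now) {
            Instant last = lastValidated.get(token);
            // A non-positive interval disables caching: every request is validated remotely.
            boolean cachingOn = !interval.isZero() && !interval.isNegative();
            if (cachingOn && last != null && now.isBefore(last.plus(interval))) {
                // Cached result: a token revoked on the server is still accepted
                // here until the interval elapses, so keep the interval short.
                return true;
            }
            boolean ok = remote.validate(token);
            if (ok) lastValidated.put(token, now); else lastValidated.remove(token);
            return ok;
        }
    }

    public static void main(String[] args) {
        AtomicInteger remoteCalls = new AtomicInteger();
        RemoteValidator remote = t -> { remoteCalls.incrementAndGet(); return "constructed-token".equals(t); };
        CachingValidator validator = new CachingValidator(remote, 30);
        Instant t0 = Instant.parse("2020-01-01T00:00:00Z");
        // Five page loads, one minute apart, all inside the 30-minute interval.
        for (int i = 0; i < 5; i++) validator.isValid("constructed-token", t0.plusSeconds(60L * i));
        System.out.println("remote calls within interval: " + remoteCalls.get());
        // A request after the interval has elapsed must be validated remotely again.
        validator.isValid("constructed-token", t0.plus(Duration.ofMinutes(31)));
        System.out.println("remote calls after interval: " + remoteCalls.get());
    }
}
```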