Bug #3165

Libclient caching does not respect accessPolicies

Added by Rob Nahf over 11 years ago. Updated almost 9 years ago.

Target version:
Start date:
Due date:
% Done:


Story Points:


Currently, libclient allows the get() method to specify the session/subject of the caller, but the underlying JCS cache does not associate the session/subject of the caller with the cache. Therefore, objects retrieved by one subject are available to any other subject using that MNode instance, even if otherwise a NotAuthorized would be returned if the object was not previously cached.


#1 Updated by Rob Nahf about 11 years ago

  • Target version changed from Sprint-2012.35-Block.5.2 to Sprint-2012.39-Block.5.4
  • Position changed from 1 to 493
  • Position set to 1

#2 Updated by Rob Nahf about 11 years ago

  • translation missing: en.field_remaining_hours set to 0.0
  • Due date set to 2012-10-27
  • Priority changed from High to Low
  • Target version changed from Sprint-2012.39-Block.5.4 to Sprint-2012.41-Block.6.1

this is not a burning issue, so find an easy solution or throw into the backlogs.

#3 Updated by Rob Nahf about 11 years ago

  • Due date changed from 2012-10-27 to 2012-11-10
  • Target version changed from Sprint-2012.41-Block.6.1 to Sprint-2012.44-Block.6.2

#4 Updated by Rob Nahf almost 11 years ago

  • Start date deleted (2012-08-31)
  • Due date deleted (2012-11-10)
  • Target version deleted (Sprint-2012.44-Block.6.2)

#5 Updated by Rob Nahf over 10 years ago

possible solutions are multiple caches (one per subject), local access policy checking, perform a describe request, or isAuthorized() prior to returning from the cache (if cached), clearing the cache for new subjects, associating the cached object with a subject.

the describe check is probably the most elegant, but does introduce http connection overhead compared to not doing any checks at all. The other options require introspection of the subject for each call, and could lead to unnecessary downloads.

Another approach is a multi-client caching configuration option that would only implement access policy checks when configured that way.

#6 Updated by Dave Vieglais about 9 years ago

  • Start date set to 2014-12-01
  • Due date set to 2014-12-01
  • Target version set to CCI-2.0.0

#7 Updated by Rob Nahf about 9 years ago

  • Due date deleted (2014-12-01)
  • Start date deleted (2014-12-01)
  • Target version deleted (CCI-2.0.0)

#8 Updated by Dave Vieglais almost 9 years ago

  • Project changed from Infrastructure to Java Client
  • Category deleted (d1_libclient_java)

#9 Updated by Rob Nahf almost 9 years ago

  • Category set to d1_libclient_java

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 14.8 MB)