[jboss-jira] [JBoss JIRA] (SECURITY-891) rolesSearch is doing a needless LDAP call for each individual role

Tom Fonteyne (JIRA) issues at jboss.org
Thu May 21 09:26:20 EDT 2015


    [ https://issues.jboss.org/browse/SECURITY-891?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13070010#comment-13070010 ] 

Tom Fonteyne commented on SECURITY-891:
---------------------------------------

proposed code change:

    // Query the context for the roleDN values
    String[] attrNames = {roleAttributeID};
    Attributes result = null;
    if (sr.isRelative()) {
        // The search already returned the role attribute on the SearchResult;
        // use it instead of a second round trip to the LDAP server.
        result = sr.getAttributes();
        if (result.size() == 0) {
            // Safeguard only: fetch from the server if the attribute is somehow missing.
            result = ldapCtx.getAttributes(quoteDN(dn), attrNames);
        }
    }

The check for == 0 and the subsequent ldapCtx call are in fact not even needed, as due to previous logic the attribute named by "roleAttributeID" will always be present in "sr"... but to safeguard against any future code changes, the ==0/ldapCtx is a careful safeguard.

> rolesSearch is doing a needless LDAP call for each individual role
> ------------------------------------------------------------------
>
>                 Key: SECURITY-891
>                 URL: https://issues.jboss.org/browse/SECURITY-891
>             Project: PicketBox 
>          Issue Type: Bug
>          Components: JBossSX, Security-SPI
>    Affects Versions: PicketBox_4_9_2.Final
>            Reporter: Tom Fonteyne
>            Assignee: Tom Fonteyne
>
> https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
> line 690:
>                // Query the context for the roleDN values
>                String[] attrNames = {roleAttributeID};
>                Attributes result = null;
>                if (sr.isRelative()) {
>                   result = ldapCtx.getAttributes(quoteDN(dn), attrNames);
> The getAttributes method forces another roundtrip to the LDAP server, while the required attribute is in fact already present on the "sr" SearchResult object.
> If a user is a member of (let's say) 100 groups, then we can get an extra 100 calls to the LDAP server.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
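As an added illustration (not PicketBox code and not part of the issue thread), the stand-alone Java program below contrasts the original per-role ctx.getAttributes() lookup with the proposed use of sr.getAttributes(), counting round trips through a constructed DirContext proxy that stands in for the LDAP server; the 100-group scenario and the "cn" role attribute are assumed.

```java
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import javax.naming.NamingException;
import javax.naming.directory.*;
public class RolesSearchRoundTrips {
    // Stand-in for the LDAP server (constructed here, not PicketBox code): a DirContext
    // proxy that counts every getAttributes() call, i.e. every extra round trip.
    static DirContext countingContext(AtomicInteger calls, Attributes served) {
        return (DirContext) Proxy.newProxyInstance(DirContext.class.getClassLoader(),
            new Class<?>[] {DirContext.class}, (proxy, method, margs) -> {
                if (!method.getName().equals("getAttributes")) {
                    throw new UnsupportedOperationException(method.getName());
                }
                calls.incrementAndGet();
                return served;
            });
    }
    // Original behaviour (line 690 in the report): one ldapCtx.getAttributes() round trip per role.
    static Attributes roleAttrsBefore(DirContext ctx, SearchResult sr, String roleAttributeID)
            throws NamingException {
        return ctx.getAttributes(sr.getName(), new String[] {roleAttributeID});
    }
    // Proposed behaviour: use the attributes the search already returned on the SearchResult,
    // and only go back to the server if they are missing (the safeguard from the comment).
    static Attributes roleAttrsAfter(DirContext ctx, SearchResult sr, String roleAttributeID)
            throws NamingException {
        Attributes result = sr.getAttributes();
        if (result == null || result.size() == 0) {
            result = ctx.getAttributes(sr.getName(), new String[] {roleAttributeID});
        }
        return result;
    }
    public static void main(String[] args) throws NamingException {
        String roleAttributeID = "cn";  // assumed role attribute
        List<SearchResult> results = new ArrayList<>();
        for (int i = 0; i < 100; i++) {  // a user in 100 groups, as in the report
            Attributes attrs = new BasicAttributes(roleAttributeID, "group" + i);
            results.add(new SearchResult("cn=group" + i + ",ou=groups,dc=example,dc=com", null, attrs));
        }
        AtomicInteger calls = new AtomicInteger();
        DirContext ctx = countingContext(calls, new BasicAttributes(roleAttributeID, "fromServer"));
        for (SearchResult sr : results) roleAttrsBefore(ctx, sr, roleAttributeID);
        System.out.println("before: " + calls.getAndSet(0) + " LDAP round trips for 100 roles");
        for (SearchResult sr : results) roleAttrsAfter(ctx, sr, roleAttributeID);
        System.out.println("after:  " + calls.get() + " LDAP round trips for 100 roles");
    }
}
```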