Details

    • Branch Version/s:
      6.0.x
    • Backported to Branch:
      Committed

      Description

      Problem

      For efficiency, the OpenSSOFilter should not invoke "isTokenValid" on the OpenAM server if the current request has no SSO cookies.

      Resolution

      Add the following test to OpenSSOUtil to short-circuit the "isTokenValid" test when there are no SSO cookies. During testing, it was found that this test worked best by checking if all SSO cookies are null rather than any one SSO cookie.

      private boolean _isAuthenticated(
              HttpServletRequest request, String serviceUrl)
          throws IOException {

          boolean authenticated = false;

          // Short-circuit the test if all of the SSO cookies are missing
          String[] cookieNames = _getCookieNames(serviceUrl);

          int cookieCount = 0;

          for (String cookieName : cookieNames) {
              if (CookieUtil.get(request, cookieName) != null) {
                  cookieCount++;
              }
          }

          if (cookieCount == 0) {
              _log.warn("Request has no SSO cookies. User is not logged in.");

              return false;
          }

          String url = serviceUrl + _VALIDATE_TOKEN;

          URL urlObj = new URL(url);

          HttpURLConnection urlc = (HttpURLConnection)urlObj.openConnection();

          ...
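The pre-check described above, as a stand-alone added example (not code from the Liferay source or from this issue's patch). It shows that the short-circuit can only deny, and that any request carrying an SSO cookie still reaches the remote validator. The class name, the cookie names, the token value and the validator are constructed for illustration, and treating an empty cookie value as absent is an assumption that goes beyond the patch's null test.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;

public class SsoPreCheckDemo {

    // Counts remote validations; stands in for the "isTokenValid" call to OpenAM.
    static final AtomicInteger remoteCalls = new AtomicInteger();

    // Pre-check from the issue: skip the remote call only when ALL SSO cookies are absent.
    // Empty values are treated as absent too (an assumption beyond the original null check).
    static boolean isAuthenticated(Map<String, String> cookies, List<String> ssoCookieNames,
            Predicate<Map<String, String>> remoteValidator) {
        long present = ssoCookieNames.stream()
            .map(cookies::get)
            .filter(v -> v != null && !v.isEmpty())
            .count();
        if (present == 0) {
            return false; // fail closed: the short-circuit can only deny, never grant
        }
        remoteCalls.incrementAndGet();
        return remoteValidator.test(cookies); // the server remains the only authority
    }

    public static void main(String[] args) {
        List<String> names = List.of("SSO_TOKEN", "SSO_LB"); // constructed cookie names
        // Hypothetical validator: accepts one constructed token value.
        Predicate<Map<String, String>> validator = c -> "valid-token".equals(c.get("SSO_TOKEN"));

        Map<String, Map<String, String>> requests = new LinkedHashMap<>();
        requests.put("load balancer probe", Map.of());
        requests.put("unrelated cookie only", Map.of("JSESSIONID", "abc"));
        requests.put("empty SSO cookie", Map.of("SSO_TOKEN", ""));
        requests.put("partial SSO cookies", Map.of("SSO_LB", "01"));
        requests.put("forged token", Map.of("SSO_TOKEN", "guess", "SSO_LB", "01"));
        requests.put("valid session", Map.of("SSO_TOKEN", "valid-token", "SSO_LB", "01"));

        requests.forEach((label, cookies) -> {
            int before = remoteCalls.get();
            boolean ok = isAuthenticated(cookies, names, validator);
            System.out.printf("%-22s authenticated=%-5s remoteCall=%s%n",
                label, ok, remoteCalls.get() > before);
        });
    }
}
```

Only the last three constructed requests trigger a remote call, and only the one with the valid token is authenticated.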

        Activity

        Flavius Daca added a comment -

        Here are further details to our enhancement:

        1. We have tested this patch in our environment and demonstrated that it significantly reduced the traffic on our OpenAM servers.

        2. The scenario in more detail:

        2a. Each day the 4-node cluster of Liferay receives 240,000 requests to the base URL. Some of this is caused by each load balancer performing a monitoring GET request every 5 seconds to each server. Some of this is caused by users entering the base address in their browser.

        2b. These requests typically contain no SSO cookies. When the OpenSSOFilter is invoked for this request and consequently the OpenSSOUtil is invoked, it doesn't check if the request contains any SSO cookies and naively invokes the OpenAM Web Service and sends an empty cookie value! This results in 240,000/day additional SOAP calls to the OpenAM server that aren't necessary. In short, the OpenSSOUtil shouldn't send the SOAP call if it doesn't have any cookies. This is a simple code optimisation that had a big impact on our performance testing.

        2c. At the end of this request, the request is directed to the OpenAM SSO server to log in. In the case of the load balancer, we treat the 302 response as a sign that the server is running. For the user, their browser follows the redirect and shows the login form.

        Vicki Tsang added a comment -

        This is being bulk closed in preparation for the new workflow.
