Liferay Issues

PUBLIC - Liferay Portal Community Edition
  • LPS-18337

OpenSSOFilter enhancement


Details

  • Type: Improvement
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 6.0.11 EE
  • Fix Version/s: --Sprint 12/11, 6.1.0 CE RC1, 6.0.X EE
  • Component/s: Authentication, Operations, Operations > Performance
  • Labels:
    • OpenSSOFilter
    • QA-R
    • SSO
  • Environment:
    Liferay Version: 6.0 SP 1
    Operating System: Linux
    Application Server: Tomcat 6.x
    Java Virtual Machine: Java 6
    Database: Oracle 11g
  • Branch Version/s:
    6.0.x
  • Backported to Branch:
    Committed
  • Enterprise Requirement:
    Enterprise Requirement

Description

Problem

For efficiency, the OpenSSOFilter should not invoke "isTokenValid" on the OpenAM server if the current request has no SSO cookies.

Resolution

Add the following test to OpenSSOUtil to short-circuit the "isTokenValid" test when there are no SSO cookies. During testing, it was found that this test worked best by checking if all SSO cookies are null rather than any one SSO cookie.

    private boolean _isAuthenticated(
            HttpServletRequest request, String serviceUrl)
        throws IOException {

        boolean authenticated = false;

        // Short-circuit the test if all of the SSO cookies are missing
        String[] cookieNames = _getCookieNames(serviceUrl);

        int cookieCount = 0;

        for (String cookieName : cookieNames) {
            if (CookieUtil.get(request, cookieName) != null) {
                cookieCount++;
            }
        }

        if (cookieCount == 0) {
            _log.warn("Request has no SSO cookies. User is not logged in.");

            return false;
        }

        String url = serviceUrl + _VALIDATE_TOKEN;

        URL urlObj = new URL(url);

        HttpURLConnection urlc = (HttpURLConnection)urlObj.openConnection();

        ...
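
A stand-alone illustration of the short-circuit described above, added here as an example and not Liferay's own code: the cookie names, token values, the `remoteValidator` stand-in and the treatment of empty values as missing are all assumptions. It shows that only a request with no SSO cookie at all skips the remote call, and that a request carrying any SSO cookie is still validated by the server.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

public class SsoShortCircuitDemo {

    // Counts calls to the stand-in for the remote "isTokenValid" request.
    static int remoteCalls = 0;

    // Returns false without a remote call only when ALL SSO cookies are
    // missing; otherwise the server decides. Empty values are treated as
    // missing here (an assumption of this example).
    static boolean isAuthenticated(
            Map<String, String> cookies, List<String> ssoCookieNames,
            Predicate<Map<String, String>> remoteValidator) {

        for (String name : ssoCookieNames) {
            String value = cookies.get(name);
            if (value != null && !value.isEmpty()) {
                // A cookie being present proves nothing; validate it remotely.
                return remoteValidator.test(cookies);
            }
        }
        return false; // fail closed: no SSO cookie, so not logged in
    }

    public static void main(String[] args) {
        // Constructed cookie names and token value, for illustration only.
        List<String> names = Arrays.asList("SSO_TOKEN", "SSO_LB");
        Predicate<Map<String, String>> validator = cookies -> {
            remoteCalls++;
            return "good-token".equals(cookies.get("SSO_TOKEN"));
        };

        Map<String, String> probe = Collections.emptyMap(); // e.g. load balancer GET
        Map<String, String> partial = Collections.singletonMap("SSO_LB", "01");
        Map<String, String> forged = Collections.singletonMap("SSO_TOKEN", "guess");
        Map<String, String> valid = Collections.singletonMap("SSO_TOKEN", "good-token");

        System.out.println(isAuthenticated(probe, names, validator));
        System.out.println(isAuthenticated(partial, names, validator));
        System.out.println(isAuthenticated(forged, names, validator));
        System.out.println(isAuthenticated(valid, names, validator));
        System.out.println("remote calls: " + remoteCalls);
    }
}
```

Because the early exit can only ever answer "not authenticated", it reduces load on the SSO server without widening access.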

Activity

Flavius Daca added a comment - 23/Jun/11 10:40 PM

Here are further details to our enhancement:

1. We have tested this patch in our environment and demonstrated that it significantly reduced the traffic on our OpenAM servers.

2. The scenario in more detail:

2a. Each day the 4-node cluster of Liferay receives 240,000 requests to the base URL. Some of this is caused by each load balancer performing a monitoring GET request every 5 seconds to each server. Some of this is caused by users entering the base address in their browser.

2b. These requests typically contain no SSO cookies. When the OpenSSOFilter is invoked for this request and consequently the OpenSSOUtil is invoked, it doesn't check if the request contains any SSO cookies and naively invokes the OpenAM Web Service and sends an empty cookie value! The result is 240,000/day additional SOAP calls to the OpenAM server that aren't necessary. In short, the OpenSSOUtil shouldn't send the SOAP call if it doesn't have any cookies. This is a simple code optimisation that had a big impact on our performance testing.

2c. At the end of this request, the request is directed to the OpenAM SSO server to log in. In the case of the load balancer, we treat the 302 response as a sign that the server is running. For the user, their browser follows the redirect and shows the login form.

Vicki Tsang added a comment - 06/Nov/11 11:15 PM

This is being bulk closed in preparation for the new workflow.


People

  • Assignee:
    Michael Han
    Reporter:
    Flavius Daca
    Participants of an Issue:
    Flavius Daca, Michael Han, Vicki Tsang

Dates

  • Created:
    21/Jun/11 6:11 PM
    Updated:
    08/Feb/13 4:44 PM
    Resolved:
    09/Sep/11 12:49 AM
    Days since last comment:
    1 year, 27 weeks, 6 days ago
