  1. OpenAM
  2. OPENAM-14800

Session property updates are not batched and do one LDAP operation per property

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.5.1
    • Fix Version/s: None
    • Labels:
      None

      Description

      Bug description

      Since the change to CTS for stateful sessions, the API to set extra properties on the session, SSOToken.setProperty(), makes a CTS update per call. This is an expensive and slow call, as it does a round-trip to the CTS (which manifests as an LDAP modify).

      Now there are many of these types of calls in AM, and in fact one cannot escape or work around this issue, since it is used in Post Authentication plugins and all the other AM authentication code that does a setProperty() (for an existing session that is already built).

      This also applies to the REST call updateSessionProperties, which will issue one LDAP operation per property change.

      How to reproduce the issue

      1. Install a PAP with a for loop that does token.setProperty(key,value), say, 100 times, and you will see that there are 100 LDAP modifies in the LDAP logs.
      2. Or set up a session whitelist for a set of properties and use the REST updateSessionProperties to update the session.
      • In a realm, create a Session Property Whitelist service
      • Create more session property names
      • Create a session
      • Get the session property
        curl -s \
         -k \
         --request POST \
         -H 'X-Requested-With: XMLHttpRequest' \
         --header "iplanetdirectorypro: $tokenID" \
         --header "Content-Type: application/json" \
         "$URL/openam/json/sessions/?_action=getSessionProperties&realm=${realm}"
        
      • Update
        curl -s \
         -k \
         --request POST \
         -H 'X-Requested-With: XMLHttpRequest' \
         -d "
         {\"EXT-KEY0\":\"EXT-VALUE-0-$$\",
         \"EXT-KEY2\":\"EXT-VALUE-2-$$\",
         \"EXT-KEY1\":\"EXT-VALUE-1-$$\",\"EXT-KEY3\":\"EXT-VALUE-3\"}" \
         --header "iplanetdirectorypro: $tokenID" \
         --header "Content-Type: application/json" \
         "$URL/openam/json/sessions/?_action=updateSessionProperties&realm=${realm}"
        
      Expected behaviour
      Reduced overhead, or a bulk session property updater.
      
      Current behaviour
      Each token.setProperty() causes LDAP traffic as long as one uses the SessionService to get the service and uses setProperty.
      

      Work around

      None. Tune the CTS performance (as there is increased traffic). Otherwise, put the needed data in one session key, where the value could be, say, key=value pairs (CSV or JSON).

      Code analysis

      SessionService.getSession(...) returns a CTSSession that will always go to CTS and update the LDAP store. In fact, any SessionMutator in AM does that unless it is done during session creation time.
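
      The workaround above (one session key carrying key=value pairs), applied to the report's updateSessionProperties request, as an added example that is not part of the original report or of OpenAM. The property name EXT-BUNDLE and the function names are hypothetical; values containing a comma, double quote or backslash are rejected rather than escaped.

```shell
#!/bin/sh
# Added example: pack several values into ONE whitelisted session property so
# the update request carries a single property change (by the report's
# account, one LDAP operation instead of one per property).
# BUNDLE_KEY is a hypothetical name; it must be on the realm's whitelist.
BUNDLE_KEY="EXT-BUNDLE"

# pack_props KEY=VALUE... -> prints the JSON body {"EXT-BUNDLE":"k=v,k=v"}
pack_props() {
    csv=""
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *) echo "not key=value: $pair" >&2; return 1 ;;
        esac
        case "$pair" in
            # These would make the CSV ambiguous or break the JSON string.
            *,*|*\"*|*\\*) echo "unsupported character in: $pair" >&2; return 1 ;;
        esac
        csv="${csv:+$csv,}$pair"
    done
    [ -n "$csv" ] || return 1
    printf '{"%s":"%s"}' "$BUNDLE_KEY" "$csv"
}

# unpack_prop CSV KEY -> prints the value stored under KEY; fails if absent.
unpack_prop() {
    rest="$1,"
    while [ -n "$rest" ]; do
        pair=${rest%%,*}; rest=${rest#*,}
        if [ "${pair%%=*}" = "$2" ]; then printf '%s' "${pair#*=}"; return 0; fi
    done
    return 1
}

# update_session BODY: the report's update request with a one-property body.
# URL, realm and tokenID are the variables used by the report's commands.
update_session() {
    curl -s --request POST \
        -H 'X-Requested-With: XMLHttpRequest' \
        --header "iplanetdirectorypro: $tokenID" \
        --header "Content-Type: application/json" \
        -d "$1" \
        "$URL/openam/json/sessions/?_action=updateSessionProperties&realm=${realm}"
}
```

      A caller would run update_session "$(pack_props EXT-KEY0=a EXT-KEY1=b)" and read individual values back with unpack_prop on the returned EXT-BUNDLE string.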

       

       


              People

              • Assignee:
                Unassigned
                Reporter:
                chee-weng.chea C-Weng C