Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-5623

CTS uses inefficient search for coreTokenId=

    Details

    • Sprint:
      Sprint 78 - Sustaining
    • Support Ticket IDs:

      Description

      The CTS codebase regularly looks up tokens by ID from the directory server

      Usually, since the coreTokenID is the RDN of the entry and the base below this is known, this is done as a very efficient search similar to the following:

      [05/Jan/2015:20:39:21 +0000] SEARCH REQ conn=10 op=187 msgID=188 base="coreTokenId=-6105011964828865040,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" scope=baseObject filter="(objectClass=*)" attrs="ALL"
      

      It seems there may be a few places where tokens are looked up differently, using a search similar to the following:

      [05/Mar/2015:11:00:49 +0000] SEARCH REQ conn=9 op=340246 msgID=340247 base="ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" scope=wholeSubtree filter="(&(objectClass=frCoreToken)(&(coreTokenId=2560815068138090132)))" attrs="coreTokenId"
      

      coreTokenId is not indexed as part of cts-indices.ldif, or mentioned in the documentation for setting up CTS:

      [root@openam sfha]# grep -i coreTokenId cts-indices.ldif  -c
      0
      

      So in a system with lots of tokens this search could be a significant performance hit.

      The optimal solution is probably not to index this attribute, but to change these searches to use the baseObject search instead.

      This might be a new problem in 12.0.0 as I cannot find any examples of this search in 11.

      hasSession in CTSOperations.java looks like one possible candidate:

       /**
           * Checks whether the CTS store contains the session.
           * @param session The requested session.
           * @return Whether the session is in the CTS store.
           */
          public boolean hasSession(Session session) throws SessionException {
              String tokenId = idFactory.toSessionTokenId(session.getID());
              boolean found = false;
              try {
                  Collection<PartialToken> tokens = cts.attributeQuery(new TokenFilterBuilder()
                          .returnAttribute(CoreTokenField.TOKEN_ID)
                          .withAttribute(CoreTokenField.TOKEN_ID, tokenId)
                          .build());
                  found = !tokens.isEmpty();
              } catch (CoreTokenException e) {
                  if (debug.messageEnabled()) {
                      debug.message("Could not find token: " + tokenId, e);
                  }
              }
              return found;
          }
      

        Attachments

          Activity

            People

            • Assignee:
              peter.major Peter Major [X] (Inactive)
              Reporter:
              ian.packer Ian Packer [X] (Inactive)
            • Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - Not Specified
                Not Specified
                Logged:
                Time Spent - 3h
                3h