Caching AuthStates
Introduction and overview
The processing of one or several AuthStates can become a performance issue when fast authentication operations are required. This is specifically the case when costly cryptographic operations have to be performed or when relatively slow calls to a back-end service are necessary. In some cases, those operations or calls are completely based on a recurring set of inputs such that for given identical inputs the results will always be identical as well.
Under such circumstances, the caching AuthStates may be used to associate such a well-known set of inputs with a computed and cached result set. The following figure illustrates the typical usage pattern of caching AuthStates.
The incoming input is digested by using the configured hash algorithm in the ReadFromCacheState. The resulting hash value is used for the look-up in the cache. If the look-up is successful (a cached value is found), then this value – represented by a key – is used in the rest of the authentication as if it was just computed.
If the look-up failed (this is called a miss), the inputs are processed as usual. The result of this process is then written to the cache by using the WriteToCache AuthState. The regular processing then continues and while no performance improvement was gained in this case, the following authentication runs with the same inputs will be able to bypass the expensive operations.
The selection of the input values is crucial: A wrongly configured input set can introduce data leaks and new security vulnerabilities. Configure the same inputs as used in the authentication operation(s) that are to be avoided.Cache space Each configured caching AuthState operates on a specified cache space. AuthStates with identical cache spaces may read and write the values while AuthStates with differing cache spaces will never read or write the same values.
ReadFromCacheState - Description
The following table describes the characteristics of the AuthState.
| Topic | Description |
|---|---|
| Class | ch.nevis.esauth.auth.states.cache.ReadFromCacheState |
| Logging | Cache |
| Auditing | none |
| Marker | none |
| Properties | cacheSpace (string, "default")The name of the abstract space from which the AuthState reads. |
| hashAlgorithm (string, -)The hashing algorithm for the calculation of the hash key. All algorithms supported by the JDK may be specified. If not configured, the non-cryptographic string hashing algorithm of the JDK will be used. This algorithm is very fast but prone to hash collision attacks. | |
<scope:var> (string, required)A value to be read from the cache and propagated into the specified scope. By using the configured hashing algorithm, a hash value will be computed from the value of the property. This hash value is used to perform the actual look-up in the cache space of the AuthState.Example: <property name="notes:var" value="${inargs:isiwebuserid}${inargs:isiwebpasswd}${inargs:domain}"> | |
| Methods | process |
| Input | none (except over variable substitution) |
| Transitions | ok: all look-ups were successful |
| miss: one or several of the configured look-ups failed to find a matching value in the cache | |
| Output | none (except propagated values) |
| Errors | none |
Example
<AuthState name="FetchFromCache" class="ch.nevis.esauth.auth.states.cache.ReadFromCacheState" final="false">
<ResultCond name="ok" next="NextStep"/>
<ResultCond name="miss" next="DoAuthentication"/>
<Response value="AUTH_ERROR"/>
<property name="cacheSpace" value="TechAuthCache"/>
<property name="hashAlgorithm" value="SHA-512"/>
<property name="sess:ch.adnovum.nevisidm.userDto" value="${request:clientCertAsString}"/>
</AuthState>
WriteToCacheState - Description
The following table describes the characteristics of the AuthState.
| Topic | Description |
|---|---|
| Class | ch.nevis.esauth.auth.states.cache.WriteToCacheState |
| Logging | Cache |
| Auditing | none |
| Marker | none |
| Properties | cacheSpace (string, "default")The name of the abstract space to which the AuthState writes. |
| hashAlgorithm (string, -)The hashing algorithm for the calculation of the hash key. All algorithms supported by the JDK may be specified. If not configured, the non-cryptographic string hashing algorithm of the JDK will be used. This algorithm is very fast but prone to hash collision attacks. | |
| maxAge (duration in seconds, 600)Maximum duration in seconds for which the written entry will remain valid. | |
| maxEntries (number, 100)Maximum number of entries accepted in the cache space. If the maximum is reached, the AuthState will abort with result failed (overwriteOldEntries= false) or make space by throwing away the oldest entry of the cache space (overwriteOldEntries =true).Set this property conservatively to protect against overflows of cached data, especially when caching large keys or values. | |
| overwriteOldEntries (boolean, true)Configures the strategy to apply when the maximum allowed number of entries in the cache space has been reached. See the property maxEntries in this table for details. | |
<expression> (string, -)One or several expressions to write into the cache. The property's name will be evaluated and used as the key of the cache entry (applying the configured hashAlgorithm). The property's value will be evaluated and used as the entry's value. | |
| Methods | process |
| Input | none (except over variable substitution) |
| Transitions | ok: All write operations were successful. |
| overflow: The write operation succeeded, but the cache space is full and old entries are removed before their validity period has expired. | |
| failed: The write operation failed. | |
| Output | none |
| Errors | none |
Example
<AuthState name="PutInCache" class="ch.nevis.esauth.auth.states.cache.WriteToCacheState" final="false">
<ResultCond name="ok" next="AuthDone"/>
<ResultCond name="failed" next="AuthError"/>
<Response value="AUTH_ERROR"/>
<property name="cacheSpace" value="TechAuthCache"/>
<property name="hashAlgorithm" value="SHA-512"/>
<property name="${request:clientCertAsString}" value="${sess:ch.adnovum.nevisidm.userDto}"/>
</AuthState>