9
votes

Newbie question so bear with me...

Currently I have a Grails 2.4.4 app that uses spring-security-ldap 2.0.1 to authenticate and authorise users against an OpenLDAP server.

The LDAP people are concerned that, without caching, this app might impact the LDAP server's performance when it moves to production. They recommended looking into using Redis as app-level caching for users, before hitting the LDAP server.

I would like to get some directions before I dive into the POC, to make sure I start on the right path:

i) I briefly looked into the 'Grails 1 & 2 Plugins' list on grails.org; a couple of plugins appeared when I searched for Redis. Which one(s) are actually relevant to what I am trying to achieve?

ii) Assuming I have integrated Redis caching into my Grails app, how/where do I tell spring-security-ldap to look in the Redis cache first, before hitting the LDAP server?

Thanks in advance for any info/guide.

1
Oh, I forgot to mention: preferably we do not want a DB implementation for user persistence, just the LDAP and Redis for caching. – alchn

I don't have enough info to give a full answer, but I've used this plugin for Redis with a large amount of success: grails.org/plugin/redis?skipRedirect=true. As for the custom login, I would think you'd extend grails.plugin.springsecurity.LoginController and override the auth method by checking your Redis cache and, if it is not populated, calling super.auth. – Mike W

1 Answer

5
votes

Here is some advice, as you're not looking for a ready-to-use solution:

  • caching any type of authentication is a big security failure, as hackers will be able to take advantage of it to bypass some rules implemented in your LDAP solution, such as brute-force protections (e.g. blocking the account after N bad passwords)

  • in order to handle the load on the LDAP server side, you could adjust the session token expiration (JSESSIONID or JWT, depending on how Spring Security has been configured). For example, if the token expiration is 1 hour, you will receive only 1 request per hour per user.

  • you could add a refresh token mechanism to renew the session token without querying LDAP. In this case you will have only 1 LDAP request per device per user, which might be acceptable. Here is how to do it using Grails JWT. In this doc you will see that Redis can be used to store the token, which is quite related to your initial solution.