Description
A little bit of background (a snippet of a post-mortem, really) first: in our local deployment we use Apache with the mod_mellon module to provide SAML-based SSO and therefore the authentication layer. The IdP sends multiple attributes, namely the `username` and `email`. These are passed to Tomcat via HTTP headers and are used directly to construct the `User` object via the `UserPlugin` (with `MellonHeaderDecoder`) and subsequently the `LdapUser` object via `LdapUserPlugin`, which uses these attributes to perform the LDAP lookup.
One sunny Friday 😄 the configuration of the IdP was changed so that it started sending the username part under a different attribute name. Given the scheme explained above, this made the `UserPlugin` create `User` objects whose `username` was `null`. As a result, all authenticated users saw an empty list of projects, because `LdapUserPlugin` used `User#username` to perform the LDAP lookup and the rest of the authorization stack relied on the `LdapUser` being correctly formed.
After changing the LDAP filter in the configuration of `LdapUserPlugin` not to rely on the username part, the web app started working again, except that the home page load times were in the minutes. This was another consequence of the null username, concretely this part:
opengrok/plugins/src/main/java/opengrok/auth/plugin/AbstractLdapPlugin.java
Lines 239 to 243 in aeba307
`sessionExists()` checks whether the username embedded in the session is non-null. With a null username this condition always evaluates to false, so each call to `ensureSessionExists()` performs the LDAP query again.
Ideally, `AbstractLdapPlugin` should not rely on the username part of the `User` object being non-null. It should instead use a composite of the `id` and `username` members of the `User` object (or even `toString()`) to embed into the session and to perform the check (when calling `isSameUser()`).
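To make the failure mode and the suggested fix concrete, here is an added example (not OpenGrok's code; the `User`, `Session` and method names are assumptions made for illustration, not the plugin's real API) that models the session check with a username-only key beside a composite id/username key, driven by a `User` whose username is null:

```java
import java.util.HashMap;
import java.util.Map;

// Added example (not OpenGrok's code): a self-contained model of the session
// check this issue describes. User, Session and the method names below are
// assumptions made for illustration, not the plugin's real API.
public class SessionCheckExample {

    // Stand-in for the User object built from the SSO headers; either field
    // may be null when the IdP sends an unexpected attribute name.
    static final class User {
        final String id;
        final String username;
        User(String id, String username) { this.id = id; this.username = username; }
    }

    // Stand-in for the servlet session: a plain attribute map.
    static final class Session {
        final Map<String, Object> attrs = new HashMap<>();
    }

    static final String KEY_ATTR = "ldap-session-key";
    static final String ENTRY_ATTR = "ldap-entry";

    // Simulated LDAP backend; the counter makes the query behaviour observable.
    int ldapQueries = 0;

    String ldapLookup(User user) {
        ldapQueries++;
        return "entry-for-" + user.id;
    }

    // Fragile check (the behaviour reported above): the session is keyed on
    // username alone, so a null username can never match and every call
    // falls through to LDAP.
    boolean sessionExistsByUsername(Session s, User user) {
        Object stored = s.attrs.get(KEY_ATTR);
        return stored != null && stored.equals(user.username);
    }

    // Composite key over id and username. Each part is length-prefixed so a
    // null part stays distinct from "" and no separator collision is possible.
    static String compositeKey(User user) {
        return encodePart(user.id) + "/" + encodePart(user.username);
    }

    private static String encodePart(String v) {
        return v == null ? "-" : v.length() + ":" + v;
    }

    boolean sessionExistsComposite(Session s, User user) {
        Object stored = s.attrs.get(KEY_ATTR);
        return stored != null && stored.equals(compositeKey(user));
    }

    // Mirrors ensureSessionExists(): reuse the cached entry when the session
    // still belongs to the same user, otherwise query LDAP and store it.
    boolean ensureSessionExists(Session s, User user, boolean useComposite) {
        boolean same = useComposite ? sessionExistsComposite(s, user)
                                    : sessionExistsByUsername(s, user);
        if (same) {
            return true;
        }
        if (useComposite && user.id == null && user.username == null) {
            // Fail closed: with no identifier at all there is nothing safe to
            // cache under, so do not pretend a session exists.
            return false;
        }
        s.attrs.put(ENTRY_ATTR, ldapLookup(user));
        s.attrs.put(KEY_ATTR, useComposite ? compositeKey(user) : user.username);
        return true;
    }

    public static void main(String[] args) {
        // Constructed input: the IdP renamed the username attribute, so the
        // header decoder produced a User with an id but a null username.
        User user = new User("jdoe", null);

        SessionCheckExample byUsername = new SessionCheckExample();
        Session s1 = new Session();
        for (int i = 0; i < 5; i++) {
            byUsername.ensureSessionExists(s1, user, false);
        }
        System.out.println("username-only key, 5 requests: LDAP queries = "
                + byUsername.ldapQueries);

        SessionCheckExample composite = new SessionCheckExample();
        Session s2 = new Session();
        for (int i = 0; i < 5; i++) {
            composite.ensureSessionExists(s2, user, true);
        }
        System.out.println("composite key, 5 requests: LDAP queries = "
                + composite.ldapQueries);
    }
}
```

Running it with `javac SessionCheckExample.java && java SessionCheckExample` shows the username-only variant querying the simulated LDAP on every one of the five requests, while the composite-key variant queries once and reuses the session afterwards. One caveat worth keeping when adopting a composite key: if both `id` and `username` are null, the key would be identical for every unidentified user, so the example refuses to treat such a session as established rather than caching under it.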