Security cache doing a large clear every 4 hours


Hi, we are running into an issue with our Wiki security cache where we notice
a large dump of the cache every 4 hours. The reason this happens every 4
hours is because we have configured our infinispan expiry time to 4 hours;
however, we would expect a gradual expiration of the cache.

After investigating the DefaultSecurityCache logic, we discovered that the
dispose() method is being called whenever infinispan attempts to expire a
security cache entry. When disposing an entry, it will rightfully disconnect
the entry from its parent(s) and remove all children.

What happens is that the XWiki root page ("xwiki:XWiki") is one of the first
entries to be created. As such, it is one of the first entries to be
expired. When it is expired, it removes all children from the cache as well.
This results in all user pages ("xwiki:XWiki.user1", "xwiki:XWiki.user2",
...) as well as our permission groups (stored under
"xwiki:XWiki.POSIX.group1", "xwiki:XWiki.LDAP.group2", ...) being removed.
This also removes all children linking to documents ("xwiki:user1@@Document").

In order to fix this, we were planning on adding logic around the
DefaultSecurityCache.dispose() method to skip disposal of certain core pages
("xwiki:XWiki.POSIX" and "xwiki:XWiki.LDAP") as there is no real benefit of
removing them from the security cache, but need to further investigate
possible risks or side effects.

Some questions we had for the XWiki dev team were:

1. Where are XWiki groups stored? Are they not under the document
2. If they are stored under a shared parent, shouldn't they run into the
same issue as we are experiencing where clearing the "xwiki:XWiki" entry
also removes all user entries and groups?

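The cascade described in the post, as an added toy model (not part of the original post, and not XWiki or Infinispan code). It reuses the entry names from the post in a simplified hierarchy; the creation times, the 240-minute lifespan and the 30-minute expiry poll are constructed assumptions, and `cascade=False` is a hypothetical per-entry expiry included only for comparison.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    created: int                                  # minute the entry was cached
    parents: set = field(default_factory=set)
    children: set = field(default_factory=set)

class ModelCache:
    """Toy parent/child cache with a fixed lifespan (a model, not XWiki code)."""
    def __init__(self, lifespan, cascade=True):
        self.lifespan, self.cascade, self.entries = lifespan, cascade, {}

    def add(self, key, now, parents=()):
        self.entries[key] = Entry(now, set(parents))
        for p in parents:
            self.entries[p].children.add(key)

    def dispose(self, key):
        """Disconnect the entry from its parents, then remove its children."""
        entry = self.entries.pop(key, None)
        if entry is None:                         # already gone via a cascade
            return []
        for p in entry.parents:
            if p in self.entries:
                self.entries[p].children.discard(key)
        removed = [key]
        if self.cascade:
            for child in sorted(entry.children):
                removed += self.dispose(child)
        return removed

    def expire(self, now):
        due = [k for k, e in self.entries.items() if now - e.created >= self.lifespan]
        return [k for key in due for k in self.dispose(key)]

def simulate(cascade, lifespan=240):
    """Return {minute: keys removed} for constructed entries, polled every 30 min."""
    cache = ModelCache(lifespan, cascade)
    cache.add("xwiki:XWiki", 0)                   # root is cached first
    cache.add("xwiki:XWiki.LDAP.group2", 10, ["xwiki:XWiki"])
    for i, minute in enumerate((30, 90, 150, 210), start=1):
        cache.add(f"xwiki:XWiki.user{i}", minute, ["xwiki:XWiki"])
        cache.add(f"xwiki:user{i}@@Document", minute, [f"xwiki:XWiki.user{i}"])
    return {now: r for now in range(0, 481, 30) if (r := cache.expire(now))}

if __name__ == "__main__":
    print({m: {t: len(k) for t, k in simulate(m).items()} for m in (True, False)})
```

With the cascade, every entry leaves the cache at the minute the root entry reaches its lifespan, regardless of when the child entries were created.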