A simple EhCache3 based EventLogger

If you are using EhCache3 and need to know when a cache entry is created, updated, etc., you can implement a simple EventLogger like this:

package de.engelh;

import org.ehcache.event.CacheEvent;
import org.ehcache.event.CacheEventListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Ehcache 3 listeners are typed over key and value; Object/Object accepts any cache
public class EventLogger implements CacheEventListener<Object, Object> {

    private static final Logger LOG = LoggerFactory.getLogger(EventLogger.class);

    @Override
    public void onEvent(CacheEvent<? extends Object, ? extends Object> event) {
        // Only the event type and the key are logged; cached values stay out of the log
        if (LOG.isDebugEnabled()) {
            LOG.debug("CacheEvent {} with key {}", event.getType(), event.getKey());
        }
    }
}

Now register the EventLogger in ehcache.xml; here it is attached to a cache template, so every cache that uses the template gets the listener:

<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.ehcache.org/v3"
    xsi:schemaLocation="http://www.ehcache.org/v3 http://www.ehcache.org/schema/ehcache-core-3.0.xsd">

    <cache-template name="default">
        <listeners>
            <listener>
                <class>de.engelh.EventLogger</class>
                <event-firing-mode>ASYNCHRONOUS</event-firing-mode>
                <event-ordering-mode>UNORDERED</event-ordering-mode>
                <events-to-fire-on>CREATED</events-to-fire-on>
                <events-to-fire-on>UPDATED</events-to-fire-on>
                <events-to-fire-on>EXPIRED</events-to-fire-on>
                <events-to-fire-on>REMOVED</events-to-fire-on>
                <events-to-fire-on>EVICTED</events-to-fire-on>
            </listener>
        </listeners>
    </cache-template>
    
    <cache alias="someCache" uses-template="default">
	...
    </cache>

</config>
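As an added example (not part of the original post), the same listener registered programmatically instead of through ehcache.xml, with a small driver that triggers every configured event type except EXPIRED. It assumes the Ehcache 3.0-era builder API (CacheConfigurationBuilder.add; later 3.x versions also offer withService) and the EventLogger class above in package de.engelh; the cache alias and the keys and values are constructed for the demo.

```java
package de.engelh; // package taken from the listener class name in the ehcache.xml above

import org.ehcache.Cache;
import org.ehcache.CacheManager;
import org.ehcache.config.builders.CacheConfigurationBuilder;
import org.ehcache.config.builders.CacheEventListenerConfigurationBuilder;
import org.ehcache.config.builders.CacheManagerBuilder;
import org.ehcache.config.builders.ResourcePoolsBuilder;
import org.ehcache.event.EventType;

public final class EventLoggerDemo {

    /** Builds a cache manager whose "someCache" fires all five event types at the EventLogger. */
    public static CacheManager buildManager() {
        CacheEventListenerConfigurationBuilder listenerConfig = CacheEventListenerConfigurationBuilder
            .newEventListenerConfiguration(new EventLogger(),
                EventType.CREATED, EventType.UPDATED, EventType.EXPIRED,
                EventType.REMOVED, EventType.EVICTED)
            // ordered + synchronous so the log lines line up with the calls in main();
            // the XML above uses ASYNCHRONOUS/UNORDERED instead (see note below)
            .ordered().synchronous();

        return CacheManagerBuilder.newCacheManagerBuilder()
            .withCache("someCache",
                CacheConfigurationBuilder
                    // a two-entry heap so the third live entry forces an EVICTED event
                    .newCacheConfigurationBuilder(String.class, String.class, ResourcePoolsBuilder.heap(2))
                    .add(listenerConfig))
            .build(true); // true = initialise the manager immediately
    }

    public static void main(String[] args) {
        CacheManager manager = buildManager();
        try {
            Cache<String, String> cache = manager.getCache("someCache", String.class, String.class);
            cache.put("k1", "v1");   // CacheEvent CREATED with key k1
            cache.put("k1", "v1b");  // CacheEvent UPDATED with key k1
            cache.remove("k1");      // CacheEvent REMOVED with key k1
            cache.put("k2", "v2");   // CREATED k2
            cache.put("k3", "v3");   // CREATED k3
            cache.put("k4", "v4");   // CREATED k4, then EVICTED for one of k2/k3 (heap limit is 2)
        } finally {
            manager.close();
        }
    }
}
```

Run with DEBUG enabled for de.engelh (for example `logging.level.de.engelh=DEBUG` in a Spring Boot application, or the equivalent in your SLF4J binding's configuration), otherwise the isDebugEnabled guard drops every line. The XML configuration's ASYNCHRONOUS/UNORDERED choice keeps the listener off the caller's thread, so a slow or failing logger cannot delay or break the cache operation itself; the trade-off is that events may be observed in a different order than the operations happened, which matters if the log is meant to serve as an audit trail. Either way the listener writes cache keys to the log, so do not use secrets (session identifiers, tokens) as cache keys on a cache that carries it.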

Security Flaw: Don’t use @Cacheable on Methods handling Access-Control

Introduction

I recently stumbled over the following code in our codebase:

// Security flaw!
// Cache key is derived from the method parameters only, i.e. from contractId;
// the calling user is not part of it.
@Cacheable("permissionsOnContracts")
public boolean isAllowedToRead(ContractId contractId) {
    return expensiveOperationOrRemoteCall(contractId);
}

The intent of the @Cacheable annotation was obviously to reduce calls of #expensiveOperationOrRemoteCall, which makes sense in a way, especially when #isAllowedToRead is called often. Note that #expensiveOperationOrRemoteCall determines the calling user internally by itself (e.g. via the SecurityContext, an OAuth2 token, …).

It also introduces a severe security problem.
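As an added example (not code from the original post), the quoted method beside two hardened variants, with a constructed in-memory permission table standing in for the remote call. It assumes Spring Framework's @Cacheable, Spring Security's SecurityContextHolder and Java 9+; the class, cache names and the ContractId type are assumptions, and the hardening shown is one approach, not necessarily the one the full article recommends.

```java
package de.engelh; // hypothetical placement; package name taken from the page's ehcache.xml

import java.util.Map;
import java.util.Objects;
import java.util.Set;

import org.springframework.cache.annotation.Cacheable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
public class ContractPermissionService {

    /** Constructed stand-in for the remote permission source: user name -> contracts that user may read. */
    private static final Map<String, Set<String>> ACL = Map.of(
        "alice", Set.of("C-100", "C-200"),
        "bob",   Set.of("C-200"));

    // VULNERABLE, as quoted on the page. Spring's default key generator builds the key from the
    // method parameters only, so the key is just contractId. The first caller's answer is served
    // to everyone who asks later: alice asks about C-100 and "true" is cached; bob then asks
    // about C-100 and receives "true" although the ACL denies him.
    @Cacheable("permissionsOnContracts")
    public boolean isAllowedToRead(ContractId contractId) {
        return expensiveOperationOrRemoteCall(currentUserName(), contractId);
    }

    // HARDENED, option 1: make the subject an explicit parameter. The default key now covers
    // (userName, contractId), so cached decisions cannot cross user boundaries.
    @Cacheable("permissionsOnContractsPerUser")
    public boolean isAllowedToRead(String userName, ContractId contractId) {
        return expensiveOperationOrRemoteCall(userName, contractId);
    }

    // HARDENED, option 2: keep the single-parameter signature and spell the key out in SpEL,
    // prefixing the contract with the authenticated principal (#root.target is this bean).
    @Cacheable(value = "permissionsOnContractsPerUser",
               key = "#root.target.currentUserName() + ':' + #contractId")
    public boolean isAllowedToReadAsCurrentUser(ContractId contractId) {
        return expensiveOperationOrRemoteCall(currentUserName(), contractId);
    }

    /** Resolves the caller from the SecurityContext; an unauthenticated call fails instead of being cached as "anonymous". */
    public String currentUserName() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new IllegalStateException("no authenticated caller");
        }
        return auth.getName();
    }

    /** Stand-in for the page's expensiveOperationOrRemoteCall: a lookup in the constructed ACL. */
    static boolean expensiveOperationOrRemoteCall(String userName, ContractId contractId) {
        return ACL.getOrDefault(userName, Set.of()).contains(contractId.value);
    }

    /** Assumed value type; equals/hashCode matter because the cache key is built from it. */
    public static final class ContractId {
        private final String value;
        public ContractId(String value) { this.value = Objects.requireNonNull(value); }
        @Override public boolean equals(Object o) { return o instanceof ContractId && ((ContractId) o).value.equals(value); }
        @Override public int hashCode() { return value.hashCode(); }
        @Override public String toString() { return value; }
    }
}
```

The annotations only take effect behind a Spring proxy, so a configuration class with @EnableCaching and a CacheManager bean (for instance the JCache one backed by Ehcache 3) is required, and a call from one method of this bean to another bypasses the cache entirely. Even with the subject in the key, a cached "true" outlives a permission revocation until the entry expires or is evicted, so the caches named here need an expiry that matches how quickly revoked access must take effect; a listener like the EventLogger above is a convenient way to confirm that entries really do expire.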
