I’ve been doing some research on popular Java security frameworks (Spring Security and Apache Shiro) recently. I noticed that both frameworks support caching.
Apache Shiro even describes its caching module this way:
Caching is a first-tier citizen in Apache Shiro’s API to ensure that
security operations remain fast and efficient.
My questions are:
- Is it safe to cache security information in, for instance, Ehcache?
- Is it a popular approach?
- Should we think about efficiency when it comes to security?
- Why take the risk?
When a browser caches content that was transmitted over HTTPS, it is stored in an encrypted state. The key is stored in memory, and the cache and key are deleted when the browser is closed. The main threat is spyware, and spyware could probably still access the key used for encryption by reading the browser's memory. But it's better than nothing.
Things are a bit different on the server side. How is an attacker supposed to access the cache store? If the machine is compromised, then there is no place to store a key. I would make sure that the cache cannot be accessed unless the web server is compromised. I don't think that encryption helps at all in this scenario.
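The practical risk with caching security information is less about an attacker reading the cache store and more about the cache serving stale authorization decisions after a user's roles or permissions have been revoked. The following is an added example written for this page, not code from the question, the answer or the Shiro project: a hypothetical `CachedAuthzRealm` built on Apache Shiro 1.x (`shiro-core`) that caches authorization lookups in an in-process cache, deliberately leaves credential caching off, and invalidates a user's cached grants whenever the backing store changes. The user table, salt and password are constructed demo data; `MemoryConstrainedCacheManager` stands in for the `EhCacheManager` you would use with Ehcache.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

import java.util.*;
import java.util.concurrent.atomic.AtomicInteger;

/** Hypothetical realm backed by a constructed in-memory user table (stands in for a database). */
public class CachedAuthzRealm extends AuthorizingRealm {
    private static final int ITERATIONS = 100_000;

    /** Constructed sample data: username -> {salt, SHA-256 password hash as hex}. */
    private final Map<String, String[]> credentials = new HashMap<>();
    /** Constructed sample data: username -> roles. */
    private final Map<String, Set<String>> roles = new HashMap<>();
    /** Counts backend authorization lookups so the effect of the cache is observable. */
    public final AtomicInteger authzLookups = new AtomicInteger();

    public CachedAuthzRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);

        // Cache role/permission lookups, but keep password hashes out of the cache store.
        setAuthorizationCachingEnabled(true);
        setAuthenticationCachingEnabled(false);

        String salt = "c0ffee1234567890"; // constructed demo salt; generate a random one per user in real code
        String hash = new Sha256Hash("correct horse battery staple", ByteSource.Util.bytes(salt), ITERATIONS).toHex();
        credentials.put("alice", new String[]{salt, hash});
        roles.put("alice", new HashSet<>(Collections.singletonList("admin")));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = (String) token.getPrincipal();
        String[] rec = credentials.get(user);
        if (rec == null) {
            throw new UnknownAccountException("no account: " + user);
        }
        // Salted hash is handed to the matcher; the plaintext password is never stored or cached.
        return new SimpleAuthenticationInfo(user, rec[1], ByteSource.Util.bytes(rec[0]), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        authzLookups.incrementAndGet(); // runs only on an authorization-cache miss
        String user = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(roles.getOrDefault(user, Collections.emptySet()));
        return info;
    }

    /** Update the backing store AND drop the cached grants; without the second step the cache keeps serving the old roles. */
    public void setRoles(String user, Set<String> newRoles) {
        roles.put(user, newRoles);
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(user, getName()));
    }

    public static void main(String[] args) {
        CachedAuthzRealm realm = new CachedAuthzRealm();
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        // In-process cache: reachable only by code running inside this JVM.
        securityManager.setCacheManager(new MemoryConstrainedCacheManager());
        SecurityUtils.setSecurityManager(securityManager);

        Subject alice = SecurityUtils.getSubject();
        alice.login(new UsernamePasswordToken("alice", "correct horse battery staple"));

        System.out.println("admin? " + alice.hasRole("admin") + " lookups=" + realm.authzLookups);
        System.out.println("admin? " + alice.hasRole("admin") + " lookups=" + realm.authzLookups);

        realm.setRoles("alice", Collections.emptySet()); // revoke and invalidate in one step
        System.out.println("admin? " + alice.hasRole("admin") + " lookups=" + realm.authzLookups);

        alice.logout(); // Shiro clears this realm's cached entries for the subject on logout as well
    }
}
```

The first `hasRole` call reaches `doGetAuthorizationInfo` and the second is served from the cache, so the lookup counter does not move; only after `setRoles` revokes the role and clears the entry does the next check hit the backend again and deny. If `setRoles` only updated the map, the subject would keep its `admin` role until the cache entry expired or the user logged out, which is the caveat to weigh against the speed gain. Whatever cache you plug in, also give entries a finite time-to-live as a backstop for invalidations you forget.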