Reputation: 12094
I've been doing some research on popular Java security frameworks (Spring Security and Apache Shiro) recently. I noticed that both frameworks support caching. Apache Shiro even described its module:
Caching is a first-tier citizen in Apache Shiro's API to ensure that security operations remain fast and efficient.
My questions are:
Upvotes: 2
Views: 1695
Reputation: 67029
When a browser caches content that was transmitted over https it is stored in an encrypted state. The key is stored in memory and the cache and key are deleted when the browser is closed. The main threat is spyware, and spyware could probably still access the key used for encryption by reading the browser's memory. But it's better than nothing.
Things are a bit different on the server side. How is an attacker supposed to access the cache store? If the machine is compromised then there is no place to store a key. I would make sure that the cache cannot be accessed unless the web server is compromised. I don't think that encryption helps at all in this scenario.
Upvotes: 1
Reputation: 14649
If you cache all in memory I think it is secure. The problem is when ehcache stores data to disk and somebody has access to the machine too.
In production no one has access to the server. (Only administrators/deployers etc. But they have access directly to the database, application server, logs and other things (they can debug the application :)). But all those people are trusted.)
If you cache on server side - do that.
Upvotes: 1
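As an added illustration of the disk-spill point in the answer above (an example configuration, not taken from the question, the answers or the Shiro project; cache names and the disk path are assumed), an Ehcache 2.x `ehcache.xml` showing a disk-backed cache definition beside a heap-only one:

```xml
<!-- ehcache.xml (Ehcache 2.x syntax; cache names and path are assumptions for this example) -->
<ehcache>
    <!-- Where spilled entries would be written if any cache were allowed to overflow. -->
    <diskStore path="java.io.tmpdir/example-shiro-cache"/>

    <!-- Risky: entries beyond the heap limit are written to disk and kept across restarts,
         so cached authorization data is readable by anyone who can read that path. -->
    <cache name="example-authorizationCache-disk-backed"
           maxElementsInMemory="1000"
           overflowToDisk="true"
           diskPersistent="true"
           eternal="true"/>

    <!-- Safer: heap-only and bounded, with a short time-to-live so that revoked
         permissions are not served from the cache for long. -->
    <cache name="example-authorizationCache"
           maxElementsInMemory="1000"
           overflowToDisk="false"
           diskPersistent="false"
           eternal="false"
           timeToLiveSeconds="600"
           timeToIdleSeconds="300"/>
</ehcache>
```

Shiro picks this file up through an `org.apache.shiro.cache.ehcache.EhCacheManager` whose `cacheManagerConfigFile` points at it, assigned to `securityManager.cacheManager` in `shiro.ini`; keeping every security cache heap-only and bounded is the practical form of the "cache all in memory" advice given above.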