1. Field of the Invention
The present invention relates generally to a computer implemented method, data processing system, and computer program product for caching data. More specifically, the present invention relates to using a credential expiration time to sort an authentication credential among a group of authentication credentials for placement into a cache or non-volatile storage.
2. Description of the Related Art
Authentication is used to verify a user when communications pass through media that is uncontrolled by a user or a server. Authentication is a critical feature of organizations that must coordinate the operations of distant people, but require communication through potentially hostile territory and/or media. In recent times, authentication is used principally in banking, commerce, and personal matters, particularly over the Internet and other networks that do not natively support secure communications.
With the creation of websites that offer services to many people, it has become popular to delegate or otherwise subcontract the authentication function to central servers that can support many networked services, commonly called authentication servers. Accordingly, modern authentication servers may be required to authenticate or re-authenticate users in a scalable manner. One form of an authentication server is a server based on the Kerberos authentication protocol. An authentication server in the Kerberos authentication scheme is called a Kerberos server. The Kerberos authentication protocol is further described in Internet Engineering Task Force Request For Comments (RFC) 1510 and predecessor documents, which are hereby incorporated by reference. A user who wants to begin an authenticated session must first obtain an authentication credential from the authentication server. Accordingly, the user, through the operation of a client, issues a request for authentication to an authentication server. The Kerberos server issues an authentication credential to a user when the user, or the client used by the user, is verified as authentic.
An authentication credential is a record associated with a user name that includes a credential expiration time. The credential expiration time may be a time expressed as universal coordinated time. The credential expiration time may be a time offset from a universally accepted starting time, including, for example, an epoch, a religious event, a celestial event, or any other time treated as a start time by convention.
When the current time is past the time indicated by the credential expiration time, the authentication credential is expired. A user may renew the authentication credential by issuing a follow-up authentication request to the authentication server. The expiration of an authentication credential may be set based on policies of the authentication server. Thus, a first user may receive authentication credentials whose credential expiration time is set a certain duration after the initial request, while a second user may receive authentication credentials set to expire a shorter duration after the initial request than those of the first user.
To boost performance, conventional authentication servers may cache authentication records. In such an authentication server, the processor does not select authentication data for caching according to whether the credentials are active or expired. The data processing system simply caches the most recently accessed data, irrespective of whether the credential expiration time has passed. Authentication systems such as Kerberos authentication servers allow each user to be assigned a different credential expiration duration, in effect allowing credential expiration to be customized per user.
The authentication servers described above attempt to reduce cache misses by applying a least recently used (LRU) principle to the cache. Accordingly, fewer cache misses occur in such authentication servers, as compared to authentication servers that do not use the LRU principle. Nevertheless, as the workload of an authentication server increases, the number of authentication records that correspond to unexpired authentication credentials may be so large that the authentication records do not fit within the allocated cache.
When a cache miss occurs, the authentication server relies on the non-volatile storage of the authentication server. A cache miss is a performance reduction that occurs when data predicted to be in cache is actually stored in a block device. The block device typically retrieves data at rates that are orders of magnitude slower than accessing data in cache. Accordingly, such cache misses are to be avoided. Prior art authentication servers stored authentication credentials to non-volatile storage on the basis of the duration of the authentication credential, expressed as the time between the beginning of a validity period and the credential expiration time. In practice, this configuration may be sub-optimal.
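The expiration-aware placement that the text contrasts with a plain LRU cache, as an added example that is not code from the patent or from any Kerberos implementation. The Credential record, the ExpirationSortedCache class and the injectable clock are assumptions of this example; expired credentials are purged before every insertion and never served, and when the cache is full the unexpired credential that expires soonest is evicted instead of the least recently used one.

```python
import heapq
import time
from dataclasses import dataclass

@dataclass
class Credential:
    user: str
    expiration: float  # credential expiration time, seconds since the Unix epoch
    ticket: bytes      # opaque credential bytes (constructed placeholder, not a real ticket)

class ExpirationSortedCache:
    """Bounded credential cache ordered by credential expiration time: expired entries are
    purged before insertion and never served; when full, the soonest-to-expire entry is evicted."""

    def __init__(self, capacity, clock=time.time):
        self.capacity = capacity
        self._clock = clock   # injectable clock so the expiry behaviour can be exercised offline
        self._by_user = {}    # user -> Credential
        self._heap = []       # (expiration, user); renewals leave stale entries that _pop skips

    def _pop(self):
        # Pop the soonest-expiring heap entry; return it only if it still matches the stored credential.
        exp, user = heapq.heappop(self._heap)
        cur = self._by_user.get(user)
        return cur if cur is not None and cur.expiration == exp else None

    def purge_expired(self):
        now, removed = self._clock(), 0
        while self._heap and self._heap[0][0] <= now:
            cred = self._pop()
            if cred is not None:
                del self._by_user[cred.user]
                removed += 1
        return removed

    def put(self, cred):
        self.purge_expired()
        self._by_user[cred.user] = cred
        heapq.heappush(self._heap, (cred.expiration, cred.user))
        while len(self._by_user) > self.capacity:
            victim = self._pop()  # unexpired entry that expires soonest, not the LRU one
            if victim is not None:
                del self._by_user[victim.user]

    def get(self, user):
        cred = self._by_user.get(user)
        if cred is None or cred.expiration <= self._clock():
            self._by_user.pop(user, None)  # miss, or expired: never serve a stale credential
            return None
        return cred
```

A `get` that returns None is the cache miss the text describes, at which point the server would fall back to its non-volatile storage.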
“Storing” is a generic term that describes placing data into a device that may maintain the data persistently, even absent power, as well as placing data into a device that is volatile, and thus requires power to store charge and other physical indicia of the data. “Caching” refers more specifically to moving and/or copying data to volatile storage, that is, storage that does not maintain the data absent periodic application of power. Volatile storage may include, for example, dynamic RAM and static RAM, among other forms of volatile storage. Static RAM is considered volatile storage in spite of studies that show that data may remain persistently stored as long as 13,100 milliseconds after the removal of power from the device. The residual period during which data remains reliably stored in volatile storage, for example memory, is called remanence.