Sandor Molnar created KNOX-2790:
-----------------------------------
Summary: Split ConcurrentSessionVerifier.verifySessionForUser
Key: KNOX-2790
URL: https://issues.apache.org/jira/browse/KNOX-2790
Project: Apache Knox
Issue Type: Sub-task
Components: Server
Affects Versions: 2.0.0
Reporter: Sandor Molnar
Assignee: Balazs Marton
Fix For: 2.0.0
Currently, the ConcurrentSessionVerifier.verifySessionForUser does 2 things:
* verifies whether the user is allowed to have another session
* registers the given token into the concurrentSessionCounter map
These 2 functionalities should be split:
* boolean verifySessionForUser(String userName);
* void registerToken(String userName, JWT token);
With this split, in WebSSOResource, the session verification can be done before
the token is actually created and the token registration can be done after. This is
important because it might be a security leak to generate tokens in advance
that will not be used at all but, in case token management is enabled, may
fill up the disk/memory with unused tokens.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
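The ordering argument in the issue above, as an added illustration that is not Knox code and not the fix attached to this ticket: a hypothetical SessionVerifier models both the pre-split method (check and register in one call, which forces the caller to mint the token first) and the proposed split (verifySessionForUser, then registerToken), and a hypothetical TokenIssuer stands in for the WebSSOResource token path. The Jwt class, the session limit, the user name and the attempt count are all assumptions made for the demo.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/** Hypothetical stand-in for Knox's JWT type; only the id matters here. */
final class Jwt {
    final String id;
    Jwt(String id) { this.id = id; }
}

/** Hypothetical sketch of a ConcurrentSessionVerifier with the proposed split. */
final class SessionVerifier {
    private final int limit;
    private final Map<String, Set<String>> concurrentSessionCounter = new ConcurrentHashMap<>();

    SessionVerifier(int limit) { this.limit = limit; }

    /** Model of the pre-split method: check and register in one call, so a token is needed up front. */
    boolean verifyAndRegister(String userName, Jwt token) {
        if (!verifySessionForUser(userName)) {
            return false;
        }
        registerToken(userName, token);
        return true;
    }

    /** Pure check: does not touch the map, so it can run before any token exists. */
    boolean verifySessionForUser(String userName) {
        return sessionCount(userName) < limit;
    }

    /** Registration only: called once a token has actually been issued. */
    void registerToken(String userName, Jwt token) {
        concurrentSessionCounter
            .computeIfAbsent(userName, u -> ConcurrentHashMap.newKeySet())
            .add(token.id);
    }

    int sessionCount(String userName) {
        Set<String> s = concurrentSessionCounter.get(userName);
        return s == null ? 0 : s.size();
    }
}

/** Hypothetical stand-in for the token-issuing path of WebSSOResource. */
final class TokenIssuer {
    private final SessionVerifier verifier;
    private final AtomicInteger minted = new AtomicInteger(); // every token created, used or not

    TokenIssuer(SessionVerifier verifier) { this.verifier = verifier; }

    /** Pre-split flow: the token must be minted before the combined check+register call. */
    Jwt issueMintThenVerify(String userName) {
        Jwt token = mint(userName); // created (and, in token-management mode, stored) even if denied
        return verifier.verifyAndRegister(userName, token) ? token : null;
    }

    /** Split flow: check first, mint only if allowed, register afterwards. */
    Jwt issueVerifyThenMint(String userName) {
        if (!verifier.verifySessionForUser(userName)) {
            return null; // denied without creating anything
        }
        Jwt token = mint(userName);
        verifier.registerToken(userName, token);
        return token;
    }

    int tokensMinted() { return minted.get(); }

    private Jwt mint(String userName) {
        // In token-management mode this is the step that would persist a token to disk/memory.
        return new Jwt(userName + "-" + minted.incrementAndGet());
    }
}

public class SplitVerifierDemo {
    public static void main(String[] args) {
        int limit = 2;     // assumed per-user session limit
        int attempts = 5;  // assumed number of login attempts by the same user

        TokenIssuer preSplit = new TokenIssuer(new SessionVerifier(limit));
        TokenIssuer split = new TokenIssuer(new SessionVerifier(limit));
        for (int i = 0; i < attempts; i++) {
            preSplit.issueMintThenVerify("alice");
            split.issueVerifyThenMint("alice");
        }
        // Both flows grant exactly `limit` sessions; only the split flow stops minting
        // once the limit is reached, which is the disk/memory point made in the issue.
        System.out.println("mint-then-verify: minted " + preSplit.tokensMinted()
            + " tokens for " + limit + " allowed sessions");
        System.out.println("verify-then-mint: minted " + split.tokensMinted()
            + " tokens for " + limit + " allowed sessions");
    }
}
```

Run with `javac SplitVerifierDemo.java && java SplitVerifierDemo`: the mint-then-verify flow creates a token on every attempt, the verify-then-mint flow creates one per granted session and none for the denied attempts. One design note on the split itself: because the check and the registration become two separate calls, two requests for the same user that interleave between them can both pass the check, so a caller that must never exceed the limit needs to serialise check, mint and register per user (or make the registration itself the point that enforces the limit); the demo above is single-threaded and does not address that.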