[
https://issues.apache.org/jira/browse/KNOX-2790?focusedWorklogId=803872&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-803872
]
ASF GitHub Bot logged work on KNOX-2790:
----------------------------------------
Author: ASF GitHub Bot
Created on: 26/Aug/22 07:52
Start Date: 26/Aug/22 07:52
Worklog Time Spent: 10m
Work Description: smolnar82 merged PR #624:
URL: https://github.com/apache/knox/pull/624
Issue Time Tracking
-------------------
Worklog Id: (was: 803872)
Time Spent: 50m (was: 40m)
> Split ConcurrentSessionVerifier.verifySessionForUser
> ----------------------------------------------------
>
> Key: KNOX-2790
> URL: https://issues.apache.org/jira/browse/KNOX-2790
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Balazs Marton
> Priority: Critical
> Fix For: 2.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Currently, the ConcurrentSessionVerifier.verifySessionForUser does 2 things:
> * verifies the user if he/she is allowed to have another session
> * registers the given token into the concurrentSessionCounter map
> These 2 functionalities should be split:
> * boolean verifySessionForUser(String userName);
> * void registerToken(String userName, JWT token);
> With this split, in WebSSOResource, the session verification can be done
> before the token is actually created and token registration can be done
> after. It's important because it might be a security leak to generate tokens
> in advance that will not be used at all but, in case of token management is
> enabled, may fill up the disk/memory with unused tokens.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
