[
https://issues.apache.org/jira/browse/KNOX-2790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar resolved KNOX-2790.
---------------------------------
Resolution: Fixed
> Split ConcurrentSessionVerifier.verifySessionForUser
> ----------------------------------------------------
>
> Key: KNOX-2790
> URL: https://issues.apache.org/jira/browse/KNOX-2790
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Balazs Marton
> Priority: Critical
> Fix For: 2.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Currently, the ConcurrentSessionVerifier.verifySessionForUser does 2 things:
> * verifies the user if he/she is allowed to have another session
> * registers the given token into the concurrentSessionCounter map
> These 2 functionalities should be split:
> * boolean verifySessionForUser(String userName);
> * void registerToken(String userName, JWT token);
> With this split, in WebSSOResource, the session verification can be done
> before the token is actually created and token registration can be done
> after. It's important because it might be a security leak to generate tokens
> in advance that will not be used at all but, in case of token management is
> enabled, may fill up the disk/memory with unused tokens.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
