Re: [PR] KNOX-2961 - Knox SSO cookie Invalidation - Phase I [knox]

Mon, 02 Oct 2023 05:52:42 -0700 


smolnar82 commented on code in PR #797:
URL: https://github.com/apache/knox/pull/797#discussion_r1342647777


##########
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateService.java:
##########
@@ -224,6 +224,20 @@ protected void evictExpiredTokens() {
     } catch (SQLException e) {
       log.errorRemovingTokensFromDatabase(e.getMessage(), e);
     }
+
+    //removing disabled KnoxSSO cookies since they are no longer needed
+    try {
+      final Set<String> disabledKnoxSsoCookies = 
tokenDatabase.getDisabledKnoxSsoCookies();
+      if (!disabledKnoxSsoCookies.isEmpty()) {
+        
log.removingDisabledKnoxSsoCookiesFromDatabase(disabledKnoxSsoCookies.size(),
+            String.join(", ", disabledKnoxSsoCookies.stream().map(tokenId -> 
Tokens.getTokenIDDisplayText(tokenId)).collect(Collectors.toSet())));
+        for (String tokenId : disabledKnoxSsoCookies) {

Review Comment:
   Good argument. I also had the same idea but I wanted to have the PR out ASAP 
so that you guys can review it. Let me submit a new PS with the updated 
`DELETE` statement.



##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java:
##########
@@ -188,8 +194,25 @@ private void sendRedirectToLoginURL(HttpServletRequest 
request, HttpServletRespo
   }
 
   @Override
-  protected void handleValidationError(HttpServletRequest request, 
HttpServletResponse response,
-                                       int status, String error) throws 
IOException {
+  protected void handleValidationError(HttpServletRequest request, 
HttpServletResponse response, int status, String error) throws IOException {
+    if (error != null && error.startsWith("Token") && 
error.endsWith("disabled")) {
+      LOGGER.invalidSsoCookie();
+      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+      removeAuthenticationToken(request, response);
+      
SessionInvalidators.KNOX_SSO_INVALIDATOR.getSessionInvalidators().forEach(sessionInvalidator
 -> {
+        sessionInvalidator.onAuthenticationError(request, response);
+      });
+      final boolean doGlobalLogout = request.getAttribute("doGlobalLogout") == 
null ? false

Review Comment:
   Ack.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to