pzampino commented on code in PR #839:
URL: https://github.com/apache/knox/pull/839#discussion_r1474771285
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##########
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest
request, final HttpServ
return false;
}
- private boolean isTokenEnabled(String tokenId) throws UnknownTokenException {
- final TokenMetadata tokenMetadata = tokenStateService == null ? null :
tokenStateService.getTokenMetadata(tokenId);
+ private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws
UnknownTokenException {
return tokenMetadata == null ? true : tokenMetadata.isEnabled();
}
+ private boolean isNotIdle(TokenMetadata tokenMetadata) throws
UnknownTokenException {
Review Comment:
I think isNotIdleLimitExceeded(tokenMetadata) (or something similar) might
be a more accurate method name. If we're getting a request, the client is not
currently idle. Actually, I would prefer to avoid the negative perspective,
using hasIdleLimitExpired(tokenMetadata) and then
!hasIdleLimitExpired(tokenMetadata) in it use. This is all a rather small point
though, and perhaps not worth worrying about.
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##########
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest
request, final HttpServ
return false;
}
- private boolean isTokenEnabled(String tokenId) throws UnknownTokenException {
- final TokenMetadata tokenMetadata = tokenStateService == null ? null :
tokenStateService.getTokenMetadata(tokenId);
+ private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws
UnknownTokenException {
return tokenMetadata == null ? true : tokenMetadata.isEnabled();
}
+ private boolean isNotIdle(TokenMetadata tokenMetadata) throws
UnknownTokenException {
+ if (idleTimeoutSeconds > 0) {
+ final Instant lastUsedAt = tokenMetadata == null ? null :
tokenMetadata.getLastUsedAt();
+ final Instant idleTimeoutLimit = lastUsedAt == null ? null :
lastUsedAt.plusSeconds(idleTimeoutSeconds);
+ return idleTimeoutLimit == null ? true :
(tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now()));
+ }
+ return true; // no idle timeout is configured -> ignore idleness check
+ }
+
+ private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata)
throws UnknownTokenException {
+ if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) {
+ // to avoid updating every single metadata value, we create a new token
metadata
+ // instance only with the updated "LAST_USED_AT" information
+ final TokenMetadata updatedTokenMetadata = new TokenMetadata();
+ updatedTokenMetadata.useTokenNow();
+ tokenStateService.addMetadata(tokenId, updatedTokenMetadata);
Review Comment:
Does this mean there are multiple metadata entries for the same token in the
state store?
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java:
##########
@@ -104,4 +104,11 @@ public interface JWTMessages {
@Message( level = MessageLevel.WARN, text = "Invalid SSO cookie found!
Cleaning up..." )
void invalidSsoCookie();
+
+ @Message( level = MessageLevel.WARN, text = "User with SSO token {0}
exceeded the configured idle timeout of {1} seconds." )
Review Comment:
Is it possible to include the principal name here for easier correlation to
the user?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
