[ https://issues.apache.org/jira/browse/KNOX-3005?focusedWorklogId=903308&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-903308 ]
ASF GitHub Bot logged work on KNOX-3005: ---------------------------------------- Author: ASF GitHub Bot Created on: 02/Feb/24 11:50 Start Date: 02/Feb/24 11:50 Worklog Time Spent: 10m Work Description: zeroflag commented on code in PR #839: URL: https://github.com/apache/knox/pull/839#discussion_r1475961542 ########## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java: ########## @@ -197,7 +204,7 @@ private void sendRedirectToLoginURL(HttpServletRequest request, HttpServletRespo @Override protected void handleValidationError(HttpServletRequest request, HttpServletResponse response, int status, String error) throws IOException { - if (error != null && error.startsWith("Token") && error.endsWith("disabled")) { + if (error != null && error.startsWith("Token") && (error.endsWith("disabled") || error.endsWith("exceeded idle timeout"))) { Review Comment: Maybe we could set a special request attribute to indicate the idle timeout, or extracting the string to constant would make this check more robust. ########## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java: ########## 
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest request, final HttpServ return false; } - private boolean isTokenEnabled(String tokenId) throws UnknownTokenException { - final TokenMetadata tokenMetadata = tokenStateService == null ? null : tokenStateService.getTokenMetadata(tokenId); + private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws UnknownTokenException { return tokenMetadata == null ? true : tokenMetadata.isEnabled(); } + private boolean isNotIdle(TokenMetadata tokenMetadata) throws UnknownTokenException { + if (idleTimeoutSeconds > 0) { + final Instant lastUsedAt = tokenMetadata == null ? null : tokenMetadata.getLastUsedAt(); + final Instant idleTimeoutLimit = lastUsedAt == null ? null : lastUsedAt.plusSeconds(idleTimeoutSeconds); + return idleTimeoutLimit == null ? true : (tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now())); + } + return true; // no idle timeout is configured -> ignore idleness check + } + + private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata) throws UnknownTokenException { + if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) { + // to avoid updating every single metadata value, we create a new token metadata + // instance only with the updated "LAST_USED_AT" information + final TokenMetadata updatedTokenMetadata = new TokenMetadata(); + updatedTokenMetadata.useTokenNow(); + tokenStateService.addMetadata(tokenId, updatedTokenMetadata); Review Comment: I was going to ask the same, do we overwrite one specific metadata entry or do we add new one at every usage? 
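Review bot: On the SSOCookieFederationFilter hunk, whether an idle-expired session gets a redirect to the login page or an error status is decided by the literal wording of the validation message (`error.endsWith("exceeded idle timeout")`), so any rewording of the message produced in AbstractJWTFilter, or an unrelated message that happens to end the same way, silently changes the response; the hunk also widens the existing `endsWith("disabled")` branch without a test pinning either message. Suggest having AbstractJWTFilter hand over a typed reason next to the status (a request attribute or an enum), or at minimum one constant shared by the producer and this check, plus a unit test that calls handleValidationError with the idle-timeout message and asserts the redirect.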
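Review bot: In the AbstractJWTFilter hunk, isNotIdle rejects any token that has a LAST_USED_AT but is not a KnoxSSO cookie, because `tokenMetadata.isKnoxSsoCookie()` is ANDed with the time comparison only after `idleTimeoutLimit` has been computed, so such a token returns false regardless of the configured timeout. Suggest returning true early when `!tokenMetadata.isKnoxSsoCookie()` and computing the limit only for cookies. The opposite case is also open: a KnoxSSO cookie with a null lastUsedAt passes the idle check unconditionally, so a cookie whose last-used record was never written, or was lost, is never timed out; when an idle timeout is configured, falling back to the token's issue time would be the safer default. In markLastUsedAt, the new TokenMetadata carries only the last-used timestamp, so if tokenStateService.addMetadata replaces the stored record instead of merging into it, the enabled and KnoxSSO-cookie flags are dropped and the very next request fails the isKnoxSsoCookie() check above; the merge semantics should be stated in the comment and covered by a test. Minor: isTokenEnabled and isNotIdle no longer call anything that throws UnknownTokenException, so both `throws` clauses can go, and writing metadata on every request is one state-service write per request, which may deserve throttling (for example only when the stored timestamp is older than a fraction of the timeout).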
Issue Time Tracking
-------------------

Worklog Id: (was: 903308)
Time Spent: 1h 10m (was: 1h)

> Implement Knox idle session time
> --------------------------------
>
> Key: KNOX-3005
> URL: https://issues.apache.org/jira/browse/KNOX-3005
> Project: Apache Knox
> Issue Type: New Feature
> Components: KnoxSSO
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> With the recent work of KNOX-2961, the new SSO token invalidation
> functionality, Knox could provide idle session timeout behavior for UIs.
> It will likely not include the usual UI pop-up approach (like when the
> end-user is informed about being idle too long), but it would effectively
> terminate idle SSO sessions and force an explicit login.
> It's also worth mentioning the idleness measurement solely depends on backend
> activities through the KnoxSSO Cookie federation filter, and will not take
> any client-side action (such as scrolling on the page, client-side
> pagination, etc.) into account.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)