[
https://issues.apache.org/jira/browse/KNOX-3005?focusedWorklogId=903308&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-903308
]
ASF GitHub Bot logged work on KNOX-3005:
----------------------------------------
Author: ASF GitHub Bot
Created on: 02/Feb/24 11:50
Start Date: 02/Feb/24 11:50
Worklog Time Spent: 10m
Work Description: zeroflag commented on code in PR #839:
URL: https://github.com/apache/knox/pull/839#discussion_r1475961542
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java:
##########
@@ -197,7 +204,7 @@ private void sendRedirectToLoginURL(HttpServletRequest
request, HttpServletRespo
@Override
protected void handleValidationError(HttpServletRequest request,
HttpServletResponse response, int status, String error) throws IOException {
- if (error != null && error.startsWith("Token") &&
error.endsWith("disabled")) {
+ if (error != null && error.startsWith("Token") &&
(error.endsWith("disabled") || error.endsWith("exceeded idle timeout"))) {
Review Comment:
Maybe we could set a special request attribute to indicate the idle timeout,
or extracting the string to constant would make this check more robust.
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##########
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest
request, final HttpServ
return false;
}
- private boolean isTokenEnabled(String tokenId) throws UnknownTokenException {
- final TokenMetadata tokenMetadata = tokenStateService == null ? null :
tokenStateService.getTokenMetadata(tokenId);
+ private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws
UnknownTokenException {
return tokenMetadata == null ? true : tokenMetadata.isEnabled();
}
+ private boolean isNotIdle(TokenMetadata tokenMetadata) throws
UnknownTokenException {
+ if (idleTimeoutSeconds > 0) {
+ final Instant lastUsedAt = tokenMetadata == null ? null :
tokenMetadata.getLastUsedAt();
+ final Instant idleTimeoutLimit = lastUsedAt == null ? null :
lastUsedAt.plusSeconds(idleTimeoutSeconds);
+ return idleTimeoutLimit == null ? true :
(tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now()));
+ }
+ return true; // no idle timeout is configured -> ignore idleness check
+ }
+
+ private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata)
throws UnknownTokenException {
+ if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) {
+ // to avoid updating every single metadata value, we create a new token
metadata
+ // instance only with the updated "LAST_USED_AT" information
+ final TokenMetadata updatedTokenMetadata = new TokenMetadata();
+ updatedTokenMetadata.useTokenNow();
+ tokenStateService.addMetadata(tokenId, updatedTokenMetadata);
Review Comment:
I was going to ask the same, do we overwrite one specific metadata entry or
do we add new one at every usage?
Issue Time Tracking
-------------------
Worklog Id: (was: 903308)
Time Spent: 1h 10m (was: 1h)
> Implement Knox idle session time
> --------------------------------
>
> Key: KNOX-3005
> URL: https://issues.apache.org/jira/browse/KNOX-3005
> Project: Apache Knox
> Issue Type: New Feature
> Components: KnoxSSO
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> With the recent work of KNOX-2961, the new SSO token invalidation
> functionality, Knox could provide idle session timeout behavior for UIs.
> It will likely not include the usual UI pop-up approach (like when the
> end-user is informed about being idle too long), but it would effectively
> terminate idle SSO sessions and force an explicit login.
> It's also worth mentioning the idleness measurement solely depends on backend
> activities through the KnoxSSO Cookie federation filter. and will not take
> any client-side action (such as scrolling on the page, client-side
> pagination, etc..) into account.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
