[jira] [Commented] (SLING-8869) SimpleHttpDistributionTransport does not refresh the secret for token based implementations.

Mon, 02 Dec 2019 22:27:21 -0800 


    [ 
https://issues.apache.org/jira/browse/SLING-8869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16986649#comment-16986649
 ] 

Ashish Chopra commented on SLING-8869:
--------------------------------------

[~mohiaror], IIUC the patch, once the secret is associated with an {{Executor}} 
created via a call to {{buildAuthExecutor}}, it is being inserted in a map 
named {{contextKeyExecutor}}. Upon the next invocation of {{getExecutor}}, that 
map is queried first _irrespective_ of whether {{DistributionTransportSecret}} 
was refreshed or not; if found in the Map, the executor is being reused with 
(possibly stale) secret.
It is not immediately obvious to me how the executor with stale secret is being 
evicted in [^SLING-8869.patch]. I'm likely missing something obvious here - can 
you please explain?

> SimpleHttpDistributionTransport does not refresh the secret for token based 
> implementations.
> --------------------------------------------------------------------------------------------
>
>                 Key: SLING-8869
>                 URL: https://issues.apache.org/jira/browse/SLING-8869
>             Project: Sling
>          Issue Type: Bug
>          Components: Content Distribution
>            Reporter: Mohit Arora
>            Priority: Major
>             Fix For: Content Distribution Core 0.4.2
>
>         Attachments: SLING-8869.patch
>
>
> While saving the \{{contextKeyExecutor}} in \{{DistributionTransportContext}} 
> map, it is not expected that the secret associated with the executor could be 
> expired. This can happen in case of access token based implementations where 
> the token is expired after a certain period of time and has to be refreshed.
> The code to refresh the token is written in the secret provider but since the 
> executor is [cached in the 
> map|[https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/transport/impl/SimpleHttpDistributionTransport.java#L208]]
>  the secrets are not refreshed. It works fine for credentials based secret 
> provider but not for access token based.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to