Author: angela
Date: Mon Jun 15 11:06:54 2015
New Revision: 1685541
URL: http://svn.apache.org/r1685541
Log:
OAK-2992 : TokenProvider: Make reset of token expiration configurable
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenNoRefreshTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/package-info.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/AbstractTokenTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImplTest.java
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java?rev=1685541&r1=1685540&r2=1685541&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java
Mon Jun 15 11:06:54 2015
@@ -53,6 +53,10 @@ import org.apache.jackrabbit.oak.spi.sec
@Property(name = TokenProvider.PARAM_TOKEN_LENGTH,
label = "Token Length",
description = "Length of the generated token."),
+ @Property(name = TokenProvider.PARAM_TOKEN_REFRESH,
+ label = "Token Refresh",
+ description = "Enable/disable refresh of login tokens (i.e.
resetting the expiration time).",
+ boolValue = true),
@Property(name = UserConstants.PARAM_PASSWORD_HASH_ALGORITHM,
label = "Hash Algorithm",
description = "Name of the algorithm to hash the token.",
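Review bot: The `description` of the new `PARAM_TOKEN_REFRESH` property does not tell an operator what the switch means for token lifetime. Judging from `resetExpiration` in TokenProviderImpl.java, with refresh enabled a token that keeps being used has its expiry pushed forward again and again, so it has no fixed maximum lifetime; with refresh disabled it presumably expires a fixed interval after creation. I would extend the text, e.g. `description = "Enable/disable refresh of login tokens (i.e. resetting the expiration time). If disabled, a token expires after the configured expiration time regardless of use."`. The enclosing annotation starts and ends outside the hunk.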
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java?rev=1685541&r1=1685540&r2=1685541&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
Mon Jun 15 11:06:54 2015
@@ -151,6 +151,7 @@ class TokenProviderImpl implements Token
* @return A new {@code TokenInfo} or {@code null} if the token could not
* be created.
*/
+ @CheckForNull
@Override
public TokenInfo createToken(@Nonnull Credentials credentials) {
SimpleCredentials sc = extractSimpleCredentials(credentials);
@@ -305,7 +306,7 @@ class TokenProviderImpl implements Token
return false;
} else {
return TOKENS_NODE_NAME.equals(tokenTree.getParent().getName()) &&
-
TOKEN_NT_NAME.equals(TreeUtil.getPrimaryTypeName(tokenTree));
+
TOKEN_NT_NAME.equals(TreeUtil.getPrimaryTypeName(tokenTree));
}
}
@@ -490,24 +491,27 @@ class TokenProviderImpl implements Token
@Override
public boolean resetExpiration(long loginTime) {
- Tree tokenTree = getTokenTree(this);
- if (tokenTree != null && tokenTree.exists()) {
- NodeUtil tokenNode = new NodeUtil(tokenTree);
- if (isExpired(loginTime)) {
- log.debug("Attempt to reset an expired token.");
- return false;
- }
+ // for backwards compatibility use true as default value for the
'tokenRefresh' configuration
+ if (options.getConfigValue(PARAM_TOKEN_REFRESH, true)) {
+ Tree tokenTree = getTokenTree(this);
+ if (tokenTree != null && tokenTree.exists()) {
+ NodeUtil tokenNode = new NodeUtil(tokenTree);
+ if (isExpired(loginTime)) {
+ log.debug("Attempt to reset an expired token.");
+ return false;
+ }
- if (expirationTime - loginTime <= tokenExpiration / 2) {
- try {
- long expTime = createExpirationTime(loginTime,
tokenExpiration);
- tokenNode.setDate(TOKEN_ATTRIBUTE_EXPIRY, expTime);
- root.commit(CommitMarker.asCommitAttributes());
- log.debug("Successfully reset token expiration time.");
- return true;
- } catch (CommitFailedException e) {
- log.debug("Failed to reset token expiration",
e.getMessage());
- root.refresh();
+ if (expirationTime - loginTime <= tokenExpiration / 2) {
+ try {
+ long expTime = createExpirationTime(loginTime,
tokenExpiration);
+ tokenNode.setDate(TOKEN_ATTRIBUTE_EXPIRY, expTime);
+ root.commit(CommitMarker.asCommitAttributes());
+ log.debug("Successfully reset token expiration
time.");
+ return true;
+ } catch (CommitFailedException e) {
+ log.debug("Failed to reset token expiration",
e.getMessage());
+ root.refresh();
+ }
}
}
}
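Review bot: In the `catch (CommitFailedException e)` branch, `log.debug("Failed to reset token expiration", e.getMessage());` has no `{}` placeholder, so (assuming `log` is an SLF4J logger) the message argument is dropped and a failed refresh leaves no cause in the log. Passing the exception itself, `log.debug("Failed to reset token expiration", e);`, keeps the cause and stack trace. The new early exit when `tokenRefresh` is `false` is also silent, so in the log it cannot be told apart from the other `false` paths. An `else` branch with `log.debug("Token refresh disabled by configuration; expiration not reset.");` would help when diagnosing unexpected session expiry. The tail of `resetExpiration` lies outside the hunk.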
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.java?rev=1685541&r1=1685540&r2=1685541&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.java
Mon Jun 15 11:06:54 2015
@@ -41,6 +41,13 @@ public interface TokenProvider {
String PARAM_TOKEN_LENGTH = "tokenLength";
/**
+ * Optional configuration parameter to define if a given token should be
+ * refreshed or not. Implementations that do not support this option will
+ * ignore any config options with that name.
+ */
+ String PARAM_TOKEN_REFRESH = "tokenRefresh";
+
+ /**
* Returns {@code true} if the given credentials indicate that a new token
* needs to be issued.
*
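Review bot: The Javadoc for `PARAM_TOKEN_REFRESH` gives neither the value type nor the default, and does not say that "refreshed" means resetting the token's expiration time. The other files in this commit treat it as a boolean that defaults to `true`, so I would state that here, e.g. by adding `The value is a boolean; the default implementation treats a missing value as {@code true} and resets the expiration time of a token upon successful login.` The interface body continues outside the hunk.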
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/package-info.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/package-info.java?rev=1685541&r1=1685540&r2=1685541&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/package-info.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/package-info.java
Mon Jun 15 11:06:54 2015
@@ -14,7 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-@Version("1.0")
+@Version("1.1.0")
@Export(optional = "provide:=true")
package org.apache.jackrabbit.oak.spi.security.authentication.token;
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/AbstractTokenTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/AbstractTokenTest.java?rev=1685541&r1=1685540&r2=1685541&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/AbstractTokenTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/AbstractTokenTest.java
Mon Jun 15 11:06:54 2015
@@ -42,7 +42,7 @@ public abstract class AbstractTokenTest
root = adminSession.getLatestRoot();
tokenProvider = new TokenProviderImpl(root,
- ConfigurationParameters.EMPTY,
+ getTokenConfig(),
getUserConfiguration());
}
@@ -55,6 +55,10 @@ public abstract class AbstractTokenTest
}
}
+ ConfigurationParameters getTokenConfig() {
+ return ConfigurationParameters.EMPTY;
+ }
+
@CheckForNull
Tree getTokenTree(@Nonnull TokenInfo info) {
String token = info.getToken();
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImplTest.java?rev=1685541&r1=1685540&r2=1685541&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImplTest.java
Mon Jun 15 11:06:54 2015
@@ -23,6 +23,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.junit.Test;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
public class TokenConfigurationImplTest extends AbstractSecurityTest {
@@ -38,7 +39,9 @@ public class TokenConfigurationImplTest
@Override
protected ConfigurationParameters getSecurityConfigParameters() {
- ConfigurationParameters config =
ConfigurationParameters.of(TokenProviderImpl.PARAM_TOKEN_EXPIRATION, 60);
+ ConfigurationParameters config = ConfigurationParameters.of(
+ TokenProvider.PARAM_TOKEN_EXPIRATION, 60,
+ TokenProvider.PARAM_TOKEN_REFRESH, true);
return ConfigurationParameters.of(TokenConfiguration.NAME, config);
}
@@ -53,4 +56,10 @@ public class TokenConfigurationImplTest
int exp =
getConfig(TokenConfiguration.class).getParameters().getConfigValue(TokenProvider.PARAM_TOKEN_EXPIRATION,
DEFAULT_EXPIRATION);
assertEquals(60, exp);
}
+
+ @Test
+ public void testRefresh() {
+ boolean refresh =
getConfig(TokenConfiguration.class).getParameters().getConfigValue(TokenProvider.PARAM_TOKEN_REFRESH,
false);
+ assertTrue(refresh);
+ }
}
\ No newline at end of file
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenNoRefreshTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenNoRefreshTest.java?rev=1685541&view=auto
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenNoRefreshTest.java
(added)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenNoRefreshTest.java
Mon Jun 15 11:06:54 2015
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authentication.token;
+
+import java.util.Collections;
+import java.util.Date;
+
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
+import
org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+
+public class TokenNoRefreshTest extends AbstractTokenTest {
+
+ private String userId;
+
+ @Override
+ public void before() throws Exception {
+ super.before();
+ userId = getTestUser().getID();
+ }
+
+ @Override
+ ConfigurationParameters getTokenConfig() {
+ return ConfigurationParameters.of(TokenProvider.PARAM_TOKEN_REFRESH,
false);
+ }
+
+ @Test
+ public void testNotReset() {
+ TokenInfo info = tokenProvider.createToken(userId,
Collections.<String, Object>emptyMap());
+
+ assertNotNull(info);
+ assertFalse(info.resetExpiration(new Date().getTime()));
+
+ long loginTime = new Date().getTime() + 3600000;
+ assertFalse(info.resetExpiration(loginTime));
+ }
+}
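Review bot: `testNotReset` depends on an unexplained magic number: `3600000` exercises the refresh path only because it is half of the default token expiration (`2 * 3600 * 1000` according to tokenmanagement.md), which is the point from which `resetExpiration` would otherwise reset the expiry. A comment such as `// half of the default expiration: a refresh would be triggered here if tokenRefresh were enabled` makes that dependency visible. The first assertion, with the current time, would most likely pass with refresh enabled as well, so only the second call distinguishes the two configurations. The test also checks only the return value; additionally asserting that the expiry stored on `getTokenTree(info)` is unchanged after both calls would pin the behaviour the option is meant to guarantee.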
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1685541&r1=1685540&r2=1685541&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
Mon Jun 15 11:06:54 2015
@@ -102,6 +102,14 @@ will be removed if the authentication fa
The default `TokenProvider` implementation will automatically reset the
expiration
time of a given token upon successful authentication.
+This behavior can be disabled by setting the `tokenRefresh` configuration
parameter
+to `false` (see `PARAM_TOKEN_REFRESH` below). In this case expiration time will
+not be reset and an attempt to do so using the API (e.g. calling `
+TokenInfo.resetExpiration(long loginTime)`) will return `false` indicating
+that the expiration time has not been reset. The token will consequently expire
+and the user will need to login again using the configured default login
+mechanism (e.g. using `SimpleCredentials`).
+
#### Token Representation in the Repository
##### Content Structure
@@ -211,6 +219,7 @@ plugged at runtime.
|-------------------------------------|---------|--------------------------|
| PARAM_TOKEN_EXPIRATION | long | 2 * 3600 * 1000 (2 hours)|
| PARAM_TOKEN_LENGTH | int | 8 |
+| PARAM_TOKEN_REFRESH | boolean | true |
| | | |