angela created OAK-6818:
---------------------------

             Summary: TokenAuthentication/TokenProviderImpl: cleanup expired tokens
                 Key: OAK-6818
                 URL: https://issues.apache.org/jira/browse/OAK-6818
             Project: Jackrabbit Oak
          Issue Type: New Feature
          Components: core, security
            Reporter: angela
            Assignee: angela


During token-based authentication a given token node gets removed if it is 
found to have expired in the meantime:

Extract from {{TokenAuthentication.validateCredentials(TokenCredentials)}} as 
it works today:
{code}
    [...]
    if (tokenInfo.isExpired(loginTime)) {
        tokenInfo.remove();
        return false;
    }
    [...]
{code}

However, this doesn't cope with those cases where expired tokens are left 
behind without ever being caught by cleanup (e.g. a new token is issued and 
no login is ever attempted with the expired token). So, this issue is about 
an extension that would allow those tokens to be cleaned up at some point 
during authentication. In order not to cause extra overhead to the login we 
should set a limit (e.g. number of token nodes) that would only trigger the 
cleanup every now and then rather than doing it all the time.
What also needs to be clarified/investigated: would cleanup only be triggered 
in case of a failure?

cc: [~stillalex], [~tmueller], [~chetanm], [~asanso]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
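
A sketch of the limit-gated cleanup proposed in the issue, added here as an example; it is not part of the original message and not Oak's code. The TokenInfo class, CLEANUP_THRESHOLD and cleanupExpired are hypothetical stand-ins, the token nodes are modelled as an in-memory list, and the sample tokens are constructed.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

public class ExpiredTokenCleanupSketch {

    // Hypothetical stand-in for a token node, exposing the two calls used in the extract.
    static final class TokenInfo {
        final String id;
        final long expiresAt;
        TokenInfo(String id, long expiresAt) { this.id = id; this.expiresAt = expiresAt; }
        boolean isExpired(long loginTime) { return expiresAt < loginTime; }
        void remove() { /* a real implementation would remove the token node */ }
    }

    // Assumed limit: the sweep only runs once a user has this many token nodes.
    static final int CLEANUP_THRESHOLD = 3;

    // Removes expired tokens, but only when the threshold is reached, so a normal
    // login pays for a size check and nothing else. Returns the number removed.
    static int cleanupExpired(List<TokenInfo> userTokens, long loginTime) {
        if (userTokens.size() < CLEANUP_THRESHOLD) {
            return 0;
        }
        int removed = 0;
        for (Iterator<TokenInfo> it = userTokens.iterator(); it.hasNext();) {
            TokenInfo t = it.next();
            if (t.isExpired(loginTime)) {
                t.remove();
                it.remove();
                removed++;
            }
        }
        return removed;
    }

    public static void main(String[] args) {
        long loginTime = 1_000_000L; // constructed sample values
        List<TokenInfo> tokens = new ArrayList<>();
        tokens.add(new TokenInfo("t1", loginTime - 500)); // expired, never presented again
        tokens.add(new TokenInfo("t2", loginTime + 500)); // still valid
        System.out.println("below limit, removed: " + cleanupExpired(tokens, loginTime));
        tokens.add(new TokenInfo("t3", loginTime - 1));   // expired
        System.out.println("at limit, removed: " + cleanupExpired(tokens, loginTime));
        System.out.println("remaining: " + tokens.size());
    }
}
```

Whether such a sweep runs on every login or only after a failed one is the open question the issue raises; the sketch leaves that choice to the caller.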
