[
https://issues.apache.org/jira/browse/OAK-6818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alex Deparvu updated OAK-6818:
------------------------------
Fix Version/s: 1.7.12
> TokenAuthentication/TokenProviderImpl: cleanup expired tokens
> -------------------------------------------------------------
>
> Key: OAK-6818
> URL: https://issues.apache.org/jira/browse/OAK-6818
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: core, security
> Reporter: angela
> Assignee: angela
> Fix For: 1.8, 1.7.12
>
> Attachments: OAK-6818-osgi-test.patch, OAK-6818.patch
>
>
> During token-based authentication a given token node gets removed if it is
> found to have expired in the meantime:
> Extract from {{TokenAuthentication.validateCredentials(TokenCredentials)}} as
> it works today:
> {code}
> [...]
> if (tokenInfo.isExpired(loginTime)) {
>     tokenInfo.remove();
>     return false;
> }
> [...]
> {code}
> However, this doesn't cope with those cases where expired tokens are being
> left behind without ever being caught by cleanup (e.g. a new token is issued
> and there is never an attempt to log in with the expired token). So, this
> issue is about an extension that would allow us to somehow/somewhen clean up
> those tokens during authentication. In order not to cause extra overhead to
> the login we should set a limit (e.g. number of token nodes) that would only
> trigger the cleanup every now and then and not do it all the time.
> What also needs to be clarified/investigated: would cleanup only be triggered
> in case of a failure?
> cc: [~stillalex], [~tmueller], [~chetanm], [~asanso]
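The limit-triggered cleanup proposed in the issue, as an added sketch that is not part of the original message and is not Oak's `TokenProviderImpl` code. The class, its methods, the in-memory map and the threshold value are all hypothetical, and sweeping on every validation (rather than only on failure, the question the issue leaves open) is an assumption.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; NOT Oak code. All names and values here are hypothetical.
public class TokenCleanupSketch {
    // Hypothetical limit: sweep only once a user holds this many token entries.
    static final int CLEANUP_THRESHOLD = 3;

    // userId -> (token -> expiry time in ms); stands in for the user's token nodes.
    private final Map<String, Map<String, Long>> tokensByUser = new HashMap<>();

    void issue(String userId, String token, long expiresAt) {
        tokensByUser.computeIfAbsent(userId, k -> new HashMap<>()).put(token, expiresAt);
    }

    boolean validate(String userId, String token, long loginTime) {
        Map<String, Long> tokens = tokensByUser.get(userId);
        Long expiresAt = tokens == null ? null : tokens.get(token);
        if (expiresAt == null) {
            return false; // unknown token
        }
        boolean valid = true;
        if (expiresAt < loginTime) {
            // Behaviour from the quoted extract: drop the presented expired token.
            tokens.remove(token);
            valid = false;
        }
        // Proposed extension: also sweep expired tokens that were never presented
        // again, but only when the entry count reaches the limit, to keep login cheap.
        if (tokens.size() >= CLEANUP_THRESHOLD) {
            tokens.values().removeIf(exp -> exp < loginTime);
        }
        return valid;
    }

    int tokenCount(String userId) {
        Map<String, Long> tokens = tokensByUser.get(userId);
        return tokens == null ? 0 : tokens.size();
    }

    public static void main(String[] args) {
        TokenCleanupSketch store = new TokenCleanupSketch();
        // Constructed sample data: three tokens expire and are never used again.
        store.issue("alice", "t1", 100L);
        store.issue("alice", "t2", 200L);
        store.issue("alice", "t3", 300L);
        store.issue("alice", "t4", 10_000L);
        System.out.println("login ok: " + store.validate("alice", "t4", 1_000L));
        System.out.println("tokens left: " + store.tokenCount("alice"));
    }
}
```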