[
https://issues.apache.org/jira/browse/KNOX-2266?focusedWorklogId=400478&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-400478
]
ASF GitHub Bot logged work on KNOX-2266:
----------------------------------------
Author: ASF GitHub Bot
Created on: 10/Mar/20 00:53
Start Date: 10/Mar/20 00:53
Worklog Time Spent: 10m
Work Description: moresandeep commented on pull request #284: KNOX-2266 -
Tokens Should Include a Unique Identifier
URL: https://github.com/apache/knox/pull/284#discussion_r390034382
##########
File path:
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
##########
@@ -184,33 +195,22 @@ public long renewToken(final String token, long
renewInterval) throws UnknownTok
@Override
public void revokeToken(final JWTToken token) throws UnknownTokenException {
if (token == null) {
- throw new IllegalArgumentException("Token data cannot be null.");
+ throw new IllegalArgumentException("Token identifier cannot be null.");
}
- revokeToken(token.getPayload());
+ revokeToken(TokenUtils.getTokenId(token));
}
@Override
- public void revokeToken(final String token) throws UnknownTokenException {
+ public void revokeToken(final String tokenId) throws UnknownTokenException {
/* no reason to keep revoked tokens around */
- removeToken(token);
- log.revokedToken(TokenUtils.getTokenDisplayText(token));
+ removeToken(tokenId);
+ log.revokedToken(tokenId);
}
@Override
public boolean isExpired(final JWTToken token) throws UnknownTokenException {
- return isExpired(token.getPayload());
- }
-
- @Override
- public boolean isExpired(final String token) throws UnknownTokenException {
- boolean isExpired;
- isExpired = isUnknown(token); // Check if the token exist
- if (!isExpired) {
- // If it not unknown, check its expiration
- isExpired = (getTokenExpiration(token) <= System.currentTimeMillis());
- }
- return isExpired;
+ return getTokenExpiration(token) <= System.currentTimeMillis();
Review comment:
This method would throw `UnknownTokenException` if a token is not found.
Exceptions are expensive (filling up stack trace and unwinding it every time it
is passed to a new method) so should `getTokenExpiration(token)` return some
negative value instead?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 400478)
Time Spent: 20m (was: 10m)
> Tokens Should Include a Unique Identifier
> -----------------------------------------
>
> Key: KNOX-2266
> URL: https://issues.apache.org/jira/browse/KNOX-2266
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.4.0
> Reporter: Philip Zampino
> Assignee: Philip Zampino
> Priority: Major
> Fix For: 1.4.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> It has recently been discovered that the Knox Token service will issue
> duplicate tokens to clients making concurrent requests separated by
> milliseconds or less. This is due to the nimbus JWT library truncating
> expiration times to units of seconds.
> For many use cases, this is probably not an issue. However, as soon a support
> for token renewal and revocation is enabled, there is the potential for
> actions intended for one client's token to have unexpected effects on other
> client's tokens. This problem is potentially exacerbated in HA Knox
> deployments, whereby multiple Knox instances can receive simultaneous
> requests for tokens.
> These issued tokens must be unique.
> The inclusion of a private claim, the value of which is a UUID, would yield
> such unique tokens.
> An additional advantage of this is that the TokenStateService can use these
> UUIDs instead of the Base64-encoded tokens themselves as keys for the
> associated state. This will alleviate some limitations associated with the
> implementations of this service (e.g., Java keystore lower-cases aliases).
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
