[
https://issues.apache.org/jira/browse/KNOX-2266?focusedWorklogId=400523&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-400523
]
ASF GitHub Bot logged work on KNOX-2266:
----------------------------------------
Author: ASF GitHub Bot
Created on: 10/Mar/20 02:35
Start Date: 10/Mar/20 02:35
Worklog Time Spent: 10m
Work Description: pzampino commented on pull request #284: KNOX-2266 -
Tokens Should Include a Unique Identifier
URL: https://github.com/apache/knox/pull/284#discussion_r390063658
##########
File path:
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
##########
@@ -97,48 +94,62 @@ public long getDefaultMaxLifetimeDuration() {
@Override
public void addToken(final JWTToken token, long issueTime) {
if (token == null) {
- throw new IllegalArgumentException("Token data cannot be null.");
+ throw new IllegalArgumentException("Token cannot be null.");
}
- addToken(token.getPayload(), issueTime, token.getExpiresDate().getTime());
+ addToken(TokenUtils.getTokenId(token), issueTime,
token.getExpiresDate().getTime());
}
@Override
- public void addToken(final String token, long issueTime, long expiration) {
- addToken(token, issueTime, expiration, getDefaultMaxLifetimeDuration());
+ public void addToken(final String tokenId, long issueTime, long expiration) {
+ addToken(tokenId, issueTime, expiration, getDefaultMaxLifetimeDuration());
}
@Override
- public void addToken(final String token,
- long issueTime,
- long expiration,
- long maxLifetimeDuration) {
- if (!isValidIdentifier(token)) {
- throw new IllegalArgumentException("Token data cannot be null.");
+ public void addToken(final String tokenId,
+ long issueTime,
+ long expiration,
+ long maxLifetimeDuration) {
+ if (!isValidIdentifier(tokenId)) {
+ throw new IllegalArgumentException("Token identifier cannot be null.");
}
synchronized (tokenExpirations) {
- tokenExpirations.put(token, expiration);
+ tokenExpirations.put(tokenId, expiration);
}
- setMaxLifetime(token, issueTime, maxLifetimeDuration);
- log.addedToken(TokenUtils.getTokenDisplayText(token),
getTimestampDisplay(expiration));
+ setMaxLifetime(tokenId, issueTime, maxLifetimeDuration);
+ log.addedToken(tokenId, getTimestampDisplay(expiration));
}
@Override
- public long getTokenExpiration(final String token) throws
UnknownTokenException {
- long expiration;
-
+ public long getTokenExpiration(final JWT token) throws UnknownTokenException
{
+ long expiration = -1;
try {
- validateToken(token);
- } catch (final UnknownTokenException e) {
- /* if token permissiveness is enabled we check JWT token expiration when
the token state is unknown */
- if (permissiveValidationEnabled &&
getJWTTokenExpiration(token).isPresent()) {
- return getJWTTokenExpiration(token).getAsLong();
- } else {
+ expiration = getTokenExpiration(TokenUtils.getTokenId(token));
+ } catch (UnknownTokenException e) {
+ if (permissiveValidationEnabled) {
+ String exp = token.getExpires();
+ if (exp != null) {
+ log.permissiveTokenHandling(TokenUtils.getTokenId(token),
e.getMessage());
+ expiration = Long.parseLong(exp);
+ }
+ }
+
+ if (expiration == -1) {
Review comment:
If that code means (-1 = now), that seems quite strange to me, and I don't
think Knox tokens require such a convention.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 400523)
Time Spent: 1.5h (was: 1h 20m)
> Tokens Should Include a Unique Identifier
> -----------------------------------------
>
> Key: KNOX-2266
> URL: https://issues.apache.org/jira/browse/KNOX-2266
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.4.0
> Reporter: Philip Zampino
> Assignee: Philip Zampino
> Priority: Major
> Fix For: 1.4.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> It has recently been discovered that the Knox Token service will issue
> duplicate tokens to clients making concurrent requests separated by
> milliseconds or less. This is due to the nimbus JWT library truncating
> expiration times to units of seconds.
> For many use cases, this is probably not an issue. However, as soon a support
> for token renewal and revocation is enabled, there is the potential for
> actions intended for one client's token to have unexpected effects on other
> client's tokens. This problem is potentially exacerbated in HA Knox
> deployments, whereby multiple Knox instances can receive simultaneous
> requests for tokens.
> These issued tokens must be unique.
> The inclusion of a private claim, the value of which is a UUID, would yield
> such unique tokens.
> An additional advantage of this is that the TokenStateService can use these
> UUIDs instead of the Base64-encoded tokens themselves as keys for the
> associated state. This will alleviate some limitations associated with the
> implementations of this service (e.g., Java keystore lower-cases aliases).
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
