[ https://issues.apache.org/jira/browse/KNOX-3005?focusedWorklogId=903129&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-903129 ]
ASF GitHub Bot logged work on KNOX-3005: ---------------------------------------- Author: ASF GitHub Bot Created on: 01/Feb/24 16:55 Start Date: 01/Feb/24 16:55 Worklog Time Spent: 10m Work Description: pzampino commented on code in PR #839: URL: https://github.com/apache/knox/pull/839#discussion_r1474771285 ########## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java: ########## @@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest request, final HttpServ return false; } - private boolean isTokenEnabled(String tokenId) throws UnknownTokenException { - final TokenMetadata tokenMetadata = tokenStateService == null ? null : tokenStateService.getTokenMetadata(tokenId); + private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws UnknownTokenException { return tokenMetadata == null ? true : tokenMetadata.isEnabled(); } + private boolean isNotIdle(TokenMetadata tokenMetadata) throws UnknownTokenException { Review Comment: I think isNotIdleLimitExceeded(tokenMetadata) (or something similar) might be a more accurate method name. If we're getting a request, the client is not currently idle. Actually, I would prefer to avoid the negative perspective, using hasIdleLimitExpired(tokenMetadata) and then !hasIdleLimitExpired(tokenMetadata) in it use. This is all a rather small point though, and perhaps not worth worrying about. ########## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java: ########## 
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest request, final HttpServ return false; } - private boolean isTokenEnabled(String tokenId) throws UnknownTokenException { - final TokenMetadata tokenMetadata = tokenStateService == null ? null : tokenStateService.getTokenMetadata(tokenId); + private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws UnknownTokenException { return tokenMetadata == null ? true : tokenMetadata.isEnabled(); } + private boolean isNotIdle(TokenMetadata tokenMetadata) throws UnknownTokenException { + if (idleTimeoutSeconds > 0) { + final Instant lastUsedAt = tokenMetadata == null ? null : tokenMetadata.getLastUsedAt(); + final Instant idleTimeoutLimit = lastUsedAt == null ? null : lastUsedAt.plusSeconds(idleTimeoutSeconds); + return idleTimeoutLimit == null ? true : (tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now())); + } + return true; // no idle timeout is configured -> ignore idleness check + } + + private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata) throws UnknownTokenException { + if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) { + // to avoid updating every single metadata value, we create a new token metadata + // instance only with the updated "LAST_USED_AT" information + final TokenMetadata updatedTokenMetadata = new TokenMetadata(); + updatedTokenMetadata.useTokenNow(); + tokenStateService.addMetadata(tokenId, updatedTokenMetadata); Review Comment: Does this mean there are multiple metadata entries for the same token in the state store? ########## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java: ########## 
@@ -104,4 +104,11 @@ public interface JWTMessages { @Message( level = MessageLevel.WARN, text = "Invalid SSO cookie found! Cleaning up..." ) void invalidSsoCookie(); + + @Message( level = MessageLevel.WARN, text = "User with SSO token {0} exceeded the configured idle timeout of {1} seconds." ) Review Comment: Is it possible to include the principal name here for easier correlation to the user? Issue Time Tracking ------------------- Worklog Id: (was: 903129) Time Spent: 20m (was: 10m) > Implement Knox idle session time > -------------------------------- > > Key: KNOX-3005 > URL: https://issues.apache.org/jira/browse/KNOX-3005 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxSSO > Affects Versions: 2.1.0 > Reporter: Sandor Molnar > Assignee: Sandor Molnar > Priority: Critical > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > With the recent work of KNOX-2961, the new SSO token invalidation > functionality, Knox could provide idle session timeout behavior for UIs. > It will likely not include the usual UI pop-up approach (like when the > end-user is informed about being idle too long), but it would effectively > terminate idle SSO sessions and force an explicit login. > It's also worth mentioning the idleness measurement solely depends on backend > activities through the KnoxSSO Cookie federation filter. and will not take > any client-side action (such as scrolling on the page, client-side > pagination, etc..) into account. -- This message was sent by Atlassian Jira (v8.20.10#820010)
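Review bot: in isNotIdle, the isKnoxSsoCookie() check is ANDed with the timestamp comparison, so a non-SSO token that happens to carry a lastUsedAt value is reported as idle and rejected whenever idleTimeoutSeconds > 0, while a token with no lastUsedAt at all passes unconditionally. Consider short-circuiting first, e.g. `if (tokenMetadata == null || !tokenMetadata.isKnoxSsoCookie()) return true;` and only then comparing `lastUsedAt.plusSeconds(idleTimeoutSeconds).isAfter(Instant.now())`, and decide explicitly whether a missing lastUsedAt should fall back to the token's creation time instead of skipping the check. Also, the `throws UnknownTokenException` clauses on the new isTokenEnabled(TokenMetadata) and isNotIdle(TokenMetadata) look like leftovers: neither body calls tokenStateService any more, so unless isEnabled() or getLastUsedAt() throw it, the clauses can be dropped.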
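Review bot: the merge semantics of tokenStateService.addMetadata(tokenId, updatedTokenMetadata) need to be pinned down in markLastUsedAt, because the freshly created TokenMetadata carries only the LAST_USED_AT value set by useTokenNow(); if addMetadata replaces the stored entry rather than merging into it, the next request's isNotIdle sees isKnoxSsoCookie() == false and isTokenEnabled loses the enabled flag. A comment stating the merge contract, plus a unit test that reads the metadata back after markLastUsedAt, would make this safe against future changes. The removed isTokenEnabled(String) guarded `tokenStateService == null`, while markLastUsedAt dereferences tokenStateService without that guard; if a non-null tokenMetadata implies a non-null service, a one-line comment saying so would make the invariant clear. Finally, the ordering at the call site (not in this hunk) matters: markLastUsedAt must run only after isNotIdle has returned true, otherwise a request arriving after the idle limit refreshes the timestamp and the timeout never takes effect.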
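Review bot: the new WARN message interpolates the SSO token as {0}; make sure the argument passed at the call site is the token identifier (or a hash of it) rather than the JWT itself, since a raw token written to the gateway log is a reusable credential for anyone with log access. The parameter list of the message method is not in the shown lines, so this has to be checked against the full file and the caller.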