smolnar82 commented on code in PR #839:
URL: https://github.com/apache/knox/pull/839#discussion_r1475663053
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##########
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest
request, final HttpServ
return false;
}
- private boolean isTokenEnabled(String tokenId) throws UnknownTokenException {
- final TokenMetadata tokenMetadata = tokenStateService == null ? null :
tokenStateService.getTokenMetadata(tokenId);
+ private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws
UnknownTokenException {
return tokenMetadata == null ? true : tokenMetadata.isEnabled();
}
+ private boolean isNotIdle(TokenMetadata tokenMetadata) throws
UnknownTokenException {
+ if (idleTimeoutSeconds > 0) {
+ final Instant lastUsedAt = tokenMetadata == null ? null :
tokenMetadata.getLastUsedAt();
+ final Instant idleTimeoutLimit = lastUsedAt == null ? null :
lastUsedAt.plusSeconds(idleTimeoutSeconds);
+ return idleTimeoutLimit == null ? true :
(tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now()));
+ }
+ return true; // no idle timeout is configured -> ignore idleness check
+ }
+
+ private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata)
throws UnknownTokenException {
+ if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) {
+ // to avoid updating every single metadata value, we create a new token
metadata
+ // instance only with the updated "LAST_USED_AT" information
+ final TokenMetadata updatedTokenMetadata = new TokenMetadata();
+ updatedTokenMetadata.useTokenNow();
+ tokenStateService.addMetadata(tokenId, updatedTokenMetadata);
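Review bot: isNotIdle() fails open when lastUsedAt is missing: with idleTimeoutSeconds > 0 and a KnoxSSO cookie whose LAST_USED_AT metadata was never written or has been lost from the store, idleTimeoutLimit is null and the method returns true, so that cookie is never treated as idle. For a KnoxSSO cookie with the timeout enabled, a null lastUsedAt should fall back to the token's issue time (or be rejected) rather than skip the check. Two smaller points on the same hunk: markLastUsedAt() hands tokenStateService.addMetadata() a TokenMetadata that carries only lastUsedAt, and the comment above it only holds if addMetadata merges into the stored metadata instead of replacing it; that contract is not visible here and deserves a sentence in the Javadoc plus a unit test. isTokenEnabled() and isNotIdle() also declare `throws UnknownTokenException` although nothing in their bodies can throw it. Finally, since the reply below notes that end users may add arbitrary metadata through the KNOXTOKEN API, it is worth confirming that `lastUsedAt` and `knoxSSOCookie` are reserved names the API refuses to set, because both isNotIdle() and markLastUsedAt() branch on their stored values.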
Review Comment:
Yes, that was the design decision back then, when I added the `knox_token_metadata` table (see #447):
```sql
CREATE TABLE IF NOT EXISTS KNOX_TOKEN_METADATA ( -- IF NOT EXISTS syntax is not supported by Derby
    token_id varchar(128) NOT NULL,
    md_name varchar(32) NOT NULL,
    md_value varchar(256) NOT NULL,
    PRIMARY KEY (token_id, md_name),
    CONSTRAINT fk_token_id FOREIGN KEY(token_id) REFERENCES KNOX_TOKENS(token_id) ON DELETE CASCADE
)
```
This is why we do not need to worry about schema changes between versions.
Currently, the following metadata is known: `userName`, `comment`, `enabled`, `passcode`, `createdBy`, `knoxSSOCookie`, and now `lastUsedAt`. But these are only the ones known to Knox.
Please note that end users [may add arbitrary metadata](https://issues.apache.org/jira/browse/KNOX-2712) using the KNOXTOKEN API.
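As an added illustration of the design discussed in this thread (example code, not Knox's own), the following Python/sqlite3 model builds the same key-value metadata table, stores the `lastUsedAt` key without any schema change, and ports the hunk's `isNotIdle()`/`markLastUsedAt()` logic, including the fail-open path when no `lastUsedAt` row exists. The one-column `KNOX_TOKENS` parent table, epoch milliseconds as the stored encoding of `lastUsedAt`, and merge (upsert) semantics for `add_metadata` are assumptions made for this example; all token data is constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Schema after the KNOX_TOKEN_METADATA layout quoted in the comment; the
# one-column KNOX_TOKENS parent table is an assumption made for this example.
SCHEMA = """
CREATE TABLE KNOX_TOKENS (
    token_id varchar(128) NOT NULL PRIMARY KEY
);
CREATE TABLE KNOX_TOKEN_METADATA (
    token_id varchar(128) NOT NULL,
    md_name  varchar(32)  NOT NULL,
    md_value varchar(256) NOT NULL,
    PRIMARY KEY (token_id, md_name),
    CONSTRAINT fk_token_id FOREIGN KEY (token_id)
        REFERENCES KNOX_TOKENS(token_id) ON DELETE CASCADE
);
"""

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces CASCADE only with this on
    conn.executescript(SCHEMA)
    return conn

def add_token(conn, token_id):
    conn.execute("INSERT INTO KNOX_TOKENS(token_id) VALUES (?)", (token_id,))

def add_metadata(conn, token_id, metadata):
    """Upsert one row per key; keys absent from `metadata` keep their values.
    Merge semantics are an assumption here: they are what lets markLastUsedAt()
    write a TokenMetadata holding nothing but lastUsedAt."""
    for name, value in metadata.items():
        conn.execute("INSERT OR REPLACE INTO KNOX_TOKEN_METADATA(token_id, md_name, md_value) "
                     "VALUES (?, ?, ?)", (token_id, name, str(value)))

def get_metadata(conn, token_id):
    rows = conn.execute("SELECT md_name, md_value FROM KNOX_TOKEN_METADATA WHERE token_id = ?",
                        (token_id,))
    return dict(rows.fetchall())

def touch(conn, token_id, when):
    """markLastUsedAt() equivalent: only KnoxSSO cookies get a lastUsedAt row.
    Epoch milliseconds as the stored encoding is an assumption of this example."""
    if get_metadata(conn, token_id).get("knoxSSOCookie") == "true":
        add_metadata(conn, token_id, {"lastUsedAt": int(when.timestamp() * 1000)})

def is_not_idle(md, idle_timeout_seconds, now):
    """Port of isNotIdle() from the hunk. A KnoxSSO cookie passes while
    lastUsedAt + idleTimeout is still in the future. A disabled timeout or a
    missing lastUsedAt skips the check entirely (fail-open, as in the hunk)."""
    if idle_timeout_seconds <= 0:
        return True
    last_used = md.get("lastUsedAt")
    if last_used is None:
        return True
    limit = datetime.fromtimestamp(int(last_used) / 1000, tz=timezone.utc)
    limit += timedelta(seconds=idle_timeout_seconds)
    return md.get("knoxSSOCookie") == "true" and limit > now

def demo(idle_timeout_seconds=600):
    """Walk a KnoxSSO cookie and an API token through the checks and return
    the observations so they can be asserted on. All data here is constructed."""
    conn = open_store()
    now = datetime(2024, 2, 1, 12, 0, tzinfo=timezone.utc)
    out = {}

    add_token(conn, "sso-1")
    add_metadata(conn, "sso-1", {"userName": "alice", "enabled": "true",
                                 "knoxSSOCookie": "true"})
    # No lastUsedAt row yet: the idle check is skipped
    out["never_used"] = is_not_idle(get_metadata(conn, "sso-1"), idle_timeout_seconds, now)
    touch(conn, "sso-1", now - timedelta(minutes=5))
    out["fresh"] = is_not_idle(get_metadata(conn, "sso-1"), idle_timeout_seconds, now)
    out["other_keys_kept"] = get_metadata(conn, "sso-1")["userName"]
    touch(conn, "sso-1", now - timedelta(minutes=20))
    out["idle"] = is_not_idle(get_metadata(conn, "sso-1"), idle_timeout_seconds, now)

    # A user-defined key ("ticket") needs no schema change: it is just another row
    add_token(conn, "api-1")
    add_metadata(conn, "api-1", {"userName": "bob", "knoxSSOCookie": "false",
                                 "ticket": "OPS-42"})
    touch(conn, "api-1", now)  # no-op: not a KnoxSSO cookie
    out["api_untouched"] = "lastUsedAt" not in get_metadata(conn, "api-1")
    out["api_not_idle"] = is_not_idle(get_metadata(conn, "api-1"), idle_timeout_seconds, now)

    # ON DELETE CASCADE removes every metadata row together with the token
    conn.execute("DELETE FROM KNOX_TOKENS WHERE token_id = ?", ("sso-1",))
    out["cascade_rows"] = conn.execute(
        "SELECT COUNT(*) FROM KNOX_TOKEN_METADATA WHERE token_id = ?", ("sso-1",)
    ).fetchone()[0]
    return out
```

Running `demo()` shows the two outcomes a practitioner cares about: a cookie touched 5 minutes ago passes a 10-minute idle timeout while one touched 20 minutes ago fails it, and a cookie that has never been touched passes regardless, which is the fail-open behaviour of the hunk's null handling. Because each metadata key is its own row, introducing `lastUsedAt` (or a user-supplied `ticket`) required no DDL change, and deleting the parent token cascades to all of its rows.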
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]