[ https://issues.apache.org/jira/browse/OAK-3275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058447#comment-15058447 ]
Konrad Windszus commented on OAK-3275:
--------------------------------------

That would be another possibility, but such a patch must also consider OAK-3274 then, because even with the additional property to store the last member sync the membership expiration time cannot be shorter than the user expiration time.

> DefaultSyncConfig: User membership expiration time not working under some circumstances
> ---------------------------------------------------------------------------------------
>
> Key: OAK-3275
> URL: https://issues.apache.org/jira/browse/OAK-3275
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external
> Affects Versions: 1.3.5
> Reporter: Konrad Windszus
>
> Currently the user expiration and the user membership expiration can be set
> independently of each other in the OSGi configuration for the
> {{DefaultSyncConfigImpl}}.
> In reality this is not true though:
> Not only can the membership not be updated more often than the other user
> properties (compare with OAK-3274).
> Also the property which is used to mark the last successful sync is the same
> for both synchronisations
> (https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L433
> and
> https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L422).
> That is a problem if e.g. the user expiration time is 10 minutes but the user
> membership expiration time is 1 hour. Then every 10 minutes the property
> {{rep:lastSynced}} would be updated to the current time and the expiration
> check for the membership expiration would never return true
> (https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L433).
> Therefore memberships would never be updated!
> I suggest to completely get rid of user membership expiration time and only
> have one expiration time for both the user properties and the memberships.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
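
The interaction described in this issue, as an added example that is not part of the original message and is not Oak's code: a simplified Java model of two expiration checks reading one `rep:lastSynced` timestamp, compared with the separate "last member sync" property mentioned in the comment. The class name, `countMembershipSyncs`, `lastMemberSynced`, the strict `>` comparison and the login schedule are assumptions made for illustration.

```java
import java.util.concurrent.TimeUnit;

/** Simplified model of the expiration logic described in OAK-3275 (assumption, not Oak code). */
public class SharedLastSyncedDemo {
    static final long USER_EXP = TimeUnit.MINUTES.toMillis(10);     // user expiration time
    static final long MEMBERSHIP_EXP = TimeUnit.HOURS.toMillis(1);  // membership expiration time

    /** Expired once more than expTime has passed since the recorded sync. */
    static boolean isExpired(long lastSynced, long now, long expTime) {
        return now - lastSynced > expTime;
    }

    /**
     * Simulates one login every stepMin minutes for totalMin minutes and returns how
     * many membership syncs ran. separateProperty=false models the single
     * rep:lastSynced property; true models a hypothetical second property that
     * records the last membership sync.
     */
    static int countMembershipSyncs(boolean separateProperty, int stepMin, int totalMin) {
        long lastSynced = 0;        // rep:lastSynced
        long lastMemberSynced = 0;  // hypothetical additional property
        int membershipSyncs = 0;
        for (int m = stepMin; m <= totalMin; m += stepMin) {
            long now = TimeUnit.MINUTES.toMillis(m);
            if (!isExpired(lastSynced, now, USER_EXP)) {
                continue; // user not expired: nothing is synced, memberships included (OAK-3274)
            }
            long membershipStamp = separateProperty ? lastMemberSynced : lastSynced;
            if (isExpired(membershipStamp, now, MEMBERSHIP_EXP)) {
                membershipSyncs++;
                lastMemberSynced = now;
            }
            lastSynced = now; // touched on every user sync, which resets the shared clock
        }
        return membershipSyncs;
    }

    public static void main(String[] args) {
        // Constructed scenario: one login per minute for 24 hours.
        System.out.println("shared rep:lastSynced: " + countMembershipSyncs(false, 1, 24 * 60));
        System.out.println("separate property:     " + countMembershipSyncs(true, 1, 24 * 60));
    }
}
```

With the shared property the membership count stays at zero for as long as the user keeps logging in, because the timestamp is never older than the user expiration time when the membership check reads it.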