[ 
https://issues.apache.org/jira/browse/OAK-3275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058436#comment-15058436
 ] 

Tobias Bocanegra commented on OAK-3275:
---------------------------------------

I don't know if we really should remove this instead of fixing the issue. If 
the nesting depth is larger and the amount of groups to sync is substantial, it 
makes sense to have a longer (or even disabled) membership sync. So we'd rather 
add another property to the authorizable, e.g. {{rep:lastSyncedMembers}}.
A minor issue with this patch is that it removes and does not deprecate the 
config methods, making it not backward compatible.

> DefaultSyncConfig: User membership expiration time not working under some 
> circumstances
> ---------------------------------------------------------------------------------------
>
>                 Key: OAK-3275
>                 URL: https://issues.apache.org/jira/browse/OAK-3275
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>    Affects Versions: 1.3.5
>            Reporter: Konrad Windszus
>
> Currently the user expiration and the user membership expiration can be set 
> independently of each other in the OSGi configuration for the 
> {{DefaultSyncConfigImpl}}.
> In reality this is not true though:
> Not only can the membership not be updated more often than the other user 
> properties (compare with OAK-3274). 
> Also the property which is used to mark the last successful sync is the same 
> for both synchronisations 
> (https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L433
>  and 
> https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L422).
> That is a problem if e.g. the user expiration time is 10 minutes but the user 
> membership expiration time is 1 hour. Then every 10 minutes the property 
> {{rep:lastSynced}} would be updated to the current time and the expiration 
> check for the membership expiration would never return true 
> (https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L433).
>  Therefore memberships would never be updated!
> I suggest to completely get rid of user membership expiration time and only 
> have one expiration time for both the user properties and the memberships.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
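
The failure mode from the report, next to the separate-timestamp idea from the comment, as an added example: a simplified model written for this page, not Oak's `DefaultSyncContext` code. The class and method names, the 11-minute login interval and the 6-hour window are assumptions; the 10-minute and 1-hour expiration times are the ones used in the report. With the shared stamp the membership check never fires, because every user sync resets the value it compares against.

```java
import java.util.concurrent.TimeUnit;

// Added illustration: a simplified model of the two expiration checks,
// not the project's implementation.
public class SharedSyncTimestampDemo {
    static final long USER_EXPIRY = TimeUnit.MINUTES.toMillis(10);     // from the report
    static final long MEMBERSHIP_EXPIRY = TimeUnit.HOURS.toMillis(1);  // from the report

    // Assumed shape of the check: expired once the stamp is older than the interval.
    static boolean isExpired(long lastSynced, long expiry, long now) {
        return now - lastSynced > expiry;
    }

    /**
     * Simulates one login every stepMinutes for the given number of hours and
     * returns how many times the membership sync actually ran.
     * separateStamp=false models the reported behaviour (one rep:lastSynced);
     * separateStamp=true models a second property such as rep:lastSyncedMembers.
     */
    static int membershipSyncs(boolean separateStamp, int hours, int stepMinutes) {
        long lastSynced = 0;         // models rep:lastSynced (user synced at t=0)
        long lastSyncedMembers = 0;  // models the proposed rep:lastSyncedMembers
        long end = TimeUnit.HOURS.toMillis(hours);
        long step = TimeUnit.MINUTES.toMillis(stepMinutes);
        int count = 0;
        for (long now = step; now <= end; now += step) {
            // Membership is only looked at as part of a user sync (compare OAK-3274).
            if (!isExpired(lastSynced, USER_EXPIRY, now)) {
                continue;
            }
            long membershipStamp = separateStamp ? lastSyncedMembers : lastSynced;
            if (isExpired(membershipStamp, MEMBERSHIP_EXPIRY, now)) {
                count++;
                lastSyncedMembers = now;
            }
            lastSynced = now; // user sync refreshes the stamp on every pass
        }
        return count;
    }

    public static void main(String[] args) {
        System.out.println("membership syncs, shared stamp:   "
                + membershipSyncs(false, 6, 11));
        System.out.println("membership syncs, separate stamp: "
                + membershipSyncs(true, 6, 11));
    }
}
```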
