[ https://issues.apache.org/jira/browse/OAK-3274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15143115#comment-15143115 ]
angela commented on OAK-3274: ----------------------------- [~kwin], i had a quick look at {{DefaultSyncContext}} and from my understanding there are 2 conditions that may lead to to the user sync and the conditional membership-sync at the end of the call: - {{forceUserSync}} => public setter on the {{DefaultSyncContext}} - configured expiration time of the user In the former case the user will be synchronized and the membership-expiration time is actually needed to prevent eager group-membership synchronization... in this case it actually might have a value that is less than the {{user.expirationTime}}. > DefaultSyncConfigImpl: add information to "user.membershipExpTime" about > minimum expiration time > ------------------------------------------------------------------------------------------------ > > Key: OAK-3274 > URL: https://issues.apache.org/jira/browse/OAK-3274 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external > Affects Versions: 1.3.5 > Reporter: Konrad Windszus > Priority: Trivial > > The {{user.membershipExpTime}} property cannot have a value which is less > than the value of the {{user.expirationTime}}. Please add this information to > the OSGi property description. Otherwise it is hard to debug issues here. > The reason why {{user.expirationTime}} must be less or equal to > {{user.membershipExpTime}} is in > https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L421. > Since {{syncMembership}} is only called after the {{user.expirationTime}} > guard, it cannot be updated more often than the user itself. -- This message was sent by Atlassian JIRA (v6.3.4#6332)