[jira] [Commented] (OAK-6818) TokenAuthentication/TokenProviderImpl: cleanup expired tokens

Wed, 22 Nov 2017 03:33:23 -0800 

    [ 
https://issues.apache.org/jira/browse/OAK-6818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16262351#comment-16262351
 ] 

angela commented on OAK-6818:
-----------------------------

[~stillalex], oh... thanks.
for the record what we discussed just in private: we agreed that we want to 
keep the threshold in order to avoid be able to somehow control the clean 
despite the additional randomness that might cause questions about cleanup not 
being triggered despite the treshold being reached.

do you want to commit the patch? I would then adjust the documentation at 
http://jackrabbit.apache.org/oak/docs/security/authentication/token/default.html.


> TokenAuthentication/TokenProviderImpl: cleanup expired tokens
> -------------------------------------------------------------
>
>                 Key: OAK-6818
>                 URL: https://issues.apache.org/jira/browse/OAK-6818
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>             Fix For: 1.8
>
>         Attachments: OAK-6818-osgi-test.patch, OAK-6818.patch
>
>
> During token based authentication a given token node gets removed if it is 
> found to have expired in the mean time:
> Extract from {{TokenAuthentication.validateCredentials(TokenCredentials)}} as 
> it works today:
> {code}
>        [...]
>         if (tokenInfo.isExpired(loginTime)) {
>             tokenInfo.remove();
>             return false;
>         }
>        [...]
> {code}
> However, this doesn't cope with those cases where expired tokens are being 
> left behind without ever being caught by cleanup (e.g. new token issued and 
> never try to login with expired token). So, this issue is about an extension 
> that would allow to somehow/somewhen cleanup those tokens during 
> authentication. In order not to cause extra overhead to the login we should 
> set a limit (e.g. number of token nodes) that would only trigger the cleanup 
> every now and then and not doing it all the time.
> What also needs to be clarified/investigated: would cleanup only be triggered 
> in case of a failure?
> cc: [~stillalex], [~tmueller], [~chetanm], [~asanso]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to