Posted to issues@geode.apache.org by "Owen Nichols (Jira)" <ji...@apache.org> on 2022/06/22 20:47:04 UTC

[jira] [Closed] (GEODE-10243) Old clients with durable queues should fail early if AuthenticationExpiredException is thrown

     [ https://issues.apache.org/jira/browse/GEODE-10243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen Nichols closed GEODE-10243.
--------------------------------

> Old clients with durable queues should fail early if AuthenticationExpiredException is thrown
> ---------------------------------------------------------------------------------------------
>
>                 Key: GEODE-10243
>                 URL: https://issues.apache.org/jira/browse/GEODE-10243
>             Project: Geode
>          Issue Type: Improvement
>          Components: client queues
>            Reporter: Dan Smith
>            Assignee: Jinmei Liao
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.15.0
>
>
> As part of the changes for GEODE-9457, when an AuthenticationExpiredException is thrown from the SecurityManager during message dispatching, we send a message to 1.15 and newer clients asking them to re-authenticate.
> For 1.14 and older clients, we do not send a message. Instead, we just wait for the reauthenticate.wait.time to elapse and then close the connection.
> The net effect of this is that if users are doing cache operations from 1.14 and older clients, and their SecurityManager expires the credentials of the old clients, they will sometimes see their clients re-authenticate themselves in that time window. This will mislead users into thinking that re-authentication works with old clients and client queues, even though we have documented that we don't support it (https://github.com/apache/geode/blob/09b8b46ef2fa1d463be885c6fa39dbfe1f0e3e83/geode-docs/managing/security/implementing_authentication_expiry.html.md.erb#L35).
> Instead of allowing re-authentication to sometimes work in this unsupported use case, we should always fail so that it is clear to users that this use case is not supported.


