You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/08/26 07:53:00 UTC
[jira] [Commented] (KNOX-2790) Split ConcurrentSessionVerifier.verifySessionForUser
[ https://issues.apache.org/jira/browse/KNOX-2790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17585206#comment-17585206 ]
ASF subversion and git services commented on KNOX-2790:
-------------------------------------------------------
Commit 71e073fbf94bbeeb62ad087f90a9e4968aac107e in knox's branch refs/heads/master from MrtnBalazs
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=71e073fbf ]
KNOX-2790 - Added a new funtion to verifier, this way the session lim… (#624)
> Split ConcurrentSessionVerifier.verifySessionForUser
> ----------------------------------------------------
>
> Key: KNOX-2790
> URL: https://issues.apache.org/jira/browse/KNOX-2790
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Balazs Marton
> Priority: Critical
> Fix For: 2.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Currently, the ConcurrentSessionVerifier.verifySessionForUser does 2 things:
> * verifies the user if he/she is allowed to have another session
> * registers the given token into the concurrentSessionCounter map
> These 2 functionalities should be split:
> * boolean verifySessionForUser(String userName);
> * void registerToken(String userName, JWT token);
> With this split, in WebSSOResource, the session verification can be done before the token is actually created and token registration can be done after. It's important because it might be a security leak to generate tokens in advance that will not be used at all but, in case of token management is enabled, may fill up the disk/memory with unused tokens.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)