You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "Thomas Mueller (JIRA)" <ji...@apache.org> on 2017/10/12 11:45:00 UTC

[jira] [Commented] (OAK-6818) TokenAuthentication/TokenProviderImpl: cleanup expired tokens

    [ https://issues.apache.org/jira/browse/OAK-6818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16201830#comment-16201830 ] 

Thomas Mueller commented on OAK-6818:
-------------------------------------

To avoid doing cleanup if there are no or (likely) only few entries: 

* Ensure cleanup is run once every 2 hours, by setting a property "lastCleanup".
* When adding a token, with a low probability do the cleanup. For that, get the hash of the token, and do cleanup if {{(hash & 0xfff) == 0}} (for probability 1/4096).


> TokenAuthentication/TokenProviderImpl: cleanup expired tokens
> -------------------------------------------------------------
>
>                 Key: OAK-6818
>                 URL: https://issues.apache.org/jira/browse/OAK-6818
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>             Fix For: 1.8
>
>
> During token based authentication a given token node gets removed if it is found to have expired in the mean time:
> Extract from {{TokenAuthentication.validateCredentials(TokenCredentials)}} as it works today:
> {code}
>        [...]
>         if (tokenInfo.isExpired(loginTime)) {
>             tokenInfo.remove();
>             return false;
>         }
>        [...]
> {code}
> However, this doesn't cope with those cases where expired tokens are being left behind without ever being caught by cleanup (e.g. new token issued and never try to login with expired token). So, this issue is about an extension that would allow to somehow/somewhen cleanup those tokens during authentication. In order not to cause extra overhead to the login we should set a limit (e.g. number of token nodes) that would only trigger the cleanup every now and then and not doing it all the time.
> What also needs to be clarified/investigated: would cleanup only be triggered in case of a failure?
> cc: [~stillalex], [~tmueller], [~chetanm], [~asanso]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)