Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2017/08/16 08:42:00 UTC

[jira] [Comment Edited] (QPID-7034) Inactive web management console session not automatically timed-out

    [ https://issues.apache.org/jira/browse/QPID-7034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16128492#comment-16128492 ] 

Keith Wall edited comment on QPID-7034 at 8/16/17 8:41 AM:
-----------------------------------------------------------

The change made allows an absolute expiry to be applied to a *HTTP session*, which I think is sufficient to answer the immediate requirement.  

However, it strikes me that the current model is not ideal. I think in the long term the constraint needs to be applied equally to both interactive HTTP management sessions and AMQP management sessions. Also, for use-cases where the virtualhost is the unit being managed, the configuration should be shared amongst the nodes of the group and be applied no matter where the current mastership resides, without the need to keep Broker configuration in sync.

Perhaps the Broker model should allow constraints such as these to be associated with a profile. Profiles would then be associated with a group and applied as users log on. Profiles would need to be children of both Broker and Virtualhost. Typical configuration might be that an operator group would have a profile with an absoluteSessionTimeout of say 30 mins. The profile associated with an application messaging group might have no absoluteSessionTimeout at all.

was (Author: k-wall):
The change made allows an absolute expiry to be applied to a *HTTP session*, which I think is sufficient to answer the immediate requirement.  

However, it strikes me that the current model is not ideal. I think in the long term the constraint needs to be applied equally to both interactive HTTP management sessions and AMQP management sessions. Also, for use-cases where the virtualhost is the unit being managed, the configuration should be shared amongst the nodes of the group and be applied no matter where the current mastership resides, without the need to keep Broker configuration in sync.

Perhaps the Broker model should allow constraints such as these to be associated with a profile. Profiles would then be associated with a group and applied as users log on. Profiles would need to be children of both Broker and Virtualhost. Typical configuration might be that an operator group had a profile with an absoluteSessionTimeout of say 30 mins. The profile associated with an application messaging group might have no absoluteSessionTimeout at all.

> Inactive web management console session not automatically timed-out
> -------------------------------------------------------------------
>
>                 Key: QPID-7034
>                 URL: https://issues.apache.org/jira/browse/QPID-7034
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>            Reporter: Keith Wall
>             Fix For: qpid-java-broker-7.0.0
>
>
> If, as an operator, I have a session open on the web management console, the session should expire and I should be forced to reauthenticate if I don't use the application for a period of time.
> This currently doesn't happen.  Web Management correctly establishes a HTTP session timeout, but the session is kept alive by the regular polls the client side makes to the server.  This is sufficient to keep the session alive and means the user is never automatically logged out.



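The behaviour in the issue description (polls keeping the HTTP session alive) and the absolute expiry described in the comment can be modelled as follows. This is an added example, not code from the original message or from the Qpid project; the `Session` class, the 600-second idle timeout and the 10-second poll interval are constructed assumptions, and the 30-minute absolute limit is taken from the comment's sample profile.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Hypothetical session model for illustration; not Broker code."""
    created: int
    idle_timeout: int                  # seconds allowed since the last request
    absolute_timeout: Optional[int]    # seconds allowed since creation, None = off
    last_access: int = 0

    def __post_init__(self):
        self.last_access = self.created

    def is_valid(self, now: int) -> bool:
        # Idle check: measured from the last request of any kind.
        if now - self.last_access >= self.idle_timeout:
            return False
        # Absolute check: measured from creation, never reset by requests.
        if self.absolute_timeout is not None:
            if now - self.created >= self.absolute_timeout:
                return False
        return True

    def request(self, now: int) -> bool:
        """Handle a request. A background poll is indistinguishable from
        user activity here, so it refreshes last_access as well."""
        if not self.is_valid(now):
            return False
        self.last_access = now
        return True


def first_rejected_poll(session: Session, poll_interval: int, horizon: int):
    """Replay an unattended console that only polls. Return the time of the
    first rejected poll, or None if the session survives until horizon."""
    t = session.created + poll_interval
    while t <= horizon:
        if not session.request(t):
            return t
        t += poll_interval
    return None


EIGHT_HOURS = 8 * 3600
# Idle timeout only: 10 s polls keep an unattended console logged in.
idle_only = first_rejected_poll(Session(0, 600, None), 10, EIGHT_HOURS)
# Same polling, plus a 30-minute absolute limit: logout is forced.
with_absolute = first_rejected_poll(Session(0, 600, 1800), 10, EIGHT_HOURS)
```
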