[KNOX-2790] Split ConcurrentSessionVerifier.verifySessionForUser - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.0.0
Component/s: Server
Labels:
None

Description

Currently, the ConcurrentSessionVerifier.verifySessionForUser does 2 things:

verifies the user if he/she is allowed to have another session
registers the given token into the concurrentSessionCounter map

These 2 functionalities should be split:

boolean verifySessionForUser(String userName);
void registerToken(String userName, JWT token);

With this split, in WebSSOResource, the session verification can be done before the token is actually created and token registration can be done after. It's important because it might be a security leak to generate tokens in advance that will not be used at all but, in case of token management is enabled, may fill up the disk/memory with unused tokens.

Attachments

Issue Links

links to

GitHub Pull Request #624

Activity

People

Assignee:: Marton Balázs

Reporter:: Sandor Molnar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Aug/22 10:46

Updated:: 26/Aug/22 07:54

Resolved:: 26/Aug/22 07:54

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

50m