Allow session idle timeout to be configured on authentication. #10511
Allow session idle timeout to be configured on authentication.

Signed-off-by: gregw <[email protected]>
I think we need to allow users to be able to set authenticated sessions as immortal.
@@ -68,7 +68,8 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti | |||
private final Map<String, String> _initParameters = new HashMap<>(); | |||
private LoginService _loginService; | |||
private IdentityService _identityService; | |||
private boolean _renewSession = true; | |||
private boolean _renewSessionOnAuthentication = true; | |||
private int _sessionMaxInactiveIntervalOnAuthentication = 0; |
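Review bot: the new field `_sessionMaxInactiveIntervalOnAuthentication` carries no comment saying what its default of 0 means, and the review thread below shows that ambiguity causing confusion, since the session API treats a timeout <= 0 as "never expires". Suggest a field comment such as `// 0 = leave the session's existing interval unchanged, <0 = no timeout, >0 = seconds` and the same wording on the setter so that callers configuring this via web.xml or programmatically know that 0 does not make authenticated sessions immortal. Also, `_renewSession` becomes `_renewSessionOnAuthentication` in this hunk while the new field uses the same `...OnAuthentication` suffix; make sure the corresponding getter, setter and init-parameter names are renamed consistently rather than leaving a mix of old and new names.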
I don't think a default of 0 is a good idea. If it is not set, then sessions that were previously configured - either programmatically or via web.xml - to time out after x minutes are suddenly immortal after authentication.
Oops, commented too soon. Now I've read the LoginAuthenticator code and it's the other way around: you can't cause sessions to become immortal after being authenticated. Immortality is indicated by a timeout <= 0, but you're only setting the maxInactiveInterval iff it's > 0.
I've updated so that non-zero values are set on authentication, so we can now make a session immortal on authentication with a value of -1.
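The two policies discussed in this thread (apply the configured value only when it is positive, versus apply any non-zero value so that -1 makes the session immortal), as an added illustration that is not Jetty's own code. The `Session` class is a constructed stand-in for the parts of the servlet session API the example needs, so it compiles without the Jetty or servlet jars; the `applyPositiveOnly` and `applyNonZero` names and the 1800-second starting interval are assumptions for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not code from the Jetty PR: models how a configured
// "max inactive interval on authentication" is applied under the original
// and the updated rule.
public class AuthenticatedSessionTimeoutExample {

    /** Constructed stand-in for the session API; a value <= 0 means "never expires". */
    static final class Session {
        private int maxInactiveInterval; // seconds

        Session(int initialInterval) {
            this.maxInactiveInterval = initialInterval;
        }

        int getMaxInactiveInterval() {
            return maxInactiveInterval;
        }

        void setMaxInactiveInterval(int seconds) {
            this.maxInactiveInterval = seconds;
        }

        boolean isImmortal() {
            return maxInactiveInterval <= 0;
        }
    }

    /**
     * Original rule described in the review: the configured value is applied
     * only when positive, so authentication can shorten (or lengthen) the idle
     * timeout but can never make the session immortal.
     */
    static void applyPositiveOnly(Session session, int configured) {
        if (configured > 0) {
            session.setMaxInactiveInterval(configured);
        }
    }

    /**
     * Updated rule: any non-zero value is applied. 0 keeps whatever interval the
     * session already had (from web.xml or programmatic configuration); a
     * negative value such as -1 deliberately makes the session immortal.
     */
    static void applyNonZero(Session session, int configured) {
        if (configured != 0) {
            session.setMaxInactiveInterval(configured);
        }
    }

    /** Runs one configured value through both rules against the same starting interval. */
    static Map<String, Integer> compare(int existingInterval, int configured) {
        Session positiveOnly = new Session(existingInterval);
        Session nonZero = new Session(existingInterval);
        applyPositiveOnly(positiveOnly, configured);
        applyNonZero(nonZero, configured);
        Map<String, Integer> result = new LinkedHashMap<>();
        result.put("positiveOnly", positiveOnly.getMaxInactiveInterval());
        result.put("nonZero", nonZero.getMaxInactiveInterval());
        return result;
    }

    public static void main(String[] args) {
        int existing = 1800; // constructed: a 30-minute idle timeout set before login
        for (int configured : new int[] {0, 300, -1}) {
            Map<String, Integer> r = compare(existing, configured);
            System.out.printf("configured=%d -> positiveOnly=%d nonZero=%d%n",
                configured, r.get("positiveOnly"), r.get("nonZero"));
        }
    }
}
```

The value 0 leaves the pre-authentication interval untouched under both rules, which is why the default of 0 does not make sessions immortal; a positive value tightens the idle window after login, which limits how long a stolen session cookie stays usable; and only the updated rule lets an operator opt in to an immortal authenticated session with -1, so that choice is explicit rather than a side effect of leaving the setting unset.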
Signed-off-by: gregw <[email protected]>
But delete the commented out lines of code, and maybe consider consistent naming of the fields as per my comments. Extra combination of test cases would be good, but (hopefully) not critical :)
Signed-off-by: gregw <[email protected]>
Allow session idle timeout to be configured on authentication.