
Make Nuxeo Drive detect token revocation even with stateful basic auth config (JSESSIONID cookie)


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Nuxeo Drive
    • Backlog priority: 400

      Description

      When Nuxeo is configured with a <stateful>true</stateful> basic auth authenticationPlugin contributed to the org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService authenticators extension point, a JSESSIONID cookie is set and the principal cache of the NuxeoAuthenticationFilter prevents the Drive client requests from being rejected with a 401 error as expected. This cache implementation relies upon the Servlet HTTP sessions.

      As the Drive client connects every 5s (by default), the HTTP session never expires as long as the Drive client's internet connection is up. Hence the token revocation only becomes effective once the Drive client laptop goes to sleep or the wifi connection goes down (for instance).

      To solve this delayed token revocation issue we could try to invalidate the NuxeoAuthenticationFilter cache by finding all the active HTTP sessions for the user whose token is revoked. However, this won't be easy to implement in cluster mode.

      Alternatively, we could work around the issue for Drive by making the NuxeoDriveGetChangeSummary operation explicitly check that any token provided in an HTTP header is still valid, by checking the authTokens directory or, better, by calling the TokenAuthenticationService. If the token is no longer valid, an HTTP 401 can be raised directly by the NuxeoDriveGetChangeSummary operation.

      In that case, in non-cluster mode, this will disconnect Drive as soon as the token is revoked. In cluster mode, this will disconnect the Drive client as soon as the directory cache expires (5 min by default), which sounds reasonable to me.
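      The timing argument above, as an added Python model (not Nuxeo code, and not part of the issue): a client polls every 5s with a token and a session cookie, and three server variants are compared. The servlet session timeout and the sample token/session values are assumptions; the 5s poll interval and 5 min directory cache TTL are the values named in the description.

```python
from dataclasses import dataclass, field

POLL_S = 5                # Drive polling interval named in the issue
SESSION_IDLE_S = 30 * 60  # assumed servlet session timeout
CACHE_TTL_S = 5 * 60      # directory cache TTL in cluster mode (from the issue)

@dataclass
class TokenDirectory:
    """authTokens lookup with an optional read cache (cluster mode)."""
    valid: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)   # token -> (answer, cached_at)

    def is_valid(self, token, now, ttl):
        hit = self.cache.get(token)
        if hit and now - hit[1] < ttl:
            return hit[0]                       # stale answer served from cache
        answer = token in self.valid
        self.cache[token] = (answer, now)
        return answer

@dataclass
class Server:
    tokens: TokenDirectory
    recheck_in_operation: bool    # the workaround proposed in the issue
    cache_ttl: int = 0            # 0 = non-cluster, CACHE_TTL_S = cluster
    sessions: dict = field(default_factory=dict)  # JSESSIONID -> last seen

    def get_change_summary(self, token, sid, now):
        """Return the HTTP status the Drive client sees for one poll."""
        last = self.sessions.get(sid)
        if last is None or now - last >= SESSION_IDLE_S:
            # no live session: the auth filter validates the token itself
            if not self.tokens.is_valid(token, now, self.cache_ttl):
                return 401
        self.sessions[sid] = now  # each poll keeps the session alive
        # a principal-cache hit above skipped the token; re-check explicitly
        if self.recheck_in_operation and \
                not self.tokens.is_valid(token, now, self.cache_ttl):
            return 401
        return 200

def first_401(server, revoke_at, horizon=3600):
    """Seconds until a client polling every POLL_S gets a 401, or None."""
    token, sid = "tok-demo", "sess-demo"  # constructed sample values
    server.tokens.valid.add(token)
    for now in range(0, horizon, POLL_S):
        if now == revoke_at:
            server.tokens.valid.discard(token)
        if server.get_change_summary(token, sid, now) == 401:
            return now
    return None
```

With the token revoked at t=60, the stateful-cache-only server never returns 401 within an hour of polling, the explicit check returns 401 at t=60, and the explicit check behind a cluster directory cache returns 401 at t=300.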

            People

            • Reporter: ogrisel Olivier Grisel
            • Assignee: Unassigned