mwdb
commented
5 years ago Hi Alex,
Cached entries are managed by the cache manager. In the configuration you specify the cache manager to be used, so it is under your control. In the sample this is https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/samples/spring-security-basic-auth/src/main/java/sample/spring/xsuaa/SecurityConfiguration.java#L48 You will have a similar configuration.
The default cache manager Spring gives you is a HashMap, which does not have a time to live specified. For your use case I recommend to change it with a cache manager supporting a time to live, e.g. https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-caching.html#boot-features-caching-provider-caffeine
When properly configured, it will expire cache entries.
Regards,
Martijn
Alexaas
nenaraab
Hi, in class TokenBrokerResover a retrieved token is cached based on token url/client id/client secret. This triple usually does not change so a Token is cached for a long time. But at a certain point in time a token is outdated. TokenBrokerResolver returns an outdated token in this case. See TokenBrokerResolver->getBrokerToken
String cacheKey = createSecureHash(oauthTokenUrl, credentialDetails[0], credentialDetails[1]); String storedToken = tokenCache.get(cacheKey, String.class); This piece of code is used several times in this method
Please provide a more intelligent caching or remove caching. As we wanted to ship tomorrow this is urgent for us.
Thanks and Regards, Alex