tasso94
commented
1 year ago Decisions
- Five minutes as a TTL default is a good compromise between not logging out unauthorized users at all and introducing an unexpected load peak because each user session leads to multiple additional queries; if this doesn't satisfy our users, they can change it to a smaller value or zero
- I only added an integration test for Spring Boot since adjusting the web app integration test suite to test the new behavior would be a higher effort; however, we should test the new behavior on all application servers manually; I'll ask our QA Engineer to do this in the course of the Dev2QA handover summary
- The parent ticket only has the requirement to check if the user still exists; I broadened the implementation scope to cover all information relevant for creating an authorization; otherwise, there are similar problems with group/tenant memberships and app access
- I added an optimization that adds the validation time already on login to avoid updating the cache immediately after creation
- Usually, iterating over a list and removing elements is not allowed and results in a
ConcurrentModificationException- However, in the case of
AuthenticationUtil#updateCache, we loop over a copy of theMap<String, UserAuthentication> authenticationsvalues; the elements are removed from the map, not from the list
- However, in the case of
- The new implementation itself doesn't need to send an HTTP error in case there is no authentication for the HTTP session left; the
SecurityFiltertakes care of this (seeEngineRequestAuthorizerandSecurityFilter#sendUnauthorized)
yanavasileva
Acceptance Criteria (Required on creation)
cacheTimeToLiveis configured in all distros to five minutes.<param-value/>)0, caching is disabled.groupIds,tenantIds, and app authorizations; this prevents, for instance, permissions being restricted for a user that is no longer part of thecamunda-admingroup.Hints
Links
Breakdown