...
- The server should reject further operations once the authentication is deemed to have expired.
- The server should notify the client that the operation failed because the credential has expired.
- The server, once a user's authentication has expired, should clean that user's attributes from the server.
- The client, once it has received the notification, should gather new credentials and re-authenticate (this only applies to the Java client for now, and only to the newer versions of the Java client).
- The client, if multiple asynchronous connection operations are in flight, should not flood the authentication server with re-authentication requests.
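The last two requirements together describe a single-flight re-authentication: every operation that sees the expiration notification must wait for fresh credentials, but only one request may reach the authentication server. The following is an added illustration of that pattern in plain Java; it is not the Geode client's code, and the class name ReauthCoordinator, the credentialSource/authenticator callbacks and the demo credentials are all constructed for this example.

```java
import java.util.Properties;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.function.Supplier;

/**
 * Coalesces re-authentication: when many in-flight operations observe an
 * expiration at once, only the first starts a request to the authentication
 * server; the rest join the same future instead of sending their own.
 * (Example code, not part of the Geode client.)
 */
public final class ReauthCoordinator {

  private final Supplier<Properties> credentialSource;       // gathers fresh credentials from the user/app
  private final Function<Properties, String> authenticator;  // performs the round trip to the auth server
  private final AtomicReference<CompletableFuture<String>> inFlight = new AtomicReference<>();

  public ReauthCoordinator(Supplier<Properties> credentialSource,
                           Function<Properties, String> authenticator) {
    this.credentialSource = credentialSource;
    this.authenticator = authenticator;
  }

  /** Called by any operation that received the expiration notification. */
  public CompletableFuture<String> reauthenticate() {
    while (true) {
      CompletableFuture<String> existing = inFlight.get();
      if (existing != null) {
        return existing;                       // join the request already in flight
      }
      CompletableFuture<String> mine = new CompletableFuture<>();
      if (inFlight.compareAndSet(null, mine)) {
        CompletableFuture.runAsync(() -> run(mine));
        return mine;                           // we won the race: ours is the single request
      }
      // Lost the race to another thread: loop and join its future.
    }
  }

  private void run(CompletableFuture<String> result) {
    try {
      result.complete(authenticator.apply(credentialSource.get()));
    } catch (RuntimeException e) {
      result.completeExceptionally(e);         // waiters see the failure rather than hanging
    } finally {
      inFlight.set(null);                      // the next expiration starts a fresh request
    }
  }

  /** Demo: 50 operations expire together; the authentication server is asked once. */
  public static void main(String[] args) throws Exception {
    AtomicInteger serverCalls = new AtomicInteger();
    ReauthCoordinator coordinator = new ReauthCoordinator(
        () -> {
          Properties p = new Properties();          // constructed demo credentials
          p.setProperty("security-username", "reader");
          p.setProperty("security-password", "reader-secret");
          return p;
        },
        creds -> {
          serverCalls.incrementAndGet();
          sleep(200);                               // simulated auth-server round trip
          return "token-for-" + creds.getProperty("security-username");
        });

    int operations = 50;
    CountDownLatch start = new CountDownLatch(1);
    CompletableFuture<?>[] results = new CompletableFuture<?>[operations];
    Thread[] threads = new Thread[operations];
    for (int i = 0; i < operations; i++) {
      int idx = i;
      threads[i] = new Thread(() -> {
        try {
          start.await();                            // release all operations at the same instant
        } catch (InterruptedException e) {
          Thread.currentThread().interrupt();
          return;
        }
        results[idx] = coordinator.reauthenticate();
      });
      threads[i].start();
    }
    start.countDown();
    for (Thread t : threads) {
      t.join();
    }
    for (CompletableFuture<?> f : results) {
      f.get();                                      // every operation gets the same new token
    }
    System.out.println("operations: " + operations + ", auth server calls: " + serverCalls.get());
  }

  private static void sleep(long millis) {
    try {
      Thread.sleep(millis);
    } catch (InterruptedException e) {
      Thread.currentThread().interrupt();
    }
  }
}
```

With the 200 ms simulated round trip, all 50 operations arrive while the first request is still in flight, so the demo reports one call to the authentication server. The compare-and-set loop rather than a lock keeps the fast path (joining an existing request) non-blocking, and clearing inFlight in a finally block ensures a failed re-authentication does not leave a poisoned future that later expirations would join forever.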
Server Changes
- Add a new type of exception, AuthenticationExpiredException, that can be thrown by the SecurityManager authorize method. The SecurityManager authorize method is implemented by the third party; we don't need to care how they determine user expiration, we just need to handle the AuthenticationExpiredException if it's thrown.
- The exception will need to bubble all the way back to the client.
- When a client is authenticated, an entry keyed by the client's longID is added to the map maintained by ClientUserAuths. When the client's cache is closed, that entry is removed and the related Shiro subject is logged out to prevent resource leaks. When an authentication expires, we need to do the same: log out the currently authenticated subject and clean that entry out of the map. This logic needs to be added to the code path where the AuthenticationExpiredException is thrown.
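The server changes above leave the "how" of expiration entirely to the third-party SecurityManager. The following is an added example of what such an implementation could look like; it is not Geode's code and not part of this design. It uses the existing Geode SecurityManager.authenticate/authorize signatures and ResourcePermission, and assumes the proposed AuthenticationExpiredException is an unchecked exception with a String-message constructor, as Geode's other security exceptions are. The class name ExpiringSecurityManager, the fixed 30-minute lifetime and the two demo users are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.geode.security.AuthenticationExpiredException;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;

/**
 * Example third-party SecurityManager that gives each authenticated principal
 * a fixed credential lifetime. After the lifetime elapses, authorize() throws
 * AuthenticationExpiredException; the server is expected to let it bubble back
 * to the client, log out the Shiro subject and drop the ClientUserAuths entry.
 * (Example code, not Geode's own SecurityManager.)
 */
public class ExpiringSecurityManager implements SecurityManager {

  // Lifetime and user table are constructed for this example; a real
  // implementation would take them from configuration, a token, or an IdP.
  private static final Duration LIFETIME = Duration.ofMinutes(30);
  private static final Map<String, String> PASSWORDS =
      Map.of("admin", "admin-secret", "reader", "reader-secret");

  // principal name -> instant at which its credential stops being valid
  private final Map<String, Instant> expiry = new ConcurrentHashMap<>();

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty("security-username");
    String password = credentials.getProperty("security-password");
    String expected = user == null ? null : PASSWORDS.get(user);
    if (password == null || expected == null || !constantTimeEquals(password, expected)) {
      throw new AuthenticationFailedException("invalid credentials");
    }
    // Record (or refresh) the expiry: a re-authentication after expiration
    // gets a fresh lifetime, which is what the client-side re-auth relies on.
    expiry.put(user, Instant.now().plus(LIFETIME));
    return user;   // the principal the server will pass back to authorize()
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    String user = String.valueOf(principal);
    Instant validUntil = expiry.get(user);
    if (validUntil == null || !Instant.now().isBefore(validUntil)) {
      // Forget the principal on our side; the server's exception path is
      // responsible for the Shiro logout and the ClientUserAuths cleanup.
      expiry.remove(user);
      throw new AuthenticationExpiredException("credentials for " + user + " have expired");
    }
    // Ordinary authorization once the credential is known to be current:
    // admin may do anything, every other principal is read-only.
    if ("admin".equals(user)) {
      return true;
    }
    return permission.getOperation() == ResourcePermission.Operation.READ;
  }

  // Compare secrets without leaking their common prefix length through timing.
  private static boolean constantTimeEquals(String a, String b) {
    return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                 b.getBytes(StandardCharsets.UTF_8));
  }
}
```

Because authorize() runs on every client operation, the expiry check is deliberately a single map lookup and clock comparison; the expensive part (credential verification) happens only in authenticate(), which is the path the client's re-authentication takes after it receives the expiration notification.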
...