THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
- Add a new type of exception that ,
AuthenticationExpiredException, that can be thrown by theSecurityManager"authorize" method: AuthenticationExpiredException . SecurityManager "authorize" method method is implemented by the third-party. We don't need to care how they determine user expiration. We just need to handle the AuthenticationExpiredExceptionAuthenticationExpiredExceptionIf it's thrown. - The exception will need to bubble all the way back to the client
- When a client is authenticated, an entry with the client's longID as the key is added to map maintained by the
ClientUserAuths. The entry is removed and the related shiro subject is logged out to prevent resource leaks when client's cache is closed. When an authentication expires, we need to do the same with the current authenticated subject and clean that entry out of the map as well. This logic needs to be added to the code path where theAuthenticationExpiredExceptionis thrown.
Java Client Changes
- There is logic on the java client to do re-authentication when user attributes somehow "disappeared" from the server, we can piggyback on this logic to handle the
AuthenticationExpiredException. - For the older versions of the client, it just needs to be notified of the exception, no re-authentication is required on older clients.
- When credentials expired, if there are multiple operations from the client, we need to do something to prevent the client from sending out multiple re-authentication requests to the authentication server.
...