[KNOX-2670] AliasBasedTokenStateService does not throw UnknownTokenException at revocation time - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.6.0
Fix Version/s: 1.6.0
Component/s: None
Labels:
None

Description

Steps to reproduce

Configure Knox to use the AliasBasedTokenStateService implemntation
Generated token with 1 min lifespan on the token generation UI
Revoke the token on the token management page
Use knox token api to revoke again the already revoked token

The result is:

{ "revoked": "true" }

Root cause analysis

AliasBasedTokenStateService.removeToken(String tokenId) claims it throws UnknownTokenException but this is not true since it's missing the validateToken(String) call. In fact, we would not even need that method: if we remove it then DefaultTokenStateService.removeToken(String) will be invoked that has the required check.

The good news is that the token is not maintained in the memory or in the underlying keystore because AliasBasedTokenStateService.removeToken(Set<String> tokenIds) silently tries to remove the token from the keystore and from memory but those implementations are tolerant to invoke a delete with a non-existing alias.

That means, the token was removed perfectly for the first time.

Attachments

Issue Links

links to

GitHub Pull Request #501

Activity

People

Assignee:: Sandor Molnar

Reporter:: Sandor Molnar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Sep/21 12:25

Updated:: 23/Sep/21 17:56

Resolved:: 23/Sep/21 17:56

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m