Could this be a performance issue in CAS6?

Yan Zhou

Apr 25, 2022, 5:30:17 PM
to CAS Community
Hi there,

The following validation is new in CAS6.x:

OIDC endpoint: cas/oidc/token (request access token using authCode)
OAuth20AuthorizationCodeGrantTypeTokenRequestValidator

The log says it all: if the authCode is expired, it will attempt to revoke all access tokens issued to the authCode (new to CAS6). However, it does so by querying the entire registry: getTicketRegistry().getTickets()

   @Override
    protected boolean validateInternal(final WebContext context, final String grantType,
                                       final ProfileManager manager, final UserProfile uProfile) {
 .......................................
        if (valid) {
            val token = getConfigurationContext().getTicketRegistry().getTicket(code.get(), OAuth20Code.class);
            if (token == null || token.isExpired()) {
                LOGGER.debug("Code [{}] is invalid or expired. Attempting to revoke access tokens issued to the code", code.get());
                val accessTokensByCode = getConfigurationContext().getTicketRegistry().getTickets(ticket ->
                    ticket instanceof OAuth20AccessToken
                        && StringUtils.equalsIgnoreCase(((OAuth20AccessToken) ticket).getToken(), code.get()));
                accessTokensByCode.forEach(ticket -> {
                    LOGGER.debug("Removing access token [{}] issued via expired/unknown code [{}]", ticket.getId(), code.get());
                    getConfigurationContext().getTicketRegistry().deleteTicket(ticket);
                });

                LOGGER.warn("Request OAuth code [{}] is not found or has expired", code.get());
                return false;
            }
...............................

This is the CAS HazelcastTicketRegistry code. Note: this.ticketCatalog.findAll()

    @Override
    public Collection<? extends Ticket> getTickets() {
        return this.ticketCatalog.findAll()
            .stream()
            .map(metadata -> getTicketMapInstanceByMetadata(metadata).values())
            .flatMap(tickets -> {
                if (pageSize > 0) {
                    return tickets.stream().limit(pageSize).collect(Collectors.toList()).stream();
                }
                return new ArrayList<>(tickets).stream();
            })
            .map(this::decodeTicket)
            .collect(Collectors.toSet());
    }

Would not that be a performance issue?

Yan
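
Added example (not part of the original post and not CAS code): a self-contained Java sketch of the cost pattern the post asks about, comparing a decode-everything-then-filter lookup with a secondary index keyed by authorization code. All class, field and method names are hypothetical, the data is constructed, and it assumes, as the post describes, that the predicate lookup filters the result of a full registry read.

```java
import java.util.*;
import java.util.function.Predicate;
import java.util.stream.Collectors;

// Hypothetical stand-in for a ticket registry; none of these names are CAS APIs.
public class RegistryScanCost {
    record AccessToken(String id, String code) {}

    static int decodeCalls = 0;                                        // per-ticket decode work
    static final Map<String, AccessToken> store = new HashMap<>();     // ticket id -> ticket
    static final Map<String, Set<String>> idsByCode = new HashMap<>(); // code -> ticket ids

    static AccessToken decode(AccessToken t) { decodeCalls++; return t; }

    static String key(String code) { return code.toLowerCase(Locale.ROOT); }

    // The index is maintained on write; a real registry must also update it on delete.
    static void add(AccessToken t) {
        store.put(t.id(), t);
        idsByCode.computeIfAbsent(key(t.code()), k -> new HashSet<>()).add(t.id());
    }

    // Pattern from the post: read and decode every ticket, then apply the predicate.
    static List<AccessToken> findByScan(Predicate<AccessToken> p) {
        return store.values().stream()
            .map(RegistryScanCost::decode).filter(p).collect(Collectors.toList());
    }

    // Alternative: look up matching ids first, so only matching tickets are decoded.
    static List<AccessToken> findByIndex(String code) {
        return idsByCode.getOrDefault(key(code), Set.of()).stream()
            .map(store::get).map(RegistryScanCost::decode).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data: 100,000 unrelated tokens plus two tied to one code.
        for (int i = 0; i < 100_000; i++) add(new AccessToken("AT-" + i, "OC-" + i));
        add(new AccessToken("AT-x1", "OC-expired"));
        add(new AccessToken("AT-x2", "OC-expired"));

        String code = "OC-expired";
        var scan = findByScan(t -> t.code().equalsIgnoreCase(code));
        int scanCost = decodeCalls;
        decodeCalls = 0;
        var indexed = findByIndex(code);
        System.out.printf("scan:  %d matches, %d decodes%n", scan.size(), scanCost);
        System.out.printf("index: %d matches, %d decodes%n", indexed.size(), decodeCalls);
    }
}
```

Both lookups return the same tokens; the scan's decode count grows with the size of the registry, while the indexed lookup's grows only with the number of tokens issued from that code.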