
fix(jans-auth-server): clean up jansDeviceSess entries after expiration #8704 #8936

Merged (2 commits) on Jul 10, 2024

Conversation

yuriyz (Contributor) commented Jul 10, 2024

Description

fix(jans-auth-server): clean up jansDeviceSess entries after expiration

Target issue

closes #8704

  • I confirm that there is no impact on the docs due to the code changes in this PR.

dryrunsecurity bot commented Jul 10, 2024

DryRun Security Summary

The provided code change in the Jans Authorization Server application focuses on maintaining the application's data integrity and performance by periodically cleaning up expired or inactive entities, including device sessions and inactive clients, and ensuring the application's cache remains up-to-date and efficient.


Summary:

The provided code change is related to the CleanerTimer class in the Jans Authorization Server application. The key changes include:

  1. Addition of the DeviceSession entity to the list of entities that the CleanerTimer will periodically clean up. This suggests the application now handles device-specific sessions, which is an important security consideration.
  2. Improvements to the cleanup process, including batch processing and the ability to clean up inactive clients based on a configurable time threshold. This helps maintain the application's data integrity and performance.
  3. Inclusion of a cache cleanup process to ensure the application's cache remains up-to-date and efficient.

From an application security perspective, these changes are focused on maintaining the application's data integrity and performance by periodically removing expired or inactive entities. Ensuring the timely removal of device sessions and inactive clients is crucial to prevent potential security issues, such as unauthorized access or session hijacking. Overall, this code change appears to be a routine maintenance task to keep the application's data clean and secure.

Files Changed:

  • jans-auth-server/server/src/main/java/io/jans/as/server/service/CleanerTimer.java: This file contains the changes related to the CleanerTimer class, which is responsible for periodically cleaning up various data entities in the Jans Authorization Server application. The key changes include the addition of the DeviceSession entity to the cleanup process, improvements to the cleanup process (batch processing and inactive client cleanup), and the inclusion of a cache cleanup process.

Code Analysis

We ran 7 analyzers against 1 file and 1 analyzer had findings. 6 analyzers had no findings.

Analyzer findings: Authn/Authz Analyzer, 2 findings

Riskiness

🟢 Risk threshold not exceeded.


@yuriyz yuriyz enabled auto-merge (squash) July 10, 2024 10:04
@mo-auto mo-auto added the labels comp-jans-auth-server (component affected by issue or PR) and kind-bug (issue or PR is a bug in existing functionality) Jul 10, 2024
@yuriyz yuriyz merged commit 1cfcd2f into main Jul 10, 2024
1 of 2 checks passed
@yuriyz yuriyz deleted the jans-auth-server-8704 branch July 10, 2024 17:19