Skip to content

feat: introduce a filter to refresh camunda authentication #36718

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 34 commits into from
Aug 18, 2025
Merged

feat: introduce a filter to refresh camunda authentication #36718

merged 34 commits into from
Aug 18, 2025

Conversation

maryarm
Copy link
Contributor

@maryarm maryarm commented Aug 13, 2025

Description

When a user logs in, we determine their associations once (membership in roles, groups, tenants; application authorizations) and put them into the web session.

When these associations change (e.g. user is removed from a group; authorizations change), then this is not reflected in this cached state. Accordingly, as long as the user's session is alive, the changes do not take effect for them.

Related issues

closes #34698

@maryarm maryarm force-pushed the identity/34698-refresh-auth branch from 2c3e4b5 to 3f14e6a Compare August 13, 2025 07:52
@maryarm maryarm marked this pull request as draft August 13, 2025 09:27
@maryarm maryarm force-pushed the identity/34698-refresh-auth branch 3 times, most recently from 4b73713 to 2e71a01 Compare August 14, 2025 13:21
@maryarm maryarm marked this pull request as ready for review August 14, 2025 13:44
@maryarm maryarm force-pushed the identity/34698-refresh-auth branch from 3454292 to 4861e56 Compare August 14, 2025 14:20
@maryarm maryarm requested a review from a team as a code owner August 14, 2025 14:31
@maryarm maryarm requested review from npepinpe and bmudric and removed request for a team August 14, 2025 14:31
@npepinpe npepinpe removed their request for review August 14, 2025 15:02
bmudric
bmudric approved these changes Aug 15, 2025
View reviewed changes
Copy link
Contributor

@bmudric bmudric left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just to check: do we need to document the new property authenticationRefreshInterval somewhere?

@maryarm maryarm added this pull request to the merge queue Aug 18, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 18, 2025
@maryarm maryarm added this pull request to the merge queue Aug 18, 2025
@cmur2 cmur2 removed this pull request from the merge queue due to a manual request Aug 18, 2025
@cmur2
Copy link
Member

cmur2 commented Aug 18, 2025
edited
Loading

@maryarm please check CI error reasons before re-enqueing PRs into the merge queue! (via the View details button)

I see compilation errors for this PR in the merge: https://github.com/camunda/camunda/actions/runs/17033591357/job/48281074149

This can happen if there are newer changes on main and your PR is not rebased.

maryarm added 22 commits August 18, 2025 09:51
@maryarm
feat: introduce a filter to refresh camunda authentication
275d89d
@maryarm
fix: adjust test
1136a79
@maryarm
fix: remove null check to fix failing tests
a728ac0
@maryarm
fix: merge
72f36ae
@maryarm
refactor: extract methods and constants
019b4de
@maryarm
fix: add dependency
02829dc
@maryarm
feat: make refresh interval configurable
11c8908
@maryarm
feat: add test for filter
0b0560b
@maryarm
feat: introduce a filter to refresh camunda authentication
a4a080f
@maryarm
fix: adjust test
97b7abf
@maryarm
fix: remove null check to fix failing tests
91db2dd
@maryarm
fix: merge
59657e9
@maryarm
fix: handle exception in get current authentication when authenticati…
f9c1a76 
…on is null
@maryarm
feat: introduce a filter to refresh camunda authentication
3ad443a
@maryarm
feat: make refresh interval configurable
e12a0fd
@maryarm
feat: add test for filter
c5a78ed
@maryarm
feat: introduce a filter to refresh camunda authentication
e6a006a
@maryarm
fix: adjust test
6446aa7
@maryarm
fix: remove null check to fix failing tests
42711a9
@maryarm
fix: merge
adf7faf
@maryarm
refactor: extract methods and constants
052ae05
@maryarm
fix: fix compile error
09b9e5f
@maryarm maryarm force-pushed the identity/34698-refresh-auth branch from 2eaa31e to 09b9e5f Compare August 18, 2025 08:14
@maryarm maryarm added this pull request to the merge queue Aug 18, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 18, 2025
@maryarm maryarm added this pull request to the merge queue Aug 18, 2025
Merged via the queue into main with commit 8682001 Aug 18, 2025
165 of 168 checks passed
@maryarm maryarm deleted the identity/34698-refresh-auth branch August 18, 2025 11:28
npepinpe
npepinpe reviewed Aug 18, 2025
View reviewed changes
Copy link
Member

@npepinpe npepinpe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice 🚀

...tion/src/main/java/io/camunda/authentication/filters/SessionAuthenticationRefreshFilter.java
try {
handleAuthenticationRefresh(request);
} catch (final Exception e) {
logger.debug("The session can't be refreshed.");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 Late to the party, but can we also make sure to add the exception as the last argument, so we can also see the error potentially causing this for debugging?

...tion/src/main/java/io/camunda/authentication/filters/SessionAuthenticationRefreshFilter.java

private static void initializeRefreshAttributes(final HttpSession session, final Instant now) {
session.setAttribute(LAST_REFRESH_ATTR, now);
session.setAttribute(LAST_REFRESH_ATTR + "_LOCK", new Object());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❓ Cool, how does this work with the session storage? I'm 0% familiar with session storage in Spring - is it loaded once in-memory and reused, or is it possible that two threads load the session from the persistent store, and we get 2 different object references here?

.../src/test/java/io/camunda/authentication/filters/SessionAuthenticationRefreshFilterTest.java
}

@Test
void shouldOnlyRefreshOnceWhenMultipleConcurrentRequests() throws Exception {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💭 Does this actually do what we think? There is no guarantee we're actually testing the case where two requests are trying to refresh at the same time, is there? Am I missing something? I don't get how we're testing the refresh is truly synchronized 🤔

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@npepinpe npepinpe npepinpe left review comments

@bmudric bmudric bmudric approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Changes to application authorizations, groups, roles, and tenants take only effect after re-login
4 participants
@maryarm @cmur2 @npepinpe @bmudric