apache · smolnar82 · Oct 18, 2023 · Oct 18, 2023
diff --git a/...vice-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java b/...vice-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -33,6 +33,7 @@
 import java.util.Map;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
 import java.util.Optional;
@@ -821,7 +822,13 @@ private Response getAuthenticationToken() {
 
     if (tokenStateService != null) {
       if (tokenLimitPerUser != -1) { // if -1 => unlimited tokens for all users
-        final Collection<KnoxToken> userTokens = tokenStateService.getTokens(userName);
+        final Collection<KnoxToken> allUserTokens = tokenStateService.getTokens(userName);
+        final Collection<KnoxToken> userTokens = new LinkedList<>();
+        allUserTokens.stream().forEach(token -> {
+          if(!token.getMetadata().isKnoxSsoCookie()) {
+            userTokens.add(token);
+          }
+        });
         if (userTokens.size() >= tokenLimitPerUser) {
           log.tokenLimitExceeded(userName);
           if (UserLimitExceededAction.RETURN_ERROR == userLimitExceededAction) {

diff --git a/...ken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java b/...ken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -1102,16 +1102,34 @@ private void testLimitingTokensPerUser(int configuredLimit, int numberOfTokens,
     tr.context = context;
     tr.init();
 
+    // add some KnoxSSO Cookie, they should not be considered during token limit
+    // calculation
+    final int numberOfKnoxSsoCookies = 5;
+    for (int i = 0; i < numberOfKnoxSsoCookies; i++) {
+      final Response tokenResponse = acquireToken(tr);
+
+      final String tokenId = getTagValue(tokenResponse.getEntity().toString(), "token_id");
+      assertNotNull(tokenId);
+      final TokenMetadata tokenMetadata = new TokenMetadata(USER_NAME);
+      tokenMetadata.setKnoxSsoCookie(true);
+      tss.addMetadata(tokenId, tokenMetadata);
+    }
+
     for (int i = 0; i < numberOfTokens; i++) {
-      final Response getTokenResponse = Subject.doAs(createTestSubject(USER_NAME), (PrivilegedAction<Response>) () -> tr.doGet());
-      if (getTokenResponse.getStatus() != Response.Status.OK.getStatusCode()) {
-        throw new Exception(getTokenResponse.getEntity().toString());
-      }
+      acquireToken(tr);
     }
     final Response getKnoxTokensResponse = getUserTokensResponse(tr);
     final Collection<String> tokens = ((Map<String, Collection<String>>) JsonUtils.getObjectFromJsonString(getKnoxTokensResponse.getEntity().toString()))
         .get("tokens");
-    assertEquals(tokens.size(), revokeOldestToken ? configuredLimit : numberOfTokens);
+    assertEquals(tokens.size(), revokeOldestToken ? configuredLimit + numberOfKnoxSsoCookies : numberOfTokens + numberOfKnoxSsoCookies);
+  }
+
+  private Response acquireToken(TokenResource tokenResource) throws Exception {
+    final Response getTokenResponse = Subject.doAs(createTestSubject(USER_NAME), (PrivilegedAction<Response>) () -> tokenResource.doGet());
+    if (getTokenResponse.getStatus() != Response.Status.OK.getStatusCode()) {
+      throw new Exception(getTokenResponse.getEntity().toString());
+    }
+    return getTokenResponse;
   }
 
   @Test