Skip to content

Path based Identity Zone#3730

Draft
fhanik wants to merge 22 commits intocloudfoundry:developfrom
fhanik:feature/path-based-zones
Draft

Path based Identity Zone#3730
fhanik wants to merge 22 commits intocloudfoundry:developfrom
fhanik:feature/path-based-zones

Conversation

@fhanik
Copy link
Contributor

@fhanik fhanik commented Jan 28, 2026
edited
Loading

@fhanik fhanik force-pushed the feature/path-based-zones branch 2 times, most recently from 15c3594 to 80c069b Compare February 3, 2026 16:59
fhanik added 4 commits February 5, 2026 13:17
@fhanik
ignore .vscode directory
b58c091
@fhanik
Add UaaRequestMatcher zone path support and parameterized tests
2c3b281 
- UaaRequestMatcher: constructor(path, withZonePaths) and withZonePaths()
  for matching /z/{id}/path and /z/{id}/path/**
- UaaRequestMatcherTests: @ParameterizedClass with useZonePaths() so
  tests run with and without /z/{zoneId}/ prefix
@fhanik
Add test infrastructure for path-based zone URLs (/z/{subdomain}/)
f0aed82 
Introduces ZoneRequestPathMode, MockMvcUtils.ZoneResolutionMode, and
parameterized MockMvc tests so that tests can run in both subdomain and
zone-path modes. After this commit, test permutations that do not use
/z/ URLs pass; permutations using /z/ may fail until production
support is added.
@fhanik
Add path-based zone URL support (/z/{subdomain}/)
604e613 
- IdentityZoneResolvingFilter: resolve zone from path /z/{subdomain}/
- Security configs and controllers: dual paths, withZonePaths() usage
- UaaAuthenticationFailureHandler: zone-aware redirects and cookie path
- Config: zones hostnames for tests

All tests pass after this commit.
@fhanik fhanik force-pushed the feature/path-based-zones branch from 7cfabdf to 604e613 Compare February 5, 2026 21:27
fhanik
fhanik commented Feb 5, 2026
View reviewed changes
server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginSecurityConfiguration.java
login.passwordParameter("password");
// Support both /login.do and /z/{subdomain}/login.do for zone path-based authentication
login.loginProcessingUrl("/login.do");
login.defaultSuccessUrl("/"); // TODO is this exactly the same?
Copy link
Contributor Author

@fhanik fhanik Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should redirect to /z/{subdomain}

@fhanik fhanik force-pushed the feature/path-based-zones branch from 471e7d2 to a887a36 Compare February 5, 2026 21:49
@fhanik fhanik force-pushed the feature/path-based-zones branch from a887a36 to 2ca84f0 Compare February 5, 2026 21:55
fhanik and others added 13 commits February 6, 2026 10:58
@fhanik
[Test] Implement ResetPasswordController zone path tests
c620553
@fhanik
[Prod] Implement ResetPasswordController zone path
de1ec9f
@fhanik
[Test] Implement ChangePasswordController zone path tests
7d55287
@fhanik
[Prod] Implement ChangePasswordController zone path tests
47b9151
@fhanik
[Test] Implement ChangeEmailController zone path tests
a9c644f
@fhanik
[Prod] Implement ChangeEmailController zone path tests
3acc627
@fhanik
[Test] Implement ForcePasswordChangeController zone path tests
22368e1
@fhanik
[Prod] Implement ForcePasswordChangeController zone path tests
bb77d2d
@fhanik
[Test] Implement LoggedOutEndpoint zone path tests
233bf1b
@fhanik
[Prod] Implement LoggedOutEndpoint zone path tests
044a5a8
@fhanik
[Test] Implement HomeViewController zone path tests
4f65f59
@fhanik
[Prod] Implement HomeViewController zone path test
587bb65
@fhanik
[Test] Implement SessionController zone path tests
17fc08b
@fhanik fhanik force-pushed the feature/path-based-zones branch from 444f15a to 0110357 Compare February 7, 2026 17:45
@fhanik fhanik force-pushed the feature/path-based-zones branch from 0110357 to bd13b7e Compare February 7, 2026 17:45
@fhanik fhanik force-pushed the feature/path-based-zones branch from dd9064a to 7c08d52 Compare February 7, 2026 19:12
@fhanik
Solve race condition
acac5fa 
    public int cleanExpiredEntries() {
        long now = timeService.getCurrentTimeMillis();
        long lastCheck = lastExpired.get();

        if ((now - lastCheck) > expirationInterval && lastExpired.compareAndSet(lastCheck, now)) {
            int count = jdbcTemplate.update(deleteExpired, now);
            logger.debug("Expiring code sweeper complete, deleted {} entries.", count);
            return count;
        }

        return 0;
    }

lastExpired (line 58) is a shared AtomicLong that stores the last time cleanup ran.
Condition: cleanup is only allowed to run when (now - lastCheck) > expirationInterval (e.g. once per minute).
CAS: lastExpired.compareAndSet(lastCheck, now) means: “set lastExpired to now only if it still equals lastCheck.”
So:
Thread A and B both call cleanExpiredEntries() (e.g. from generateCode() in two tests).
Both read lastCheck = lastExpired.get() (e.g. 0 or an old timestamp).
For both, (now - lastCheck) > expirationInterval is true.
One thread (say A) runs compareAndSet(lastCheck, now) first → it succeeds, updates lastExpired to now, then runs jdbcTemplate.update(deleteExpired, now) and deletes expired rows.
Thread B then runs compareAndSet(lastCheck, now) → it fails, because lastExpired was already changed by A, so it’s no longer equal to lastCheck. So B does not run the DELETE and returns 0.
So “another thread won the CAS” = the other thread’s compareAndSet succeeded and did the cleanup; this thread’s compareAndSet failed, so this thread skips the delete. That’s why cleanup may not run in this thread: the design intentionally lets only one thread perform the throttled cleanup.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Foundational Infrastructure Working Group
Status: Inbox

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fhanik