cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/2] git commit: [CXF-5684] - Change token storing logic to allow to store "expired" tokens
Date Mon, 14 Apr 2014 14:17:50 GMT
Repository: cxf
Updated Branches:
  refs/heads/master f61876836 -> 6155656f8


[CXF-5684] - Change token storing logic to allow to store "expired" tokens


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/603d32aa
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/603d32aa
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/603d32aa

Branch: refs/heads/master
Commit: 603d32aa3897fc9d237a5a22eb6a25192f083b7d
Parents: f618768
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Apr 14 14:44:42 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Apr 14 14:44:42 2014 +0100

----------------------------------------------------------------------
 .../policy/interceptors/NegotiationUtils.java   |  2 +-
 .../SecureConversationInInterceptor.java        |  5 +-
 .../security/tokenstore/EHCacheTokenStore.java  | 74 +++-----------------
 .../security/tokenstore/MemoryTokenStore.java   | 48 ++++---------
 .../cxf/ws/security/tokenstore/TokenStore.java  |  6 --
 .../ws/security/trust/STSTokenValidator.java    |  2 +-
 .../ws/security/wss4j/WSS4JInInterceptor.java   |  2 +-
 .../security/wss4j/WSS4JStaxInInterceptor.java  |  2 +-
 .../cxf/ws/security/wss4j/WSS4JUtils.java       |  2 +-
 .../tokenstore/EHCacheTokenStoreTest.java       | 25 -------
 .../tokenstore/MemoryTokenStoreTest.java        | 25 -------
 .../cxf/sts/cache/HazelCastTokenStore.java      |  5 --
 .../token/validator/UsernameTokenValidator.java |  2 +-
 13 files changed, 34 insertions(+), 166 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
index 597d8df..71c7b35 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
@@ -251,7 +251,7 @@ final class NegotiationUtils {
                     message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
                     
                     SecurityToken token = getTokenStore(message).getToken(tok.getIdentifier());
-                    if (token == null) {
+                    if (token == null || token.isExpired()) {
                         byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                         if (secret != null) {
                             token = new SecurityToken(tok.getIdentifier());

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index bd3c19a..fa553d0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -381,7 +381,10 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
                     st = WSS4JUtils.getTokenStore(message).getToken(id);
                 }
             }
-            return st;
+            if (st != null && !st.isExpired()) {
+                return st;
+            }
+            return null;
         }
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java
index 2a9e004..2fbaa26 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java
@@ -21,11 +21,7 @@ package org.apache.cxf.ws.security.tokenstore;
 
 import java.io.Closeable;
 import java.net.URL;
-import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
 
 import net.sf.ehcache.Cache;
 import net.sf.ehcache.CacheManager;
@@ -83,33 +79,19 @@ public class EHCacheTokenStore implements TokenStore, Closeable, BusLifeCycleLis
         ttl = newTtl;
     }
     
-    /**
-     * Get the (default) TTL value in seconds
-     * @return the (default) TTL value in seconds
-     */
-    public long getTTL() {
-        return ttl;
-    }
-    
     public void add(SecurityToken token) {
         if (token != null && !StringUtils.isEmpty(token.getId())) {
-            int parsedTTL = getTTL(token);
-            if (parsedTTL > 0) {
-                Element element = new Element(token.getId(), token, parsedTTL, parsedTTL);
-                element.resetAccessStatistics();
-                cache.put(element);
-            }
+            Element element = new Element(token.getId(), token, getTTL(), getTTL());
+            element.resetAccessStatistics();
+            cache.put(element);
         }
     }
     
     public void add(String identifier, SecurityToken token) {
         if (token != null && !StringUtils.isEmpty(identifier)) {
-            int parsedTTL = getTTL(token);
-            if (parsedTTL > 0) {
-                Element element = new Element(identifier, token, parsedTTL, parsedTTL);
-                element.resetAccessStatistics();
-                cache.put(element);
-            }
+            Element element = new Element(identifier, token, getTTL(), getTTL());
+            element.resetAccessStatistics();
+            cache.put(element);
         }
     }
     
@@ -124,19 +106,6 @@ public class EHCacheTokenStore implements TokenStore, Closeable, BusLifeCycleLis
         return cache.getKeysWithExpiryCheck();
     }
     
-    public Collection<SecurityToken> getExpiredTokens() {
-        List<SecurityToken> expiredTokens = new ArrayList<SecurityToken>();
-        @SuppressWarnings("unchecked")
-        Iterator<String> ids = cache.getKeys().iterator();
-        while (ids.hasNext()) {
-            Element element = cache.get(ids.next());
-            if (cache.isExpired(element)) {
-                expiredTokens.add((SecurityToken)element.getObjectValue());
-            }
-        }
-        return expiredTokens;
-    }
-    
     public SecurityToken getToken(String identifier) {
         Element element = cache.get(identifier);
         if (element != null && !cache.isExpired(element)) {
@@ -145,32 +114,11 @@ public class EHCacheTokenStore implements TokenStore, Closeable, BusLifeCycleLis
         return null;
     }
     
-    private int getTTL(SecurityToken token) {
-        int parsedTTL = 0;
-        if (token.getExpires() != null) {
-            Date expires = token.getExpires();
-            Date current = new Date();
-            long expiryTime = (expires.getTime() - current.getTime()) / 1000L;
-            if (expiryTime < 0) {
-                return 0;
-            }
-            
-            parsedTTL = (int)expiryTime;
-            if (expiryTime != (long)parsedTTL || parsedTTL > MAX_TTL) {
-                // Default to configured value
-                parsedTTL = (int)ttl;
-                if (ttl != (long)parsedTTL) {
-                    // Fall back to 60 minutes if the default TTL is set incorrectly
-                    parsedTTL = 3600;
-                }
-            }
-        } else {
-            // Default to configured value
-            parsedTTL = (int)ttl;
-            if (ttl != (long)parsedTTL) {
-                // Fall back to 60 minutes if the default TTL is set incorrectly
-                parsedTTL = 3600;
-            }
+    private int getTTL() {
+        int parsedTTL = (int)ttl;
+        if (ttl != (long)parsedTTL) {
+             // Fall back to 60 minutes if the default TTL is set incorrectly
+            parsedTTL = 3600;
         }
         return parsedTTL;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
index 144510c..ed719a4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
@@ -19,10 +19,8 @@
 
 package org.apache.cxf.ws.security.tokenstore;
 
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
-import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
@@ -36,6 +34,7 @@ public class MemoryTokenStore implements TokenStore {
     public static final long MAX_TTL = DEFAULT_TTL * 12L;
     
     private Map<String, CacheEntry> tokens = new ConcurrentHashMap<String, CacheEntry>();
+    private long ttl = DEFAULT_TTL;
     
     public void add(SecurityToken token) {
         if (token != null && !StringUtils.isEmpty(token.getId())) {
@@ -55,6 +54,14 @@ public class MemoryTokenStore implements TokenStore {
         }
     }
     
+    /**
+     * Set a new (default) TTL value in seconds
+     * @param newTtl a new (default) TTL value in seconds
+     */
+    public void setTTL(long newTtl) {
+        ttl = newTtl;
+    }
+    
     public void remove(String identifier) {
         if (!StringUtils.isEmpty(identifier) && tokens.containsKey(identifier)) {
             tokens.remove(identifier);
@@ -66,20 +73,6 @@ public class MemoryTokenStore implements TokenStore {
         return tokens.keySet();
     }
     
-    public Collection<SecurityToken> getExpiredTokens() {
-        List<SecurityToken> expiredTokens = new ArrayList<SecurityToken>();
-        Date current = new Date();
-        synchronized (tokens) {
-            for (String id : tokens.keySet()) {
-                CacheEntry cacheEntry = tokens.get(id);
-                if (cacheEntry.getExpiry().before(current)) {
-                    expiredTokens.add(cacheEntry.getSecurityToken());
-                }
-            }
-        }
-        return expiredTokens;
-    }
-    
     public SecurityToken getToken(String id) {
         processTokenExpiry();
         
@@ -103,25 +96,10 @@ public class MemoryTokenStore implements TokenStore {
     }
     
     private CacheEntry createCacheEntry(SecurityToken token) {
-        CacheEntry cacheEntry = null;
-        if (token.getExpires() == null) {
-            Date expires = new Date();
-            long currentTime = expires.getTime();
-            expires.setTime(currentTime + (DEFAULT_TTL * 1000L));
-            cacheEntry = new CacheEntry(token, expires);
-        } else {
-            Date expires = token.getExpires();
-            Date current = new Date();
-            long expiryTime = expires.getTime() - current.getTime();
-            if (expiryTime < 0) {
-                return null;
-            }
-            if (expiryTime > (MAX_TTL * 1000L)) {
-                expires.setTime(current.getTime() + (DEFAULT_TTL * 1000L));
-            }
-            cacheEntry = new CacheEntry(token, expires);
-        }
-        return cacheEntry;
+        Date expires = new Date();
+        long currentTime = expires.getTime();
+        expires.setTime(currentTime + (ttl * 1000L));
+        return new CacheEntry(token, expires);
     }
     
     private static class CacheEntry {

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java
index 1ba97c8..4e7e28b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java
@@ -53,12 +53,6 @@ public interface TokenStore {
     Collection<String> getTokenIdentifiers();
     
     /**
-     * Return the list of expired tokens.
-     * @return An array of expired <code>Tokens</code>
-     */
-    Collection<SecurityToken> getExpiredTokens();
-    
-    /**
      * Returns the <code>Token</code> of the given identifier
      * @param identifier
      * @return The requested <code>Token</code> identified by the given identifier

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
index bf0d328..88ae9d6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
@@ -91,7 +91,7 @@ public class STSTokenValidator implements Validator {
             TokenStore tokenStore = getTokenStore(message);
             if (tokenStore != null && hash != 0) {
                 SecurityToken transformedToken = getTransformedToken(tokenStore, hash);
-                if (transformedToken != null) {
+                if (transformedToken != null && !transformedToken.isExpired()) {
                     SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
                     credential.setTransformedToken(assertion);
                     return credential;

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index c9eac0e..1d1b2ac 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -642,7 +642,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
                 
                 String id = pc.getIdentifier();
                 SecurityToken tok = store.getToken(id);
-                if (tok != null) {
+                if (tok != null && !tok.isExpired()) {
                     pc.setKey(tok.getSecret());
                     pc.setCustomToken(tok.getToken());
                     return;

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
index b2e540f..631f1e1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
@@ -413,7 +413,7 @@ public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor
{
                     
                     String id = pc.getIdentifier();
                     SecurityToken tok = store.getToken(id);
-                    if (tok != null) {
+                    if (tok != null && !tok.isExpired()) {
                         pc.setKey(tok.getSecret());
                         pc.setKey(tok.getKey());
                         pc.setCustomToken(tok.getToken());

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
index 62afffd..add1bb6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
@@ -176,7 +176,7 @@ public final class WSS4JUtils {
             return null;
         }
         SecurityToken existingToken = getTokenStore(message).getToken(securityToken.getId());
-        if (existingToken == null) {
+        if (existingToken == null || existingToken.isExpired()) {
             Date created = new Date();
             Date expires = new Date();
             expires.setTime(created.getTime() + 300000);

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java
index 52f4bc0..ced0d98 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java
@@ -18,8 +18,6 @@
  */
 package org.apache.cxf.ws.security.tokenstore;
 
-import java.util.Date;
-
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.message.ExchangeImpl;
 import org.apache.cxf.message.Message;
@@ -61,29 +59,6 @@ public class EHCacheTokenStoreTest extends org.junit.Assert {
         assertNull(store.getToken(newKey));
     }
     
-    // tests TokenStore apis for storing in the cache with various expiration times
-    @org.junit.Test
-    public void testTokenAddExpiration() throws Exception {
-        SecurityToken expiredToken = new SecurityToken("expiredToken");
-        Date currentDate = new Date();
-        long currentTime = currentDate.getTime();
-        Date expiry = new Date();
-        expiry.setTime(currentTime - 5000L);
-        expiredToken.setExpires(expiry);
-        store.add(expiredToken);
-        assertTrue(store.getTokenIdentifiers().isEmpty());
-        
-        SecurityToken farFutureToken = new SecurityToken("farFuture");
-        expiry = new Date();
-        expiry.setTime(Long.MAX_VALUE);
-        farFutureToken.setExpires(expiry);
-        store.add(farFutureToken);
-        
-        assertTrue(store.getTokenIdentifiers().size() == 1);
-        store.remove(farFutureToken.getId());
-        assertTrue(store.getTokenIdentifiers().isEmpty());
-    }
-    
     // tests TokenStore apis for removing from the cache.
     @org.junit.Test
     public void testTokenRemove() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
index a124c02..40260d1 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
@@ -18,8 +18,6 @@
  */
 package org.apache.cxf.ws.security.tokenstore;
 
-import java.util.Date;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageImpl;
 import org.apache.cxf.ws.security.SecurityConstants;
@@ -54,29 +52,6 @@ public class MemoryTokenStoreTest extends org.junit.Assert {
         assertNull(store.getToken(newKey));
     }
     
-    // tests TokenStore apis for storing in the cache with various expiration times
-    @org.junit.Test
-    public void testTokenAddExpiration() throws Exception {
-        SecurityToken expiredToken = new SecurityToken("expiredToken");
-        Date currentDate = new Date();
-        long currentTime = currentDate.getTime();
-        Date expiry = new Date();
-        expiry.setTime(currentTime - 5000L);
-        expiredToken.setExpires(expiry);
-        store.add(expiredToken);
-        assertTrue(store.getTokenIdentifiers().isEmpty());
-        
-        SecurityToken farFutureToken = new SecurityToken("farFuture");
-        expiry = new Date();
-        expiry.setTime(Long.MAX_VALUE);
-        farFutureToken.setExpires(expiry);
-        store.add(farFutureToken);
-        
-        assertTrue(store.getTokenIdentifiers().size() == 1);
-        store.remove(farFutureToken.getId());
-        assertTrue(store.getTokenIdentifiers().isEmpty());
-    }
-    
     // tests TokenStore apis for removing from the cache.
     @org.junit.Test
     public void testTokenRemove() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
index 7ff38d2..0dc3354 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
@@ -112,11 +112,6 @@ public class HazelCastTokenStore implements TokenStore {
         return CastUtils.cast((Collection<?>)getCacheMap().keySet());
     }
 
-    public Collection<SecurityToken> getExpiredTokens() {
-        // TODO Auto-generated method stub
-        return null;
-    }
-
     public SecurityToken getToken(String identifier) {
         return (SecurityToken)getCacheMap().get(identifier);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
index e2d902e..a8a175a 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java
@@ -183,7 +183,7 @@ public class UsernameTokenValidator implements TokenValidator {
             SecurityToken secToken = null;
             if (tokenParameters.getTokenStore() != null) {
                 secToken = tokenParameters.getTokenStore().getToken(Integer.toString(hash));
-                if (secToken != null && secToken.getTokenHash() != hash) {
+                if (secToken != null && (secToken.getTokenHash() != hash || secToken.isExpired()))
{
                     secToken = null;
                 }
             }


Mime
View raw message