From serg...@apache.org
Subject cxf git commit: [CXF-6165] The clock can be not synchronized
Date Tue, 16 Jun 2015 16:07:07 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes f30d69ed5 -> 8c8325beb


[CXF-6165] The clock can be not synchronized


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8c8325be
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8c8325be
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8c8325be

Branch: refs/heads/3.0.x-fixes
Commit: 8c8325bebd59dfebcb49b9ffb8b3e9a200ccc3f8
Parents: f30d69e
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Jun 16 17:05:27 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Jun 16 17:06:50 2015 +0100

----------------------------------------------------------------------
 .../org/apache/cxf/rs/security/jose/jwt/JwtUtils.java     | 10 +++++++---
 .../cxf/rs/security/oidc/rp/AbstractTokenValidator.java   |  7 ++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8325be/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index d78fc41..302d9c0 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -36,7 +36,8 @@ public final class JwtUtils {
         return new JwtTokenReaderWriter().fromJsonClaims(json);
     }
     
-    public static void validateJwtTimeClaims(JwtClaims claims, int issuedAtRange, boolean
claimsRequired) {
+    public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset, 
+                                             int issuedAtRange, boolean claimsRequired) {
         Long currentTimeInSecs = System.currentTimeMillis() / 1000;
         Long expiryTimeInSecs = claims.getExpiryTime();
         if (expiryTimeInSecs == null && claimsRequired 
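Review bot: The public three-argument `validateJwtTimeClaims(JwtClaims, int, boolean)` overload is replaced instead of kept, so on the 3.0.x-fixes branch any external caller of the old static signature stops compiling (and linking) after this commit; a delegating overload `public static void validateJwtTimeClaims(JwtClaims claims, int issuedAtRange, boolean claimsRequired) { validateJwtTimeClaims(claims, 0, issuedAtRange, claimsRequired); }` would preserve compatibility on a fixes branch. The new parameter also has no Javadoc: since `currentTimeInSecs` is derived from `System.currentTimeMillis() / 1000`, the method should state that `clockOffset` and `issuedAtRange` are in seconds and that a non-positive `clockOffset` is treated as zero. The body of this method continues past the end of the hunk.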
@@ -44,15 +45,18 @@ public final class JwtUtils {
             throw new SecurityException("The token expired");
         }
         Long issuedAtInSecs = claims.getIssuedAt();
+        if (clockOffset <= 0) {
+            clockOffset = 0;
+        }
         if (issuedAtInSecs == null && claimsRequired 
-            || issuedAtInSecs != null && (issuedAtInSecs > currentTimeInSecs ||
issuedAtRange > 0
+            || issuedAtInSecs != null && (issuedAtInSecs - clockOffset > currentTimeInSecs
|| issuedAtRange > 0
             && issuedAtInSecs < currentTimeInSecs - issuedAtRange)) {
             throw new SecurityException("Invalid issuedAt");
         }
     }
     
     public static void validateJwtTimeClaims(JwtClaims claims) {
-        validateJwtTimeClaims(claims, 0, false);
+        validateJwtTimeClaims(claims, 0, 0, false);
     }
     
 }
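Review bot: The skew allowance on the `issuedAtInSecs - clockOffset > currentTimeInSecs` line is unbounded, so a misconfigured large `clockOffset` silently disables the "issued in the future" check; RFC 7519 (4.1.4/4.1.6) suggests leeway of no more than a few minutes, so a comment such as `// Leeway for issuer/verifier clock skew; keep small, RFC 7519 suggests at most a few minutes` plus an upper bound on the accepted value would make that explicit. The offset is also applied only to the future-iat comparison: the `issuedAtRange` lower bound on the following line and the expiry comparison (whose condition appears to sit on the old line between the two hunks, not shown here) still use the raw `currentTimeInSecs`, so a verifier whose clock runs ahead will still reject tokens that are valid at the issuer; if symmetric tolerance is intended the same offset belongs there too (`expiryTimeInSecs + clockOffset < currentTimeInSecs`), bearing in mind that this loosens expiry rather than tightening it. As a point of style, the normalisation `if (clockOffset <= 0)` reassigns a parameter and sits between the two checks; hoisting it to the top of the method, or into a `final int skew` local, reads more clearly.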

http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8325be/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index f468d33..74c0c00 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -38,6 +38,7 @@ public abstract class AbstractTokenValidator {
     private JwsSignatureVerifier jwsVerifier;
     private String issuerId;
     private int issuedAtRange;
+    private int clockOffset;
     private WebClient jwkSetClient;
     private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String,
JsonWebKey>(); 
     
@@ -79,7 +80,7 @@ public abstract class AbstractTokenValidator {
         if (issuer == null && validateClaimsAlways || issuer != null && !issuer.equals(issuerId))
{
             throw new SecurityException("Invalid provider");
         }
-        JwtUtils.validateJwtTimeClaims(claims, issuedAtRange, validateClaimsAlways);
+        JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
     }
     
     
@@ -146,4 +147,8 @@ public abstract class AbstractTokenValidator {
         }
         return theJwsVerifier;
     }
+
+    public void setClockOffset(int clockOffset) {
+        this.clockOffset = clockOffset;
+    }
 }
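Review bot: `setClockOffset` accepts any int, including negative values, and carries no Javadoc, so a caller cannot tell from this class that the value is in seconds (JwtUtils compares it against `System.currentTimeMillis() / 1000`) or that non-positive values are clamped to zero by `JwtUtils.validateJwtTimeClaims`. A short Javadoc, `/** Allowed clock skew, in seconds, between this validator and the token issuer; values <= 0 disable the allowance. */`, would document the contract. Because an over-large offset weakens the issued-at check, rejecting negative input here (`if (clockOffset < 0) throw new IllegalArgumentException("clockOffset must be >= 0");`) would surface misconfiguration earlier than the silent clamp downstream.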

