Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 42D07189F2 for ; Tue, 16 Jun 2015 16:05:53 +0000 (UTC) Received: (qmail 2951 invoked by uid 500); 16 Jun 2015 16:05:53 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 2888 invoked by uid 500); 16 Jun 2015 16:05:53 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 2879 invoked by uid 99); 16 Jun 2015 16:05:53 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 Jun 2015 16:05:53 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id E3ECBE027F; Tue, 16 Jun 2015 16:05:52 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org
To: commits@cxf.apache.org
Message-Id:
X-Mailer: ASF-Git Admin Mailer
Subject: cxf git commit: [CXF-6165] The clock can be not synchronized
Date: Tue, 16 Jun 2015 16:05:52 +0000 (UTC)
Repository: cxf
Updated Branches: refs/heads/master 5015c0c1c -> 0da8b3a16
[CXF-6165] The clock can be not synchronized
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0da8b3a1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0da8b3a1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0da8b3a1
Branch: refs/heads/master
Commit: 0da8b3a165f1edfbb8648955de9759cee5d12b14
Parents: 5015c0c
Author: Sergey Beryozkin
Authored: Tue Jun 16 17:05:27 2015 +0100
Committer: Sergey Beryozkin
Committed: Tue Jun 16 17:05:27 2015 +0100
----------------------------------------------------------------------
.../src/main/webapp/WEB-INF/applicationContext.xml | 1 +
.../org/apache/cxf/rs/security/jose/jwt/JwtUtils.java | 10 +++++++---
.../cxf/rs/security/oidc/rp/AbstractTokenValidator.java | 7 ++++++-
3 files changed, 14 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/0da8b3a1/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml b/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml
index cfc4aa0..fc154bd 100644
--- a/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml
@@ -92,6 +92,7 @@
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/0da8b3a1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index d78fc41..302d9c0 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -36,7 +36,8 @@ public final class JwtUtils {
 return new JwtTokenReaderWriter().fromJsonClaims(json);
 }
- public static void validateJwtTimeClaims(JwtClaims claims, int issuedAtRange, boolean claimsRequired) {
+ public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset,
+ int issuedAtRange, boolean claimsRequired) {
 Long currentTimeInSecs = System.currentTimeMillis() / 1000;
 Long expiryTimeInSecs = claims.getExpiryTime();
 if (expiryTimeInSecs == null && claimsRequired
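Review bot: The previous three-argument overload `validateJwtTimeClaims(JwtClaims, int, boolean)` is removed rather than kept, so any caller outside this commit that uses this public static method of the public final class JwtUtils breaks at compile and link time; keeping it as a delegating overload, `public static void validateJwtTimeClaims(JwtClaims claims, int issuedAtRange, boolean claimsRequired) { validateJwtTimeClaims(claims, 0, issuedAtRange, claimsRequired); }`, avoids that. The new signature also places `clockOffset` directly before `issuedAtRange`, and both are plain ints in seconds, so a call site migrated by inserting the extra argument at the wrong position still compiles and silently swaps the two tolerances; a Javadoc stating the parameter order and units, e.g. `@param clockOffset tolerated clock skew in seconds` and `@param issuedAtRange maximum accepted token age in seconds, 0 disables the check`, would make that mistake easier to catch in review. The body of validateJwtTimeClaims continues past the end of this hunk.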
@@ -44,15 +45,18 @@ public final class JwtUtils {
 throw new SecurityException("The token expired");
 }
 Long issuedAtInSecs = claims.getIssuedAt();
+ if (clockOffset <= 0) {
+ clockOffset = 0;
+ }
 if (issuedAtInSecs == null && claimsRequired
- || issuedAtInSecs != null && (issuedAtInSecs > currentTimeInSecs || issuedAtRange > 0
+ || issuedAtInSecs != null && (issuedAtInSecs - clockOffset > currentTimeInSecs || issuedAtRange > 0
 && issuedAtInSecs < currentTimeInSecs - issuedAtRange)) {
 throw new SecurityException("Invalid issuedAt");
 }
 }
 public static void validateJwtTimeClaims(JwtClaims claims) {
- validateJwtTimeClaims(claims, 0, false);
+ validateJwtTimeClaims(claims, 0, 0, false);
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/0da8b3a1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index f468d33..74c0c00 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -38,6 +38,7 @@ public abstract class AbstractTokenValidator {
 private JwsSignatureVerifier jwsVerifier;
 private String issuerId;
 private int issuedAtRange;
+ private int clockOffset;
 private WebClient jwkSetClient;
 private ConcurrentHashMap keyMap = new ConcurrentHashMap();
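Review bot: The skew allowance is applied in one direction only: `issuedAtInSecs - clockOffset > currentTimeInSecs` accepts a token whose iat is up to clockOffset seconds ahead of this host, but the lower bound `issuedAtInSecs < currentTimeInSecs - issuedAtRange` gets no allowance, so a host whose clock runs ahead of the issuer's rejects tokens before they are really issuedAtRange seconds old, and the expiry comparison just before this hunk (not shown here) presumably has the same gap; applying the same tolerance there, e.g. `issuedAtInSecs < currentTimeInSecs - issuedAtRange - clockOffset`, would make the offset mean "clock skew" in both directions. Reassigning the parameter in `if (clockOffset <= 0) { clockOffset = 0; }` is easy to misread; a local such as `int skew = Math.max(0, clockOffset);` used in the comparison keeps the parameter untouched. There is no Javadoc saying that clockOffset is in seconds, that non-positive values disable it, and that a large value widens the window in which a token with a future iat is accepted, so deployers should keep it to a few seconds; a `@param clockOffset` line stating those three points would be enough.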
@@ -79,7 +80,7 @@ public abstract class AbstractTokenValidator {
 if (issuer == null && validateClaimsAlways || issuer != null && !issuer.equals(issuerId)) {
 throw new SecurityException("Invalid provider");
 }
- JwtUtils.validateJwtTimeClaims(claims, issuedAtRange, validateClaimsAlways);
+ JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
 }
@@ -146,4 +147,8 @@ public abstract class AbstractTokenValidator {
 }
 return theJwsVerifier;
 }
+
+ public void setClockOffset(int clockOffset) {
+ this.clockOffset = clockOffset;
+ }
 }
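Review bot: `setClockOffset` stores any int with no Javadoc, while the value is subtracted from issuedAt in seconds and negative values are silently coerced to 0 inside JwtUtils in this same commit, so a misconfigured sign or a millisecond value is not visible to the deployer; a one-line Javadoc such as `/** Tolerated clock skew, in seconds, between this validator and the token issuer; non-positive values disable the allowance. */` would state the contract where it is configured. Rejecting negative input here with `if (clockOffset < 0) { throw new IllegalArgumentException("clockOffset must be >= 0"); }` would surface a bad configuration at startup instead of hiding it. The field is only consumed through the updated `JwtUtils.validateJwtTimeClaims` call in the earlier hunk, so no other validation path is affected.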