From serg...@apache.org
Subject cxf git commit: Reintroducing a ttl property for validation JWT issuedAt, more to come...
Date Mon, 12 Oct 2015 13:46:33 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 8654f83ed -> 168b10164


Reintroducing a ttl property for validating JWT issuedAt, more to come...


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/168b1016
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/168b1016
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/168b1016

Branch: refs/heads/master
Commit: 168b101644bbe1eeebb12bee6dbde56146e56a26
Parents: 8654f83
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Mon Oct 12 14:46:11 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Mon Oct 12 14:46:11 2015 +0100

----------------------------------------------------------------------
 .../security/jose/jaxrs/JwtAuthenticationFilter.java   | 11 ++++++++++-
 .../org/apache/cxf/rs/security/jose/jwt/JwtUtils.java  | 13 +++++++++----
 .../rs/security/oidc/rp/AbstractTokenValidator.java    | 11 ++++++++++-
 3 files changed, 29 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/168b1016/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index dfbbc57..295879d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -45,6 +45,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
     private static final String DEFAULT_AUTH_SCHEME = "JWT";
     private String expectedAuthScheme = DEFAULT_AUTH_SCHEME;
     private int clockOffset;
+    private int ttl;
     
     @Override
     public void filter(ContainerRequestContext requestContext) throws IOException {
@@ -72,7 +73,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
         
         // If we have no expiry then we must have an issued at
         boolean issuedAtRequired = jwt.getClaims().getExpiryTime() == null;
-        JwtUtils.validateJwtIssuedAt(jwt.getClaims(), clockOffset, issuedAtRequired);
+        JwtUtils.validateJwtIssuedAt(jwt.getClaims(), ttl, clockOffset, issuedAtRequired);
     }
 
     public int getClockOffset() {
@@ -82,4 +83,12 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
     public void setClockOffset(int clockOffset) {
         this.clockOffset = clockOffset;
     }
+
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
 }
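Review bot: The new `ttl` field and its `setTtl` accessor carry no Javadoc, so whoever configures the filter cannot tell the unit or what the default of 0 means; the callee `JwtUtils.validateJwtIssuedAt` multiplies the value by 1000L before comparing against millisecond dates, so the unit is seconds, and it skips the adjustment entirely when the value is 0. Assuming the intended meaning is a maximum age of the token, as the name suggests, I would put `/** Sets the maximum accepted age of the issuedAt claim, in seconds; 0 (the default) disables the age check. */` on `setTtl` and `// seconds; 0 = no limit` on the field in the first hunk. The identical accessor pair added to `AbstractTokenValidator` in the last hunk of this commit needs the same documentation.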

http://git-wip-us.apache.org/repos/asf/cxf/blob/168b1016/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 983ada3..3f0a27e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -77,7 +77,7 @@ public final class JwtUtils {
         }
     }
     
-    public static void validateJwtIssuedAt(JwtClaims claims, int clockOffset, boolean claimRequired)
{
+    public static void validateJwtIssuedAt(JwtClaims claims, int timeToLive, int clockOffset,
boolean claimRequired) {
         Long issuedAtInSecs = claims.getIssuedAt();
         if (issuedAtInSecs == null) {
             if (claimRequired) {
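Review bot: Dropping the three-argument `validateJwtIssuedAt` overload breaks source and binary compatibility for any external caller of this public static utility; only the two in-tree callers are updated in this commit. Keeping the old signature as a delegating overload costs three lines: `public static void validateJwtIssuedAt(JwtClaims claims, int clockOffset, boolean claimRequired) {` / `validateJwtIssuedAt(claims, 0, clockOffset, claimRequired);` / `}`. The new `timeToLive` parameter also has no Javadoc; the multiplication by 1000L further down the method indicates it is in seconds, which is worth stating at the signature. The method body continues past the end of this hunk.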
@@ -92,9 +92,14 @@ public final class JwtUtils {
             createdDate.setTime(createdDate.getTime() - (long)clockOffset * 1000L);
         }
         
-        Date rightNow = new Date();
-
-        if (createdDate.after(rightNow)) {
+        Date validCreation = new Date();
+        if (timeToLive != 0) {
+            long currentTime = validCreation.getTime();
+            currentTime -= (long)timeToLive * 1000L;
+            validCreation.setTime(currentTime);
+        }
+        
+        if (createdDate.after(validCreation)) {
             throw new JwtException("Invalid issuedAt");
         }
     }
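Review bot: The replacement comparison at the end of this hunk inverts the TTL semantics: when `timeToLive` is non-zero, `validCreation` is moved `timeToLive` seconds into the past and the method throws on `createdDate.after(validCreation)`, so a token issued a moment ago is rejected while a token issued long before the window is accepted. The maximum-age limit should be a separate `before` comparison against `now - timeToLive`, and the original future-dated check (`createdDate.after(now)`) should stay unconditional rather than being folded into it. The `createdDate` computation and the start of the method lie outside this hunk; note that the `clockOffset` subtraction above shifts `createdDate` earlier, which tightens rather than relaxes an age check, so confirm that is the intended direction for the skew tolerance.
```java
        Date rightNow = new Date();
        // A (skew-adjusted) issuedAt in the future is never valid.
        if (createdDate.after(rightNow)) {
            throw new JwtException("Invalid issuedAt");
        }
        // timeToLive is in seconds; 0 disables the maximum-age check.
        if (timeToLive != 0) {
            Date oldestAccepted = new Date(rightNow.getTime() - (long) timeToLive * 1000L);
            if (createdDate.before(oldestAccepted)) {
                throw new JwtException("Invalid issuedAt");
            }
        }
```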

http://git-wip-us.apache.org/repos/asf/cxf/blob/168b1016/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index ace0298..40e1c80 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -35,6 +35,7 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
     private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
     private String issuerId;
     private int clockOffset;
+    private int ttl;
     private WebClient jwkSetClient;
     private boolean supportSelfIssuedProvider;
     private boolean strictTimeValidation;
@@ -80,7 +81,7 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
             // Otherwise: validate only if issuedAt claim is set
             boolean issuedAtRequired = 
                 validateClaimsAlways || strictTimeValidation && claims.getExpiryTime()
== null;
-            JwtUtils.validateJwtIssuedAt(claims, clockOffset, issuedAtRequired);
+            JwtUtils.validateJwtIssuedAt(claims, ttl, clockOffset, issuedAtRequired);
             
             if (strictTimeValidation) {
                 JwtUtils.validateJwtNotBefore(claims, clockOffset, strictTimeValidation);
@@ -152,4 +153,12 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
     public void setStrictTimeValidation(boolean strictTimeValidation) {
         this.strictTimeValidation = strictTimeValidation;
     }
+
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
 }

