cxf-commits mailing list archives

From serg...@apache.org
Subject cxf git commit: Checking null and negative OAuth2 lifetime property
Date Tue, 19 Apr 2016 09:47:22 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes a7d937048 -> 2f8817860


Checking null and negative OAuth2 lifetime property


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2f881786
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2f881786
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2f881786

Branch: refs/heads/3.1.x-fixes
Commit: 2f881786004132611d6b0d52969828899c0f9ca9
Parents: a7d9370
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Apr 19 10:45:18 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Apr 19 10:46:56 2016 +0100

----------------------------------------------------------------------
 .../apache/cxf/rs/security/oauth2/utils/OAuthUtils.java   | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2f881786/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index a7f9dc6..c1a1474 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -187,8 +187,14 @@ public final class OAuthUtils {
     }
     
     public static boolean isExpired(Long issuedAt, Long lifetime) {
-        return lifetime != 0L
-            && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
+        // At some point -1 was used to indicate an unlimited lifetime
+        // with 0 being introduced instead at a later stage. 
+        // In theory there still could be a code around initializing the tokens with -1.

+        // Treating -1 and 0 the same way is reasonable and it also makes it easier to
+        // deal with the token introspection responses with no issuedAt time reported
+        return lifetime == null
+            || lifetime < -1
+            || lifetime > 0L && issuedAt + lifetime < System.currentTimeMillis()
/ 1000L;
     }
     
     public static boolean validateAudience(String providedAudience, 
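Review bot: `issuedAt` is still dereferenced without a null check in the new `isExpired` body: when `lifetime > 0L`, the expression `issuedAt + lifetime` auto-unboxes the `Long` and throws a NullPointerException if `issuedAt` is null, so the comment's claim that this makes introspection responses with no issuedAt easier to handle only holds when the reported lifetime is 0 or -1. Suggest guarding the expiry arithmetic explicitly and failing closed, e.g. `|| lifetime > 0L && (issuedAt == null || issuedAt + lifetime < System.currentTimeMillis() / 1000L)`, rather than relying on every caller to supply an issue time. Two smaller points: the `lifetime < -1` branch treats any negative value other than -1 as expired, which is a reasonable fail-closed default but is not mentioned in the comment block above it, and parenthesising the `&&` term would make the `||`/`&&` precedence of the final expression obvious to the next reader.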

