cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: CXF-7111 - Make the security token lifetime configurable
Date Wed, 26 Oct 2016 14:40:28 GMT
Repository: cxf
Updated Branches:
  refs/heads/master c05e56d4a -> 85901843c


CXF-7111 - Make the security token lifetime configurable


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/85901843
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/85901843
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/85901843

Branch: refs/heads/master
Commit: 85901843c09e2c331f3136e4243f6149cfb11a4d
Parents: c05e56d
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Oct 26 15:10:49 2016 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Oct 26 15:10:49 2016 +0100

----------------------------------------------------------------------
 .../apache/cxf/ws/security/SecurityConstants.java  |  7 ++++++-
 .../SecureConversationInInterceptor.java           |  3 ++-
 .../SpnegoContextTokenInInterceptor.java           |  3 ++-
 .../apache/cxf/ws/security/wss4j/WSS4JUtils.java   | 17 ++++++++++++++++-
 .../policyhandlers/AbstractBindingBuilder.java     |  2 +-
 .../policyhandlers/AsymmetricBindingHandler.java   |  3 ++-
 .../StaxSymmetricBindingHandler.java               |  2 +-
 .../policyhandlers/SymmetricBindingHandler.java    |  9 +++++----
 .../policyhandlers/TransportBindingHandler.java    |  3 ++-
 9 files changed, 37 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index e13dff3..649532f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -290,6 +290,11 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
      */
     public static final String SECURITY_CONTEXT_CREATOR = "ws-security.security.context.creator";
     
+    /**
+     * The security token lifetime value (in milliseconds). The default is "300000" (5 minutes).
+     */
+    public static final String SECURITY_TOKEN_LIFETIME = "ws-security.security.token.lifetime";
+    
     //
     // Validator implementations for validating received security tokens
     //
@@ -411,7 +416,7 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
             CACHE_IDENTIFIER, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
             KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION,

             POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM,
-            SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR
+            SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR, SECURITY_TOKEN_LIFETIME
         }));
         for (String commonProperty : COMMON_PROPERTIES) {
             s.add(commonProperty);

http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index e6bdab0..7b5a1a3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -59,6 +59,7 @@ import org.apache.cxf.ws.security.trust.STSUtils;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.neethi.All;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.ExactlyOne;
@@ -330,7 +331,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
 
             byte clientEntropy[] = null;
             int keySize = 256;
-            long ttl = 300000L;
+            long ttl = WSS4JUtils.getSecurityTokenLifetime(exchange.getOutMessage());
             String tokenType = null;
             Element el = DOMUtils.getFirstElement(requestEl);
             while (el != null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index 4c2f371..30d5323 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -51,6 +51,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.trust.STSUtils;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.neethi.All;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.ExactlyOne;
@@ -195,7 +196,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             // Lifetime
             Date created = new Date();
             Date expires = new Date();
-            expires.setTime(created.getTime() + 300000L);
+            expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(exchange.getOutMessage()));
             
             SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
             token.setToken(sct.getElement());

http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
index 4869b10..03e2101 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
@@ -72,6 +72,21 @@ public final class WSS4JUtils {
     private WSS4JUtils() {
         // complete
     }
+    
+    /**
+     * Get the security token lifetime value (in milliseconds). The default is "300000" (5
minutes).
+     * @return the security token lifetime value in milliseconds
+     */
+    public static long getSecurityTokenLifetime(Message message) {
+        if (message != null) {
+            String tokenLifetime = 
+                (String)message.getContextualProperty(SecurityConstants.SECURITY_TOKEN_LIFETIME);
+            if (tokenLifetime != null) {
+                return Long.parseLong(tokenLifetime);
+            }
+        }
+        return 300000L;
+    }
 
     /**
      * Get a ReplayCache instance. It first checks to see whether caching has been explicitly

@@ -148,7 +163,7 @@ public final class WSS4JUtils {
         if (existingToken == null || existingToken.isExpired()) {
             Date created = new Date();
             Date expires = new Date();
-            expires.setTime(created.getTime() + 300000);
+            expires.setTime(created.getTime() + getSecurityTokenLifetime(message));
 
             SecurityToken cachedTok = new SecurityToken(securityToken.getId(), created, expires);
             cachedTok.setSHA1(securityToken.getSha1Identifier());

http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index d891787..c59d16c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -1896,7 +1896,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
                 Date created = new Date();
                 Date expires = new Date();
-                expires.setTime(created.getTime() + 300000);
+                expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
                 SecurityToken secToken = 
                     new SecurityToken(id, utBuilder.getUsernameTokenElement(), created, expires);
                 

http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index d771190..33d3ea5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -45,6 +45,7 @@ import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
 import org.apache.cxf.ws.security.wss4j.StaxSerializer;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.wss4j.common.WSEncryptionPart;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.derivedKey.ConversationConstants;
@@ -810,7 +811,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                     || actInt.intValue() == WSConstants.ST_UNSIGNED) {
                     Date created = new Date();
                     Date expires = new Date();
-                    expires.setTime(created.getTime() + 300000);
+                    expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
                     SecurityToken tempTok = new SecurityToken(id, created, expires);
                     tempTok.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
                     tempTok.setX509Certificate(

http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
index a23ad09..9ad0ee9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
@@ -602,7 +602,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler
{
         
         Date created = new Date();
         Date expires = new Date();
-        expires.setTime(created.getTime() + 300000L);
+        expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
         SecurityToken tempTok = 
             new SecurityToken(IDGenerator.generateID(null), created, expires);
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 61e388f..c70b5f7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -44,6 +44,7 @@ import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
 import org.apache.cxf.ws.security.wss4j.StaxSerializer;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.wss4j.common.WSEncryptionPart;
 import org.apache.wss4j.common.bsp.BSPEnforcer;
 import org.apache.wss4j.common.crypto.Crypto;
@@ -914,7 +915,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 
         Date created = new Date();
         Date expires = new Date();
-        expires.setTime(created.getTime() + 300000);
+        expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
         SecurityToken tempTok = new SecurityToken(
                         id, 
                         encrKey.getEncryptedKeyElement(),
@@ -959,7 +960,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 
         Date created = new Date();
         Date expires = new Date();
-        expires.setTime(created.getTime() + 300000);
+        expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
         SecurityToken tempTok = 
             new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
         tempTok.setSecret(secret);
@@ -975,7 +976,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             // Store it in the cache
             Date created = new Date();
             Date expires = new Date();
-            expires.setTime(created.getTime() + 300000);
+            expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
             
             String encryptedKeyID = (String)encryptedKeyResult.get(WSSecurityEngineResult.TAG_ID);
             SecurityToken tempTok = new SecurityToken(encryptedKeyID, created, expires);
@@ -1007,7 +1008,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
                     }
                     Date created = new Date();
                     Date expires = new Date();
-                    expires.setTime(created.getTime() + 300000);
+                    expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
                     SecurityToken tempTok = new SecurityToken(utID, created, expires);
 
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);

http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 15b2162..4e092d7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -38,6 +38,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.wss4j.common.WSEncryptionPart;
 import org.apache.wss4j.common.bsp.BSPEnforcer;
 import org.apache.wss4j.common.crypto.Crypto;
@@ -329,7 +330,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 
             Date created = new Date();
             Date expires = new Date();
-            expires.setTime(created.getTime() + 300000);
+            expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
             SecurityToken tempTok = 
                 new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
             tempTok.setSecret(secret);


Mime
View raw message