cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/2] cxf git commit: Finished Java 8 DateTime work
Date Wed, 22 Mar 2017 11:14:10 GMT
Finished Java 8 DateTime work


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/06588cac
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/06588cac
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/06588cac

Branch: refs/heads/master
Commit: 06588cac671464bb900453919cad18b3e47a8d4b
Parents: a4b9845
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Mar 22 10:50:48 2017 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Mar 22 10:50:48 2017 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/jose/jwt/JwtUtils.java      | 38 +++++++-------
 .../filters/AccessTokenIntrospectionClient.java |  5 +-
 .../oauth2/filters/JwtAccessTokenValidator.java |  5 +-
 ...AbstractRequestAssertionConsumerHandler.java |  9 ++--
 .../security/saml/sso/AbstractSSOSpHandler.java | 14 ++---
 .../saml/sso/SAMLSSOResponseValidator.java      | 22 ++++----
 .../security/saml/sso/SSOValidatorResponse.java | 14 ++---
 .../policy/interceptors/STSInvoker.java         | 11 ++--
 .../SecureConversationInInterceptor.java        |  9 ++--
 .../SpnegoContextTokenInInterceptor.java        |  9 ++--
 .../security/tokenstore/MemoryTokenStore.java   |  8 ++-
 .../ws/security/tokenstore/SecurityToken.java   |  9 ++--
 .../ws/security/trust/AbstractSTSClient.java    | 10 ++--
 .../cxf/ws/security/wss4j/WSS4JUtils.java       |  9 ++--
 .../policyhandlers/AbstractBindingBuilder.java  | 19 ++++---
 .../AsymmetricBindingHandler.java               |  9 ++--
 .../StaxSymmetricBindingHandler.java            |  9 ++--
 .../policyhandlers/SymmetricBindingHandler.java | 29 +++++------
 .../policyhandlers/TransportBindingHandler.java | 11 ++--
 .../tokenstore/MemoryTokenStoreTest.java        |  7 ++-
 .../cxf/sts/cache/HazelCastTokenStore.java      |  8 ++-
 .../cxf/sts/operation/AbstractOperation.java    | 21 ++++----
 .../provider/DefaultConditionsProvider.java     | 12 ++---
 .../cxf/sts/token/provider/SCTProvider.java     | 13 +++--
 .../provider/jwt/DefaultJWTClaimsProvider.java  | 20 ++++----
 .../apache/cxf/sts/operation/IssueUnitTest.java | 10 ++--
 .../cxf/sts/operation/RenewSamlUnitTest.java    | 10 ++--
 .../token/provider/JWTProviderLifetimeTest.java | 54 ++++++++++----------
 .../provider/SAMLProviderLifetimeTest.java      | 54 ++++++++++----------
 .../renewer/SAMLTokenRenewerLifetimeTest.java   | 42 +++++++--------
 .../token/renewer/SAMLTokenRenewerPOPTest.java  | 13 ++---
 .../renewer/SAMLTokenRenewerRealmTest.java      | 13 ++---
 .../sts/token/renewer/SAMLTokenRenewerTest.java | 13 ++---
 .../token/validator/SAMLTokenValidatorTest.java | 12 ++---
 .../systest/sts/batch/SimpleBatchSTSClient.java | 10 ++--
 .../cxf/systest/sts/caching/CachingTest.java    |  5 +-
 .../stsclient/STSTokenOutInterceptorTest.java   |  5 +-
 .../sts/stsclient/STSTokenRetrieverTest.java    |  5 +-
 .../cxf/xkms/x509/validator/DateValidator.java  |  7 ++-
 .../security/jose/jwt/JWTAlgorithmTest.java     | 36 ++++++-------
 .../security/jose/jwt/JWTAuthnAuthzTest.java    | 12 ++---
 .../security/oauth2/common/OAuth2TestUtils.java |  9 ++--
 .../grants/AuthorizationGrantNegativeTest.java  |  9 ++--
 .../security/oidc/IdTokenProviderImpl.java      |  9 ++--
 .../jaxrs/security/oidc/OIDCFlowTest.java       |  6 +--
 .../jaxrs/security/oidc/OIDCNegativeTest.java   |  6 +--
 46 files changed, 329 insertions(+), 341 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 844c229..9ea3904 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -18,7 +18,7 @@
  */
 package org.apache.cxf.rs.security.jose.jwt;
 
-import java.util.Date;
+import java.time.Instant;
 
 import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
 import org.apache.cxf.message.Message;
@@ -49,12 +49,12 @@ public final class JwtUtils {
             }
             return;
         }
-        Date rightNow = new Date();
-        Date expiresDate = new Date(expiryTime * 1000L);
+        Instant now = Instant.now();
+        Instant expires = Instant.ofEpochMilli(expiryTime * 1000L);
         if (clockOffset != 0) {
-            expiresDate.setTime(expiresDate.getTime() + (long)clockOffset * 1000L);
+            expires = expires.plusSeconds(clockOffset);
         }
-        if (expiresDate.before(rightNow)) {
+        if (expires.isBefore(now)) {
             throw new JwtException("The token has expired");
         }
     }
@@ -68,15 +68,14 @@ public final class JwtUtils {
             return;
         }
 
-        Date validCreation = new Date();
-        long currentTime = validCreation.getTime();
+        Instant validCreation = Instant.now();
         if (clockOffset != 0) {
-            validCreation.setTime(currentTime + (long)clockOffset * 1000L);
+            validCreation = validCreation.plusSeconds(clockOffset);
         }
-        Date notBeforeDate = new Date(notBeforeTime * 1000L);
+        Instant notBeforeDate = Instant.ofEpochMilli(notBeforeTime * 1000L);
 
         // Check to see if the not before time is in the future
-        if (notBeforeDate.after(validCreation)) {
+        if (notBeforeDate.isAfter(validCreation)) {
             throw new JwtException("The token cannot be accepted yet");
         }
     }
@@ -90,25 +89,24 @@ public final class JwtUtils {
             return;
         }
 
-        Date createdDate = new Date(issuedAtInSecs * 1000L);
-        Date validCreation = new Date();
-        long currentTime = validCreation.getTime();
-        if (clockOffset > 0) {
-            validCreation.setTime(currentTime + (long)clockOffset * 1000L);
+        Instant createdDate = Instant.ofEpochMilli(issuedAtInSecs * 1000L);
+        
+        Instant validCreation = Instant.now();
+        if (clockOffset != 0) {
+            validCreation = validCreation.plusSeconds(clockOffset);
         }
-
+        
         // Check to see if the IssuedAt time is in the future
-        if (createdDate.after(validCreation)) {
+        if (createdDate.isAfter(validCreation)) {
             throw new JwtException("Invalid issuedAt");
         }
 
         if (timeToLive > 0) {
             // Calculate the time that is allowed for the message to travel
-            currentTime -= (long)timeToLive * 1000L;
-            validCreation.setTime(currentTime);
+            validCreation = validCreation.minusSeconds(timeToLive);
 
             // Validate the time it took the message to travel
-            if (createdDate.before(validCreation)) {
+            if (createdDate.isBefore(validCreation)) {
                 throw new JwtException("Invalid issuedAt");
             }
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
index 0e86a2a..f5aba4b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
@@ -18,8 +18,8 @@
  */
 package org.apache.cxf.rs.security.oauth2.filters;
 
+import java.time.Instant;
 import java.util.Collections;
-import java.util.Date;
 import java.util.LinkedList;
 import java.util.List;
 
@@ -70,7 +70,8 @@ public class AccessTokenIntrospectionClient implements AccessTokenValidator {
         if (response.getIat() != null) {
             atv.setTokenIssuedAt(response.getIat());
         } else {
-            atv.setTokenIssuedAt(new Date().getTime());
+            Instant now = Instant.now();
+            atv.setTokenIssuedAt(now.toEpochMilli());
         }
         if (response.getExp() != null) {
             atv.setTokenLifetime(response.getExp() - atv.getTokenIssuedAt());

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
index a1f3b0f..e9388b9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
@@ -18,8 +18,8 @@
  */
 package org.apache.cxf.rs.security.oauth2.filters;
 
+import java.time.Instant;
 import java.util.Collections;
-import java.util.Date;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -74,7 +74,8 @@ public class JwtAccessTokenValidator extends JoseJwtConsumer implements AccessTo
         if (claims.getIssuedAt() != null) {
             atv.setTokenIssuedAt(claims.getIssuedAt());
         } else {
-            atv.setTokenIssuedAt(new Date().getTime());
+            Instant now = Instant.now();
+            atv.setTokenIssuedAt(now.toEpochMilli());
         }
         if (claims.getExpiryTime() != null) {
             atv.setTokenLifetime(claims.getExpiryTime() - atv.getTokenIssuedAt());

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index ffca76f..e9c0e16 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -24,7 +24,7 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
-import java.util.Date;
+import java.time.Instant;
 import java.util.ResourceBundle;
 import java.util.UUID;
 import java.util.logging.Level;
@@ -178,10 +178,10 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
         String securityContextKey = UUID.randomUUID().toString();
 
         long currentTime = System.currentTimeMillis();
-        Date notOnOrAfter = validatorResponse.getSessionNotOnOrAfter();
+        Instant notOnOrAfter = validatorResponse.getSessionNotOnOrAfter();
         long expiresAt = 0;
         if (notOnOrAfter != null) {
-            expiresAt = notOnOrAfter.getTime();
+            expiresAt = notOnOrAfter.toEpochMilli();
         } else {
             expiresAt = currentTime + getStateTimeToLive();
         }
@@ -221,13 +221,14 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
             }
 
             // Otherwise create a new one for the IdP initiated case
+            Instant now = Instant.now();
             return new RequestState(urlToForwardTo,
                                     getIdpServiceAddress(),
                                     null,
                                     getIssuerId(JAXRSUtils.getCurrentMessage()),
                                     "/",
                                     null,
-                                    new Date().getTime());
+                                    now.toEpochMilli());
         }
 
         if (relayState == null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java
index 5efd79a..e4d81bb 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java
@@ -19,7 +19,8 @@
 package org.apache.cxf.rs.security.saml.sso;
 
 import java.io.IOException;
-import java.util.Date;
+import java.time.Instant;
+import java.time.ZoneOffset;
 import java.util.Properties;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -125,8 +126,8 @@ public class AbstractSSOSpHandler {
         // Note that the Expires property has been deprecated but apparently is
         // supported better than 'max-age' property by different browsers
         // (Firefox, IE, etc)
-        Date expiresDate = new Date(System.currentTimeMillis() + stateTimeToLive);
-        String cookieExpires = HttpUtils.getHttpDateFormat().format(expiresDate);
+        Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
+        String cookieExpires = HttpUtils.getHttpDateFormat().format(expires.atZone(ZoneOffset.UTC));
         contextCookie += ";Expires=" + cookieExpires;
         //TODO: Consider adding an 'HttpOnly' attribute
 
@@ -134,12 +135,13 @@ public class AbstractSSOSpHandler {
     }
 
     protected boolean isStateExpired(long stateCreatedAt, long expiresAt) {
-        Date currentTime = new Date();
-        if (currentTime.after(new Date(stateCreatedAt + getStateTimeToLive()))) {
+        Instant currentTime = Instant.now();
+        Instant expires = Instant.ofEpochMilli(stateCreatedAt  + getStateTimeToLive());
+        if (currentTime.isAfter(expires)) {
             return true;
         }
 
-        return expiresAt > 0 && currentTime.after(new Date(expiresAt));
+        return expiresAt > 0 && currentTime.isAfter(Instant.ofEpochMilli(expiresAt));
     }
 
     public void setStateProvider(SPStateManager stateProvider) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 0d7af23..19304d8 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -18,7 +18,8 @@
  */
 package org.apache.cxf.rs.security.saml.sso;
 
-import java.util.Date;
+import java.time.Duration;
+import java.time.Instant;
 import java.util.List;
 import java.util.logging.Logger;
 
@@ -100,7 +101,7 @@ public class SAMLSSOResponseValidator {
 
         // Validate Assertions
         org.opensaml.saml.saml2.core.Assertion validAssertion = null;
-        Date sessionNotOnOrAfter = null;
+        Instant sessionNotOnOrAfter = null;
         for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) {
             // Check the Issuer
             if (assertion.getIssuer() == null) {
@@ -126,12 +127,15 @@ public class SAMLSSOResponseValidator {
                     // Store Session NotOnOrAfter
                     for (AuthnStatement authnStatment : assertion.getAuthnStatements()) {
                         if (authnStatment.getSessionNotOnOrAfter() != null) {
-                            sessionNotOnOrAfter = authnStatment.getSessionNotOnOrAfter().toDate();
+                            sessionNotOnOrAfter =
+                                Instant.ofEpochMilli(authnStatment.getSessionNotOnOrAfter().toDate().getTime());
                         }
                     }
                     // Fall back to the SubjectConfirmationData NotOnOrAfter if we have no session NotOnOrAfter
                     if (sessionNotOnOrAfter == null) {
-                        sessionNotOnOrAfter = subjectConf.getSubjectConfirmationData().getNotOnOrAfter().toDate();
+                        sessionNotOnOrAfter =
+                            Instant.ofEpochMilli(subjectConf.getSubjectConfirmationData()
+                                                 .getNotOnOrAfter().toDate().getTime());
                     }
                 }
             }
@@ -147,7 +151,7 @@ public class SAMLSSOResponseValidator {
         validatorResponse.setResponseId(samlResponse.getID());
         validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter);
         if (samlResponse.getIssueInstant() != null) {
-            validatorResponse.setCreated(samlResponse.getIssueInstant().toDate());
+            validatorResponse.setCreated(Instant.ofEpochMilli(samlResponse.getIssueInstant().toDate().getTime()));
         }
 
         Element assertionElement = validAssertion.getDOM();
@@ -234,10 +238,10 @@ public class SAMLSSOResponseValidator {
         // Need to keep bearer assertion IDs based on NotOnOrAfter to detect replay attacks
         if (postBinding && replayCache != null) {
             if (replayCache.getId(id) == null) {
-                Date expires = subjectConfData.getNotOnOrAfter().toDate();
-                Date currentTime = new Date();
-                long ttl = expires.getTime() - currentTime.getTime();
-                replayCache.putId(id, ttl / 1000L);
+                Instant expires = Instant.ofEpochMilli(subjectConfData.getNotOnOrAfter().toDate().getTime());
+                Instant currentTime = Instant.now();
+                long ttl = Duration.between(currentTime, expires).getSeconds();
+                replayCache.putId(id, ttl);
             } else {
                 LOG.fine("Replay attack with token id: " + id);
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java
index 6c0b59c..ee6d3eb 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SSOValidatorResponse.java
@@ -18,7 +18,7 @@
  */
 package org.apache.cxf.rs.security.saml.sso;
 
-import java.util.Date;
+import java.time.Instant;
 
 import org.w3c.dom.Element;
 
@@ -26,8 +26,8 @@ import org.w3c.dom.Element;
  * Some information that encapsulates a successful validation by the SAMLSSOResponseValidator
  */
 public class SSOValidatorResponse {
-    private Date sessionNotOnOrAfter;
-    private Date created;
+    private Instant sessionNotOnOrAfter;
+    private Instant created;
     private String responseId;
     private String assertion;
     private Element assertionElement;
@@ -40,11 +40,11 @@ public class SSOValidatorResponse {
         this.assertion = assertion;
     }
 
-    public Date getSessionNotOnOrAfter() {
+    public Instant getSessionNotOnOrAfter() {
         return sessionNotOnOrAfter;
     }
 
-    public void setSessionNotOnOrAfter(Date sessionNotOnOrAfter) {
+    public void setSessionNotOnOrAfter(Instant sessionNotOnOrAfter) {
         this.sessionNotOnOrAfter = sessionNotOnOrAfter;
     }
 
@@ -64,11 +64,11 @@ public class SSOValidatorResponse {
         this.assertionElement = assertionElement;
     }
 
-    public Date getCreated() {
+    public Instant getCreated() {
         return created;
     }
 
-    public void setCreated(Date created) {
+    public void setCreated(Instant created) {
         this.created = created;
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
index b8b520b..396dcad 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
@@ -20,7 +20,8 @@
 package org.apache.cxf.ws.security.policy.interceptors;
 
 import java.security.NoSuchAlgorithmException;
-import java.time.ZonedDateTime;
+import java.time.Instant;
+import java.time.ZoneOffset;
 import java.util.Base64;
 import java.util.logging.Logger;
 
@@ -286,19 +287,19 @@ abstract class STSInvoker implements Invoker {
 
     void writeLifetime(
         W3CDOMStreamWriter writer,
-        ZonedDateTime created,
-        ZonedDateTime expires,
+        Instant created,
+        Instant expires,
         String prefix,
         String namespace
     ) throws Exception {
         writer.writeStartElement(prefix, "Lifetime", namespace);
         writer.writeNamespace("wsu", WSConstants.WSU_NS);
         writer.writeStartElement("wsu", "Created", WSConstants.WSU_NS);
-        writer.writeCharacters(DateUtil.getDateTimeFormatter(true).format(created));
+        writer.writeCharacters(created.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         writer.writeEndElement();
 
         writer.writeStartElement("wsu", "Expires", WSConstants.WSU_NS);
-        writer.writeCharacters(DateUtil.getDateTimeFormatter(true).format(expires));
+        writer.writeCharacters(expires.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         writer.writeEndElement();
         writer.writeEndElement();
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index 36f163d..648706f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -19,8 +19,7 @@
 
 package org.apache.cxf.ws.security.policy.interceptors;
 
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Collection;
@@ -376,10 +375,10 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
                         .createSecureId("sctId-", sct.getElement()));
             }
 
-            ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-            ZonedDateTime expires = created.plusSeconds(ttl / 1000L);
+            Instant created = Instant.now();
+            Instant expires = created.plusSeconds(ttl / 1000L);
 
-            SecurityToken token = new SecurityToken(sct.getIdentifier(), created.toInstant(), expires.toInstant());
+            SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
             token.setToken(sct.getElement());
             token.setTokenType(sct.getTokenType());
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index 0032128..21c42d8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -19,8 +19,7 @@
 
 package org.apache.cxf.ws.security.policy.interceptors;
 
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.Base64;
 import java.util.Collection;
 
@@ -195,11 +194,11 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             sct.setID(wssConfig.getIdAllocator().createId("sctId-", sct));
 
             // Lifetime
-            ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-            ZonedDateTime expires = 
+            Instant created = Instant.now();
+            Instant expires =
                 created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(exchange.getOutMessage()) / 1000L);
 
-            SecurityToken token = new SecurityToken(sct.getIdentifier(), created.toInstant(), expires.toInstant());
+            SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
             token.setToken(sct.getElement());
             token.setTokenType(sct.getTokenType());
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
index 731c181..019ed5d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
@@ -20,8 +20,6 @@
 package org.apache.cxf.ws.security.tokenstore;
 
 import java.time.Instant;
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.Collection;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
@@ -86,7 +84,7 @@ public class MemoryTokenStore implements TokenStore {
     }
 
     protected void processTokenExpiry() {
-        Instant current = ZonedDateTime.now(ZoneOffset.UTC).toInstant();
+        Instant current = Instant.now();
         synchronized (tokens) {
             for (Map.Entry<String, CacheEntry> entry : tokens.entrySet()) {
                 if (entry.getValue().getExpiry().isBefore(current)) {
@@ -97,8 +95,8 @@ public class MemoryTokenStore implements TokenStore {
     }
 
     private CacheEntry createCacheEntry(SecurityToken token) {
-        ZonedDateTime expires = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(ttl);
-        return new CacheEntry(token, expires.toInstant());
+        Instant expires = Instant.now().plusSeconds(ttl);
+        return new CacheEntry(token, expires);
     }
 
     private static class CacheEntry {

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
index 181d900..eac0b0c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
@@ -28,7 +28,6 @@ import java.security.Key;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
-import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeParseException;
 import java.util.Map;
@@ -365,8 +364,8 @@ public class SecurityToken implements Serializable {
      */
     public boolean isExpired() {
         if (expires != null) {
-            ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
-            if (expires.isBefore(now.toInstant())) {
+            Instant now = Instant.now();
+            if (expires.isBefore(now)) {
                 return true;
             }
         }
@@ -378,8 +377,8 @@ public class SecurityToken implements Serializable {
      */
     public boolean isAboutToExpire(long secondsToExpiry) {
         if (expires != null && secondsToExpiry > 0) {
-            ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(secondsToExpiry);
-            if (expires.isBefore(now.toInstant())) {
+            Instant now = Instant.now().plusSeconds(secondsToExpiry);
+            if (expires.isBefore(now)) {
                 return true;
             }
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index 592c7e2..830195f 100755
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -24,8 +24,8 @@ import java.io.StringReader;
 import java.net.URL;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.time.Instant;
 import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.HashMap;
@@ -1376,17 +1376,17 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
     }
 
     protected void addLifetime(XMLStreamWriter writer) throws XMLStreamException {
-        ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expires = created.plusSeconds(ttl);
+        Instant created = Instant.now();
+        Instant expires = created.plusSeconds(ttl);
 
         writer.writeStartElement("wst", "Lifetime", namespace);
         writer.writeNamespace("wsu", WSConstants.WSU_NS);
         writer.writeStartElement("wsu", "Created", WSConstants.WSU_NS);
-        writer.writeCharacters(DateUtil.getDateTimeFormatter(true).format(created));
+        writer.writeCharacters(created.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         writer.writeEndElement();
 
         writer.writeStartElement("wsu", "Expires", WSConstants.WSU_NS);
-        writer.writeCharacters(DateUtil.getDateTimeFormatter(true).format(expires));
+        writer.writeCharacters(expires.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         writer.writeEndElement();
         writer.writeEndElement();
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
index 46506e9..cc79367 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
@@ -23,8 +23,7 @@ import java.io.InputStream;
 import java.net.URL;
 import java.security.Key;
 import java.security.cert.X509Certificate;
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@@ -162,11 +161,11 @@ public final class WSS4JUtils {
         }
         SecurityToken existingToken = TokenStoreUtils.getTokenStore(message).getToken(securityToken.getId());
         if (existingToken == null || existingToken.isExpired()) {
-            ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-            ZonedDateTime expires = created.plusSeconds(getSecurityTokenLifetime(message) / 1000L);
+            Instant created = Instant.now();
+            Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
 
             SecurityToken cachedTok =
-                new SecurityToken(securityToken.getId(), created.toInstant(), expires.toInstant());
+                new SecurityToken(securityToken.getId(), created, expires);
             cachedTok.setSHA1(securityToken.getSha1Identifier());
 
             if (securityToken.getTokenType() != null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 446f36a..ce689b3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -21,8 +21,7 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
 import java.net.URL;
 import java.security.cert.X509Certificate;
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -545,8 +544,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return ret;
     }
     
-    private SupportingToken signSupportingToken(SecurityToken secToken, String id, 
-                                                AbstractToken token, SupportingTokens suppTokens) 
+    private SupportingToken signSupportingToken(SecurityToken secToken, String id,
+                                                AbstractToken token, SupportingTokens suppTokens)
         throws SOAPException {
         WSSecSignature sig = new WSSecSignature(secHeader);
         sig.setIdAllocator(wssConfig.getIdAllocator());
@@ -1931,12 +1930,12 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 WSSecUsernameToken utBuilder = (WSSecUsernameToken)tempTok;
                 String id = utBuilder.getId();
 
-                ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-                ZonedDateTime expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
-                SecurityToken secToken = new SecurityToken(id, 
-                                                           utBuilder.getUsernameTokenElement(), 
-                                                           created.toInstant(), 
-                                                           expires.toInstant());
+                Instant created = Instant.now();
+                Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+                SecurityToken secToken = new SecurityToken(id,
+                                                           utBuilder.getUsernameTokenElement(),
+                                                           created,
+                                                           expires);
 
                 if (isTokenProtection) {
                     sigParts.add(new WSEncryptionPart(secToken.getId()));

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 80f162a..33434b8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -21,8 +21,7 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -815,9 +814,9 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 String id = (String)wser.get(WSSecurityEngineResult.TAG_ID);
                 if (actInt.intValue() == WSConstants.ST_SIGNED
                     || actInt.intValue() == WSConstants.ST_UNSIGNED) {
-                    ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-                    ZonedDateTime expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
-                    SecurityToken tempTok = new SecurityToken(id, created.toInstant(), expires.toInstant());
+                    Instant created = Instant.now();
+                    Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+                    SecurityToken tempTok = new SecurityToken(id, created, expires);
                     tempTok.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
                     tempTok.setX509Certificate(
                         (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE), null

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
index 8aa4ea2..6c80607 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
@@ -19,8 +19,7 @@
 
 package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -601,10 +600,10 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler {
 
     private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
 
-        ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+        Instant created = Instant.now();
+        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
         SecurityToken tempTok =
-            new SecurityToken(IDGenerator.generateID(null), created.toInstant(), expires.toInstant());
+            new SecurityToken(IDGenerator.generateID(null), created, expires);
 
         KeyGenerator keyGenerator =
             KeyUtils.getKeyGenerator(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption());

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 3e06d84..f705f84 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -19,8 +19,7 @@
 
 package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.List;
@@ -921,13 +920,13 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         String id = encrKey.getId();
         byte[] secret = encrKey.getEphemeralKey();
 
-        ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+        Instant created = Instant.now();
+        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
         SecurityToken tempTok = new SecurityToken(
                         id,
                         encrKey.getEncryptedKeyElement(),
-                        created.toInstant(),
-                        expires.toInstant());
+                        created,
+                        expires);
 
 
         tempTok.setSecret(secret);
@@ -965,10 +964,10 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         String id = usernameToken.getId();
         byte[] secret = usernameToken.getDerivedKey();
 
-        ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+        Instant created = Instant.now();
+        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
         SecurityToken tempTok =
-            new SecurityToken(id, usernameToken.getUsernameTokenElement(), created.toInstant(), expires.toInstant());
+            new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
         tempTok.setSecret(secret);
 
         tokenStore.add(tempTok);
@@ -980,11 +979,11 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         WSSecurityEngineResult encryptedKeyResult = getEncryptedKeyResult();
         if (encryptedKeyResult != null) {
             // Store it in the cache
-            ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-            ZonedDateTime expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+            Instant created = Instant.now();
+            Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
 
             String encryptedKeyID = (String)encryptedKeyResult.get(WSSecurityEngineResult.TAG_ID);
-            SecurityToken securityToken = new SecurityToken(encryptedKeyID, created.toInstant(), expires.toInstant());
+            SecurityToken securityToken = new SecurityToken(encryptedKeyID, created, expires);
             securityToken.setSecret((byte[])encryptedKeyResult.get(WSSecurityEngineResult.TAG_SECRET));
             securityToken.setSHA1(getSHA1((byte[])encryptedKeyResult
                                     .get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
@@ -1010,9 +1009,9 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                     if (utID == null || utID.length() == 0) {
                         utID = wssConfig.getIdAllocator().createId("UsernameToken-", null);
                     }
-                    ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-                    ZonedDateTime expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
-                    SecurityToken securityToken = new SecurityToken(utID, created.toInstant(), expires.toInstant());
+                    Instant created = Instant.now();
+                    Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+                    SecurityToken securityToken = new SecurityToken(utID, created, expires);
 
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                     securityToken.setSecret(secret);

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index a8ef6fe..ff9b311 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -19,8 +19,7 @@
 
 package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -329,12 +328,12 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             String id = usernameToken.getId();
             byte[] secret = usernameToken.getDerivedKey();
 
-            ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-            ZonedDateTime expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+            Instant created = Instant.now();
+            Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
             SecurityToken tempTok = new SecurityToken(id,
                                                       usernameToken.getUsernameTokenElement(),
-                                                      created.toInstant(),
-                                                      expires.toInstant());
+                                                      created,
+                                                      expires);
             tempTok.setSecret(secret);
             getTokenStore().add(tempTok);
             message.put(SecurityConstants.TOKEN_ID, tempTok.getId());

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
index faba41e..2edfd87 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java
@@ -18,8 +18,7 @@
  */
 package org.apache.cxf.ws.security.tokenstore;
 
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageImpl;
@@ -76,8 +75,8 @@ public class MemoryTokenStoreTest extends org.junit.Assert {
     public void testTokenExpiry() {
         SecurityToken token = new SecurityToken();
 
-        ZonedDateTime expires = ZonedDateTime.now(ZoneOffset.UTC).plusMinutes(5L);
-        token.setExpires(expires.toInstant());
+        Instant expires = Instant.now().plusSeconds(5L * 60L);
+        token.setExpires(expires);
 
         assertFalse(token.isExpired());
         assertFalse(token.isAboutToExpire(100L));

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
index c847e4d..28ab73a 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java
@@ -21,8 +21,6 @@ package org.apache.cxf.sts.cache;
 
 import java.time.Duration;
 import java.time.Instant;
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.Collection;
 import java.util.concurrent.TimeUnit;
 
@@ -129,12 +127,12 @@ public class HazelCastTokenStore implements TokenStore {
         int parsedTTL = 0;
         if (token.getExpires() != null) {
             Instant expires = token.getExpires();
-            ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
-            if (expires.isBefore(now.toInstant())) {
+            Instant now = Instant.now();
+            if (expires.isBefore(now)) {
                 return 0;
             }
             
-            Duration duration = Duration.between(now.toInstant(), expires);
+            Duration duration = Duration.between(now, expires);
 
             parsedTTL = (int)duration.getSeconds();
             if (duration.getSeconds() != (long)parsedTTL || parsedTTL > MAX_TTL) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index 816bf91..991e07e 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -22,7 +22,6 @@ package org.apache.cxf.sts.operation;
 import java.security.Principal;
 import java.time.Instant;
 import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -296,20 +295,20 @@ public abstract class AbstractOperation {
         AttributedDateTime created = QNameConstants.UTIL_FACTORY.createAttributedDateTime();
         AttributedDateTime expires = QNameConstants.UTIL_FACTORY.createAttributedDateTime();
 
-        ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime creationTime = now;
-        if (tokenCreated != null) {
-            creationTime = ZonedDateTime.ofInstant(tokenCreated, ZoneOffset.UTC);
+        Instant now = Instant.now();
+        Instant creationTime = tokenCreated;
+        if (tokenCreated == null) {
+            creationTime = now;
         }
         
-        long lifeTimeOfToken = 300L;
-        ZonedDateTime expirationTime = now.plusSeconds(lifeTimeOfToken);
-        if (tokenExpires != null) {
-            expirationTime = ZonedDateTime.ofInstant(tokenExpires, ZoneOffset.UTC);
+        Instant expirationTime = tokenExpires;
+        if (tokenExpires == null) {
+            long lifeTimeOfToken = 300L;
+            expirationTime = now.plusSeconds(lifeTimeOfToken);
         }
 
-        created.setValue(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        expires.setValue(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        created.setValue(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        expires.setValue(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         if (LOG.isLoggable(Level.FINE)) {
             LOG.fine("Token lifetime creation: " + created.getValue());
             LOG.fine("Token lifetime expiration: " + expires.getValue());

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
index 05bc25c..e6ec9d1 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
@@ -19,7 +19,7 @@
 package org.apache.cxf.sts.token.provider;
 
 import java.time.Duration;
-import java.time.ZoneOffset;
+import java.time.Instant;
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeParseException;
 import java.util.ArrayList;
@@ -141,11 +141,11 @@ public class DefaultConditionsProvider implements ConditionsProvider {
         if (lifetime > 0) {
             if (acceptClientLifetime && tokenLifetime != null
                 && tokenLifetime.getCreated() != null && tokenLifetime.getExpires() != null) {
-                ZonedDateTime creationTime = null;
-                ZonedDateTime expirationTime = null;
+                Instant creationTime = null;
+                Instant expirationTime = null;
                 try {
-                    creationTime = ZonedDateTime.parse(tokenLifetime.getCreated());
-                    expirationTime = ZonedDateTime.parse(tokenLifetime.getExpires());
+                    creationTime = ZonedDateTime.parse(tokenLifetime.getCreated()).toInstant();
+                    expirationTime = ZonedDateTime.parse(tokenLifetime.getExpires()).toInstant();
                 } catch (DateTimeParseException ex) {
                     LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
                     throw new STSException(
@@ -155,7 +155,7 @@ public class DefaultConditionsProvider implements ConditionsProvider {
                 }
 
                 // Check to see if the created time is in the future
-                ZonedDateTime validCreation = ZonedDateTime.now(ZoneOffset.UTC);
+                Instant validCreation = Instant.now();
                 if (futureTimeToLive > 0) {
                     validCreation = validCreation.plusSeconds(futureTimeToLive);
                 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
index d875b04..2cbd37a 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java
@@ -19,8 +19,7 @@
 
 package org.apache.cxf.sts.token.provider;
 
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
+import java.time.Instant;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.logging.Level;
@@ -135,16 +134,16 @@ public class SCTProvider implements TokenProvider {
             response.setComputedKey(keyHandler.isComputedKey());
 
             // putting the secret key into the cache
-            ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
-            response.setCreated(created.toInstant());
-            ZonedDateTime expires = null;
+            Instant created = Instant.now();
+            response.setCreated(created);
+            Instant expires = null;
             if (lifetime > 0) {
                 expires = created.plusSeconds(lifetime);
-                response.setExpires(expires.toInstant());
+                response.setExpires(expires);
             }
 
             SecurityToken token =
-                new SecurityToken(sct.getIdentifier(), created.toInstant(), expires.toInstant());
+                new SecurityToken(sct.getIdentifier(), created, expires);
             token.setSecret(keyHandler.getSecret());
             token.setPrincipal(tokenParameters.getPrincipal());
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
index 3b26f0d..92c7b32b 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
@@ -20,7 +20,7 @@ package org.apache.cxf.sts.token.provider.jwt;
 
 import java.security.Principal;
 import java.time.Duration;
-import java.time.ZoneOffset;
+import java.time.Instant;
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeParseException;
 import java.util.ArrayList;
@@ -168,8 +168,8 @@ public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
     protected void handleConditions(JWTClaimsProviderParameters jwtClaimsProviderParameters, JwtClaims claims) {
         TokenProviderParameters providerParameters = jwtClaimsProviderParameters.getProviderParameters();
 
-        ZonedDateTime currentDate = ZonedDateTime.now(ZoneOffset.UTC);
-        long currentTime = currentDate.toEpochSecond();
+        Instant currentDate = Instant.now();
+        long currentTime = currentDate.getEpochSecond();
         
         // Set the defaults first
         claims.setIssuedAt(currentTime);
@@ -179,11 +179,11 @@ public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
         Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime();
         if (lifetime > 0 && acceptClientLifetime && tokenLifetime != null
             && tokenLifetime.getCreated() != null && tokenLifetime.getExpires() != null) {
-            ZonedDateTime creationTime = null;
-            ZonedDateTime expirationTime = null;
+            Instant creationTime = null;
+            Instant expirationTime = null;
             try {
-                creationTime = ZonedDateTime.parse(tokenLifetime.getCreated());
-                expirationTime = ZonedDateTime.parse(tokenLifetime.getExpires());
+                creationTime = ZonedDateTime.parse(tokenLifetime.getCreated()).toInstant();
+                expirationTime = ZonedDateTime.parse(tokenLifetime.getExpires()).toInstant();
             } catch (DateTimeParseException ex) {
                 LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
                 throw new STSException(
@@ -193,7 +193,7 @@ public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
             }
 
             // Check to see if the created time is in the future
-            ZonedDateTime validCreation = ZonedDateTime.now(ZoneOffset.UTC);
+            Instant validCreation = Instant.now();
             if (futureTimeToLive > 0) {
                 validCreation = validCreation.plusSeconds(futureTimeToLive);
             }
@@ -217,10 +217,10 @@ public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
                 }
             }
 
-            long creationTimeInSeconds = creationTime.toEpochSecond();
+            long creationTimeInSeconds = creationTime.getEpochSecond();
             claims.setIssuedAt(creationTimeInSeconds);
             claims.setNotBefore(creationTimeInSeconds);
-            claims.setExpiryTime(expirationTime.toEpochSecond());
+            claims.setExpiryTime(expirationTime.getEpochSecond());
         }
     }
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueUnitTest.java
index 3bdd11c..555ddfe 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueUnitTest.java
@@ -18,8 +18,8 @@
  */
 package org.apache.cxf.sts.operation;
 
+import java.time.Instant;
 import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -465,11 +465,11 @@ public class IssueUnitTest extends org.junit.Assert {
         if (lifetime <= 0) {
             lifetime = 300L;
         }
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expirationTime = creationTime.plusSeconds(lifetime);
+        Instant creationTime = Instant.now();
+        Instant expirationTime = creationTime.plusSeconds(lifetime);
 
-        created.setValue(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        expires.setValue(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        created.setValue(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        expires.setValue(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
 
         LifetimeType lifetimeType = QNameConstants.WS_TRUST_FACTORY.createLifetimeType();
         lifetimeType.setCreated(created);

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java
index 89305c4..e9ca631 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/RenewSamlUnitTest.java
@@ -19,8 +19,8 @@
 package org.apache.cxf.sts.operation;
 
 import java.security.Principal;
+import java.time.Instant;
 import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
@@ -502,11 +502,11 @@ public class RenewSamlUnitTest extends org.junit.Assert {
         if (ttlMs != 0) {
             Lifetime lifetime = new Lifetime();
             
-            ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-            ZonedDateTime expirationTime = creationTime.plusNanos(ttlMs * 1000000L);
+            Instant creationTime = Instant.now();
+            Instant expirationTime = creationTime.plusNanos(ttlMs * 1000000L);
 
-            lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-            lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+            lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+            lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
 
             providerParameters.getTokenRequirements().setLifetime(lifetime);
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderLifetimeTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderLifetimeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderLifetimeTest.java
index 8f21291..e017c24 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderLifetimeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTProviderLifetimeTest.java
@@ -19,8 +19,8 @@
 package org.apache.cxf.sts.token.provider;
 
 import java.time.Duration;
+import java.time.Instant;
 import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.Properties;
 
 import org.apache.cxf.jaxws.context.WrappedMessageContext;
@@ -65,12 +65,12 @@ public class JWTProviderLifetimeTest extends org.junit.Assert {
             createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);
 
         // Set expected lifetime to 1 minute
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant creationTime = Instant.now();
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -137,13 +137,13 @@ public class JWTProviderLifetimeTest extends org.junit.Assert {
         TokenProviderParameters providerParameters = createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);
 
         // Set expected lifetime to 35 minutes
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = 35 * 60L;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -171,13 +171,13 @@ public class JWTProviderLifetimeTest extends org.junit.Assert {
             createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);
 
         // Set expected lifetime to Default max lifetime plus 1
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = DefaultConditionsProvider.DEFAULT_MAX_LIFETIME + 1;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -209,13 +209,13 @@ public class JWTProviderLifetimeTest extends org.junit.Assert {
             createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);
 
         // Set expected lifetime to 35 minutes
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = 35 * 60L;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -250,13 +250,13 @@ public class JWTProviderLifetimeTest extends org.junit.Assert {
             createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);
 
         // Set expected lifetime to 1 minute
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant creationTime = Instant.now();
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
         creationTime = creationTime.plusSeconds(10);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -291,12 +291,12 @@ public class JWTProviderLifetimeTest extends org.junit.Assert {
             createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);
 
         // Set expected lifetime to 1 minute
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(120L);
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant creationTime = Instant.now().plusSeconds(120L);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -338,10 +338,10 @@ public class JWTProviderLifetimeTest extends org.junit.Assert {
             createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);
 
         // Set expected lifetime to 1 minute
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(120L);
+        Instant creationTime = Instant.now().plusSeconds(120L);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
index 97dce88..24e1cd1 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
@@ -19,8 +19,8 @@
 package org.apache.cxf.sts.token.provider;
 
 import java.time.Duration;
+import java.time.Instant;
 import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.Properties;
 
 import org.w3c.dom.Element;
@@ -68,11 +68,11 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
 
         // Set expected lifetime to 1 minute
         Lifetime lifetime = new Lifetime();
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant creationTime = Instant.now();
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
         assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE));
@@ -138,13 +138,13 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
             );
 
         // Set expected lifetime to 35 minutes
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = 35 * 60L;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
         assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE));
@@ -175,13 +175,13 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
             );
 
         // Set expected lifetime to Default max lifetime plus 1
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = DefaultConditionsProvider.DEFAULT_MAX_LIFETIME + 1;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
         assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE));
@@ -216,13 +216,13 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
             );
 
         // Set expected lifetime to 35 minutes
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = 35 * 60L;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -257,13 +257,13 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
             );
 
         // Set expected lifetime to 1 minute
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant creationTime = Instant.now();
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
         creationTime = creationTime.plusSeconds(10L);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -298,12 +298,12 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
             );
 
         // Set expected lifetime to 1 minute
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(120L);
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant creationTime = Instant.now().plusSeconds(120L);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -344,10 +344,10 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
             );
 
         // Set expected lifetime to 1 minute
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(120L);
+        Instant creationTime = Instant.now().plusSeconds(120L);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
index ae9efb5..b1c3d4b 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerLifetimeTest.java
@@ -19,8 +19,8 @@
 package org.apache.cxf.sts.token.renewer;
 
 import java.time.Duration;
+import java.time.Instant;
 import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.Properties;
 
 import javax.security.auth.callback.CallbackHandler;
@@ -84,12 +84,12 @@ public class SAMLTokenRenewerLifetimeTest extends org.junit.Assert {
         TokenRenewerParameters renewerParameters = createRenewerParameters();
 
         // Set expected lifetime to 1 minute
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant creationTime = Instant.now();
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         renewerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -179,13 +179,13 @@ public class SAMLTokenRenewerLifetimeTest extends org.junit.Assert {
         TokenRenewerParameters renewerParameters = createRenewerParameters();
 
         // Set expected lifetime to 35 minutes
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = 35 * 60L;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         renewerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -230,13 +230,13 @@ public class SAMLTokenRenewerLifetimeTest extends org.junit.Assert {
         TokenRenewerParameters renewerParameters = createRenewerParameters();
 
         // Set expected lifetime to Default max lifetime plus 1
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = DefaultConditionsProvider.DEFAULT_MAX_LIFETIME + 1;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         renewerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -286,13 +286,13 @@ public class SAMLTokenRenewerLifetimeTest extends org.junit.Assert {
         TokenRenewerParameters renewerParameters = createRenewerParameters();
 
         // Set expected lifetime to 35 minutes
-        ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
+        Instant creationTime = Instant.now();
         long requestedLifetime = 35 * 60L;
-        ZonedDateTime expirationTime = creationTime.plusSeconds(requestedLifetime);
+        Instant expirationTime = creationTime.plusSeconds(requestedLifetime);
 
         Lifetime lifetime = new Lifetime();
-        lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-        lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         
         renewerParameters.getTokenRequirements().setLifetime(lifetime);
 
@@ -374,12 +374,12 @@ public class SAMLTokenRenewerLifetimeTest extends org.junit.Assert {
         providerParameters.getTokenRequirements().setRenewing(renewing);
 
         if (ttlMs != 0) {
-            ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-            ZonedDateTime expirationTime = creationTime.plusNanos(ttlMs * 1000000L);
+            Instant creationTime = Instant.now();
+            Instant expirationTime = creationTime.plusNanos(ttlMs * 1000000L);
 
             Lifetime lifetime = new Lifetime();
-            lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-            lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+            lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+            lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
 
             providerParameters.getTokenRequirements().setLifetime(lifetime);
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06588cac/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerPOPTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerPOPTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerPOPTest.java
index d50da32..b4ff7d6 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerPOPTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewerPOPTest.java
@@ -18,8 +18,8 @@
  */
 package org.apache.cxf.sts.token.renewer;
 
+import java.time.Instant;
 import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -284,12 +284,13 @@ public class SAMLTokenRenewerPOPTest extends org.junit.Assert {
         providerParameters.getTokenRequirements().setRenewing(renewing);
 
         if (ttlMs != 0) {
-            ZonedDateTime creationTime = ZonedDateTime.now(ZoneOffset.UTC);
-            ZonedDateTime expirationTime = creationTime.plusNanos(ttlMs * 1000000L);
-
             Lifetime lifetime = new Lifetime();
-            lifetime.setCreated(DateUtil.getDateTimeFormatter(true).format(creationTime));
-            lifetime.setExpires(DateUtil.getDateTimeFormatter(true).format(expirationTime));
+            
+            Instant creationTime = Instant.now();
+            Instant expirationTime = creationTime.plusNanos(ttlMs * 1000000L);
+
+            lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+            lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
 
             providerParameters.getTokenRequirements().setLifetime(lifetime);
         }


Mime
View raw message