directory-commits mailing list archives

From erodrig...@apache.org
Subject svn commit: r562050 - /directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java
Date Thu, 02 Aug 2007 08:57:35 GMT
Author: erodriguez
Date: Thu Aug  2 01:57:34 2007
New Revision: 562050

URL: http://svn.apache.org/viewvc?view=rev&rev=562050
Log:
Modified the Authenticator replay cache to allow for a configurable cache expiry.  Since the
replay cache doesn't need to store Authenticator information for longer than the configured
clockskew, this allows the TGS to set the expiry to the configured allowed clockskew.

Modified:
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java?view=diff&rev=562050&r1=562049&r2=562050
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java
Thu Aug  2 01:57:34 2007
@@ -21,7 +21,6 @@
 
 
 import java.util.ArrayList;
-import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 
@@ -40,10 +39,21 @@
  */
 public class InMemoryReplayCache implements ReplayCache
 {
-    private static final long TWO_WEEKS = 1000 * 60 * 60 * 24 * 14;
-
     private List<ReplayCacheEntry> list = new ArrayList<ReplayCacheEntry>();
 
+    private long clockSkew = 5 * KerberosTime.MINUTE;
+
+
+    /**
+     * Sets the clock skew.
+     *
+     * @param clockSkew
+     */
+    public void setClockSkew( long clockSkew )
+    {
+        this.clockSkew = clockSkew;
+    }
+
 
     public synchronized boolean isReplay( KerberosPrincipal serverPrincipal, KerberosPrincipal
clientPrincipal,
         KerberosTime clientTime, int clientMicroSeconds )
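Review bot: `setClockSkew` stores any value it is given and is not `synchronized`, although `isReplay` reads `clockSkew` while holding the instance lock. A zero or negative skew would presumably make every entry count as outside the skew and be evicted on the next scan, silently disabling replay detection; declaring the setter `public synchronized void setClockSkew( long clockSkew )` and rejecting bad values with `if ( clockSkew <= 0 ) throw new IllegalArgumentException( "clockSkew must be positive" );` would close both gaps. The Javadoc should state the unit and the constraint, for example `@param clockSkew the allowed clock skew (presumably milliseconds, as KerberosTime.MINUTE suggests); must be at least the skew used when validating Authenticator timestamps`. A cache window shorter than the validation window would let an Authenticator be accepted again after its entry was dropped.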
@@ -55,10 +65,16 @@
         while ( it.hasNext() )
         {
             ReplayCacheEntry entry = it.next();
+
             if ( entry.equals( testEntry ) )
             {
                 return true;
             }
+
+            if ( entry.isOutsideClockSkew( clockSkew ) )
+            {
+                it.remove();
+            }
         }
 
         return false;
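Review bot: Expired entries are now evicted only inside this loop, and only those visited before a matching entry returns `true`; the `purgeExpired()` call that used to run in `save` is removed further down in this commit. If a caller saves without first calling `isReplay`, or entries arrive faster than they age out, the list can grow without bound, and every check is a linear scan under the instance lock. A comment above the loop such as `// Eviction is lazy: entries outside clockSkew are dropped here, not in save()` would record the design, and a size cap or a time-ordered structure would bound the scan on a network-facing service. The start of `isReplay` lies outside this hunk.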
@@ -69,28 +85,6 @@
         KerberosTime clientTime, int clientMicroSeconds )
     {
         list.add( new ReplayCacheEntry( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds
) );
-        purgeExpired();
-    }
-
-
-    /*
-     * TODO - age needs to be configurable; requires store
-     */
-    private synchronized void purgeExpired()
-    {
-        long now = new Date().getTime();
-
-        KerberosTime age = new KerberosTime( now - TWO_WEEKS );
-
-        Iterator<ReplayCacheEntry> it = list.iterator();
-        while ( it.hasNext() )
-        {
-            ReplayCacheEntry entry = it.next();
-            if ( entry.olderThan( age ) )
-            {
-                list.remove( entry );
-            }
-        }
     }
 
     private class ReplayCacheEntry
@@ -137,12 +131,12 @@
         /**
          * Returns whether this {@link ReplayCacheEntry} is older than a given time.
          *
-         * @param time
-         * @return true if the {@link ReplayCacheEntry} is older.
+         * @param clockSkew
+         * @return true if the {@link ReplayCacheEntry}'s client time is outside the clock
skew time.
          */
-        public boolean olderThan( KerberosTime time )
+        public boolean isOutsideClockSkew( long clockSkew )
         {
-            return time.greaterThan( clientTime );
+            return !clientTime.isInClockSkew( clockSkew );
         }
     }
 }
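Review bot: The Javadoc summary above `isOutsideClockSkew` still reads "older than a given time", which no longer describes the method. `isInClockSkew` is not shown here, but if it compares the client time with the current time in both directions, the new method is also true for client times too far in the future. The summary should then read `Returns whether this entry's client time lies outside the allowed clock skew of the current time.` The bare `@param clockSkew` also needs a description with its unit, for example `@param clockSkew the allowed clock skew, presumably in milliseconds`.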


