Return-Path: X-Original-To: apmail-ws-dev-archive@www.apache.org Delivered-To: apmail-ws-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3AF3F115A5 for ; Thu, 28 Aug 2014 09:45:58 +0000 (UTC) Received: (qmail 46197 invoked by uid 500); 28 Aug 2014 09:45:57 -0000 Delivered-To: apmail-ws-dev-archive@ws.apache.org Received: (qmail 46038 invoked by uid 500); 28 Aug 2014 09:45:57 -0000 Mailing-List: contact dev-help@ws.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ws.apache.org Delivered-To: mailing list dev@ws.apache.org Received: (qmail 46027 invoked by uid 99); 28 Aug 2014 09:45:57 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 28 Aug 2014 09:45:57 +0000 Date: Thu, 28 Aug 2014 09:45:57 +0000 (UTC) From: "Colm O hEigeartaigh (JIRA)" To: dev@ws.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (WSS-509) SecurityToken::isExpired: add clock skew option MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/WSS-509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14113616#comment-14113616 ] Colm O hEigeartaigh commented on WSS-509: ----------------------------------------- What race conditions are you seeing? IMO it is not a good idea to add a "clock skew" option to the expiry of tokens. It's used in WSS4J for the "creation" of tokens only (SAML NotOnOrAfter / Timestamp Created). Why not just increase the expiry value when generating the tokens in the STS? Colm. > SecurityToken::isExpired: add clock skew option > ----------------------------------------------- > > Key: WSS-509 > URL: https://issues.apache.org/jira/browse/WSS-509 > Project: WSS4J > Issue Type: Improvement > Components: WSS4J Core > Affects Versions: 1.6.16 > Reporter: Willem Salembier > Assignee: Colm O hEigeartaigh > Fix For: 1.6.17 > > > We notice race conditions with some of our clients when CXF verifies if SecurityTokens cached locally are still valid or expired. One reason could be clock desynchronization, another reason is that while the token was still valid at the moment of request construction, it isn't when the SOAP message arrives on the server (1s difference suffices). > Is it possible to add a clock skew option to org.apache.cxf.ws.security.tokenstore.SecurityToken.isExpired() cfr whats been done in org.apache.ws.security.validate.SamlAssertionValidator.checkConditions(AssertionWrapper) with the futureTTL property. In SamlAssertionValidator the futureTTl is only used in the validFrom comparison, but in our case it should be considered also in the validTill comparison. > A possible workaround is to configure our STS to initialize Lifetime>Expires in the RSTR response to SAMLAssertion > Conditions > NotOnOrAfter - clock skew. -- This message was sent by Atlassian JIRA (v6.2#6252) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org For additional commands, e-mail: dev-help@ws.apache.org