Author: coheigea
Date: Thu May 24 10:46:10 2012
New Revision: 1342191
URL: http://svn.apache.org/viewvc?rev=1342191&view=rev
Log:
Only caching tokens until expiry
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/EHCacheTokenReplayCache.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/EHCacheTokenReplayCache.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/EHCacheTokenReplayCache.java?rev=1342191&r1=1342190&r2=1342191&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/EHCacheTokenReplayCache.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/EHCacheTokenReplayCache.java
Thu May 24 10:46:10 2012
@@ -32,11 +32,12 @@ import org.apache.ws.security.util.Loade
/**
* An in-memory EHCache implementation of the TokenReplayCache interface.
- * The default TTL is 60 minutes.
+ * The default TTL is 60 minutes and the max TTL is 12 hours.
*/
public class EHCacheTokenReplayCache implements TokenReplayCache<String>,
Closeable {
public static final long DEFAULT_TTL = 3600L;
+ public static final long MAX_TTL = DEFAULT_TTL * 12L;
private static final String CACHE_KEY = "fediz-replay-cache";
private Ehcache cache;
private CacheManager cacheManager;
@@ -85,20 +86,33 @@ public class EHCacheTokenReplayCache imp
*/
@Override
public void putId(String id) {
+ putId(id, ttl);
+ }
+
+ /**
+ * Add the given identifier to the cache.
+ * @param identifier The identifier to be added
+ * @param timeToLive The length of time to cache the Identifier in seconds
+ */
+ @Override
+ public void putId(String id, long timeToLive) {
if (id == null || "".equals(id)) {
return;
}
- int parsedTTL = (int)ttl;
- if (ttl != (long)parsedTTL) {
- // Fall back to 60 minutes if the default TTL is set incorrectly
- parsedTTL = 3600;
+ int parsedTTL = (int)timeToLive;
+ if (timeToLive != (long)parsedTTL || parsedTTL < 0 || parsedTTL >
MAX_TTL) {
+ // Default to configured value
+ parsedTTL = (int)ttl;
+ if (ttl != (long)parsedTTL) {
+ // Fall back to 60 minutes if the default TTL is set
incorrectly
+ parsedTTL = 3600;
+ }
}
cache.put(new Element(id, id, false, parsedTTL, parsedTTL));
}
-
/**
* Return the given identifier if it is contained in the cache, otherwise
null.
* @param id The identifier to check
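Review bot: A timeToLive above MAX_TTL is replaced by the configured default in the `parsedTTL > MAX_TTL` branch, so a token valid for, say, 13 hours is forgotten by the replay cache after 60 minutes and can be replayed for the remaining twelve; clamping to `MAX_TTL` (and logging that it happened) keeps the window as small as the cache allows. A timeToLive of exactly 0 also passes the `parsedTTL < 0` guard and reaches `new Element(id, id, false, 0, 0)`, where the meaning of a zero lifespan is Ehcache's rather than this class's and in neither reading equals the documented default, so the guard should be `<= 0`. The new Javadoc names the parameter `identifier` while the signature calls it `id`. The rewrite below separates the three cases.
```java
    public void putId(String id, long timeToLive) {
        // … unchanged: null/empty id guard …
        int parsedTTL;
        if (timeToLive <= 0L) {
            // No usable lifetime supplied: use the configured default, falling back to 60 minutes
            parsedTTL = (int) ttl;
            if (ttl != (long) parsedTTL || parsedTTL <= 0) {
                parsedTTL = (int) DEFAULT_TTL;
            }
        } else if (timeToLive > MAX_TTL) {
            // Longer than the cache is willing to hold: clamp rather than shrink to the default,
            // so the replay window is as short as possible
            parsedTTL = (int) MAX_TTL;
        } else {
            parsedTTL = (int) timeToLive;
        }
        cache.put(new Element(id, id, false, parsedTTL, parsedTTL));
    }
```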
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1342191&r1=1342190&r2=1342191&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
Thu May 24 10:46:10 2012
@@ -171,7 +171,19 @@ public class FederationProcessorImpl imp
if (replayCache.getId(response.getUniqueTokenId()) == null) {
// not cached
- replayCache.putId(response.getUniqueTokenId());
+ Date expires = null;
+ if (lifeTime != null && lifeTime.getExpires() != null) {
+ expires = lifeTime.getExpires();
+ } else {
+ expires = response.getExpires();
+ }
+ if (expires != null) {
+ Date currentTime = new Date();
+ long ttl = expires.getTime() - currentTime.getTime();
+ replayCache.putId(response.getUniqueTokenId(), ttl /
1000L);
+ } else {
+ replayCache.putId(response.getUniqueTokenId());
+ }
} else {
LOG.error("Replay attack with token id: "
+ response.getUniqueTokenId());
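Review bot: The division `ttl / 1000L` passed to replayCache.putId truncates, so the cache entry can be evicted up to a second before the token's own expiry, leaving a window in which a still-valid token is no longer remembered; rounding up closes it, and a non-positive remainder should take the default `putId(id)` path instead of reaching the cache as 0. Preferring `lifeTime.getExpires()` over `response.getExpires()` also deserves a second look: lifeTime is set outside this hunk, and if it comes from the RSTR Lifetime element, which need not be covered by the assertion signature, then the later of the two dates is the safer choice for how long to remember the ID. The enclosing method starts before this hunk.
```java
                // not cached
                Date expires = response.getExpires();
                if (lifeTime != null && lifeTime.getExpires() != null
                    && (expires == null || lifeTime.getExpires().after(expires))) {
                    expires = lifeTime.getExpires();
                }
                if (expires != null) {
                    // Round up so the entry never expires before the token itself does
                    long remainingMillis = expires.getTime() - System.currentTimeMillis();
                    long ttlSeconds = (remainingMillis + 999L) / 1000L;
                    if (ttlSeconds > 0L) {
                        replayCache.putId(response.getUniqueTokenId(), ttlSeconds);
                    } else {
                        replayCache.putId(response.getUniqueTokenId());
                    }
                } else {
                    replayCache.putId(response.getUniqueTokenId());
                }
                // … unchanged: else branch logging the replay attack …
```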
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?rev=1342191&r1=1342190&r2=1342191&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java
Thu May 24 10:46:10 2012
@@ -25,4 +25,5 @@ public interface TokenReplayCache<T> {
void putId(T id);
+ void putId(T id, long timeToLive);
}
\ No newline at end of file
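Review bot: The new `putId(T id, long timeToLive)` is added without Javadoc, so neither the unit of timeToLive nor the contract for implementations that cannot expire entries individually is stated; in this same commit the EHCache implementation documents it as seconds while the in-memory one ignores it. A doc comment such as `/** Add the given identifier to the cache, retaining it for at least timeToLive seconds; implementations without per-entry expiry may keep it longer but must never drop it earlier. */` would pin that down, since dropping an id early is exactly what re-opens the replay window.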
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java?rev=1342191&r1=1342190&r2=1342191&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java
Thu May 24 10:46:10 2012
@@ -61,6 +61,11 @@ public final class TokenReplayCacheInMem
public void putId(T id) {
cache.add(id);
}
+
+ @Override
+ public void putId(T id, long timeToLive) {
+ cache.add(id);
+ }
}
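Review bot: The new `putId(T id, long timeToLive)` drops the timeToLive argument without a word, so a reader cannot tell whether ignoring it is deliberate. Since `cache.add(id)` appears to have no per-entry expiry, the identifier is kept for the life of the cache: safe against replay, but the collection grows with every accepted token, which matters for a long-running service. A comment such as `// No per-entry expiry here: the id is retained for the life of the cache (never replayable, but never freed).` makes the trade-off explicit; the class header is outside this hunk.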
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java?rev=1342191&r1=1342190&r2=1342191&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
Thu May 24 10:46:10 2012
@@ -19,6 +19,7 @@
package org.apache.cxf.fediz.core;
+import java.util.Date;
import java.util.List;
public class TokenValidatorResponse {
@@ -29,6 +30,7 @@ public class TokenValidatorResponse {
private String issuer;
private String audience;
private List<Claim> claims;
+ private Date expires;
@@ -63,5 +65,13 @@ public class TokenValidatorResponse {
}
+ public Date getExpires() {
+ return expires;
+ }
+
+ public void setExpires(Date expires) {
+ this.expires = expires;
+ }
+
}
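Review bot: `getExpires()` hands out the stored `java.util.Date` and `setExpires()` keeps the caller's instance, so any holder of either reference can move the expiry after validation, because Date is mutable. Copying on both sides costs one line each: `return expires == null ? null : new Date(expires.getTime());` and `this.expires = expires == null ? null : new Date(expires.getTime());`. The consumer added in this commit reads the value once, so this is a hardening point rather than a live defect.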
Modified:
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1342191&r1=1342190&r2=1342191&view=diff
==============================================================================
---
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
(original)
+++
cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
Thu May 24 10:46:10 2012
@@ -25,6 +25,7 @@ import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
+import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -221,7 +222,8 @@ public class SAMLTokenValidator implemen
TokenValidatorResponse response = new TokenValidatorResponse(
assertion.getId(), p.getName(), assertionIssuer, roles,
new ClaimCollection(claims), audience);
-
+ response.setExpires(getExpires(assertion));
+
return response;
} catch (WSSecurityException ex) {
@@ -459,6 +461,20 @@ public class SAMLTokenValidator implemen
return true;
}
+
+ private Date getExpires(AssertionWrapper assertion) {
+ DateTime validTill = null;
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+ validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
+ } else {
+ validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
+ }
+
+ if (validTill == null) {
+ return null;
+ }
+ return validTill.toDate();
+ }
// A sample MyHandler class
class PasswordCallbackHandler implements CallbackHandler {
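Review bot: `assertion.getSaml2().getConditions()` and `assertion.getSaml1().getConditions()` are dereferenced without a null check, yet a Conditions element is optional in both SAML 1.1 and 2.0, so an assertion that carries none would throw NullPointerException here if getConditions() returns null for an absent child, which is how OpenSAML generally behaves. The only catch visible in this file's earlier hunk is for WSSecurityException, so that NPE would propagate out of the validator instead of being reported as a validation failure. Guarding each lookup, as below, lets the existing `validTill == null` check cover both the absent-element and absent-attribute cases.
```java
    private Date getExpires(AssertionWrapper assertion) {
        DateTime validTill = null;
        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            // Conditions is optional in SAML 2.0; guard before dereferencing
            if (assertion.getSaml2().getConditions() != null) {
                validTill = assertion.getSaml2().getConditions().getNotOnOrAfter();
            }
        } else if (assertion.getSaml1().getConditions() != null) {
            // Likewise optional in SAML 1.1
            validTill = assertion.getSaml1().getConditions().getNotOnOrAfter();
        }
        // … unchanged: null check and toDate() …
```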