Repository: cxf Updated Branches: refs/heads/master eb746f58d -> 79916d34d
Some modifications to Hawk token nonce verification code, more is needed Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/79916d34 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/79916d34 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/79916d34 Branch: refs/heads/master Commit: 79916d34da80bd16321347a3eb188e20ca991456 Parents: eb746f5 Author: Sergey Beryozkin <[email protected]> Authored: Wed Nov 5 16:16:51 2014 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Nov 5 16:16:51 2014 +0000 ---------------------------------------------------------------------- .../rs/security/oauth2/tokens/hawk/Nonce.java | 11 +++++++- .../oauth2/tokens/hawk/NonceHistory.java | 28 +++++++------------- .../security/oauth2/tokens/hawk/NonceStore.java | 2 +- .../oauth2/tokens/hawk/NonceVerifierImpl.java | 23 +++++----------- 4 files changed, 28 insertions(+), 36 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/79916d34/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/Nonce.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/Nonce.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/Nonce.java
index 1669001..b87d959 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/Nonce.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/Nonce.java
@@ -25,7 +25,7 @@ public class Nonce implements Serializable { private static final long serialVersionUID = -6164115071533503490L; private String nonceString; - private long ts; + private Long ts; public Nonce(String nonce, long ts) { this.nonceString = nonce;
@@ -39,4 +39,13 @@ public class Nonce implements Serializable { public long getTs() { return ts; } + + public int hashCode() { return nonceString.hashCode() + 37 * ts.hashCode(); } + public boolean equals(Object o) { return o instanceof Nonce && this.nonceString.equals(((Nonce)o).nonceString) && this.ts.equals(((Nonce)o).ts); } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf/blob/79916d34/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceHistory.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceHistory.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceHistory.java
index cb95e9c..99b6137 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceHistory.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceHistory.java
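Review bot: Changing `ts` from `long` to `Long` while keeping `serialVersionUID = -6164115071533503490L` is a serialization-incompatible change: Nonce implements Serializable, and the Java serialization specification lists changing the declared type of a primitive field among the incompatible changes, so any Nonce already persisted by a NonceStore implementation would fail to deserialize against this class (whether a deployment persists them is not visible here). The boxing appears to exist only so the new `hashCode`/`equals` in the next hunk can call `ts.hashCode()`; keeping `private long ts;` and hashing it as `(int) (ts ^ (ts >>> 32))`, with `this.ts == ((Nonce) o).ts` in equals, avoids both the compatibility break and an allocation per verified request. The class header is the hunk's context line, so the Nonce class starts outside this hunk.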
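Review bot: The new `hashCode()` and `equals(Object)` lack `@Override`, the only compile-time guard against the `equals(Nonce)` overload mistake; add `@Override` to both. `nonceString.hashCode()` and `this.nonceString.equals(...)` dereference the field unconditionally, so a Nonce built with a null nonce string (nothing in these hunks prevents one) makes the `Set.add` in NonceHistory throw NullPointerException instead of the request being rejected cleanly; either reject null in the constructor or compare the string null-safely. Equality over the (nonce, ts) pair means the same nonce string with a different timestamp is a distinct entry, which matches Hawk's nonce check being keyed on nonce and timestamp together, so a one-line class Javadoc such as `/** A Hawk nonce; two instances are equal when both the nonce string and the timestamp match. */` would make that intent explicit for implementors of NonceStore. The constructor is visible in the first hunk, but the rest of the class body lies outside both hunks.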
@@ -19,42 +19,34 @@ package org.apache.cxf.rs.security.oauth2.tokens.hawk; import java.io.Serializable; -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; +import java.util.Collections; +import java.util.LinkedHashSet; +import java.util.Set; public class NonceHistory implements Serializable { private static final long serialVersionUID = -6404833046910698956L; private final long requestTimeDelta; - private final List<Nonce> nonceList = new ArrayList<Nonce>(); + private final Set<Nonce> nonceList = Collections.synchronizedSet(new LinkedHashSet<Nonce>()); public NonceHistory(long requestTimeDelta, Nonce nonce) { this.requestTimeDelta = requestTimeDelta; nonceList.add(nonce); } - public void addNonce(Nonce nonce) { - nonceList.add(nonce); + public boolean addNonce(Nonce nonce) { + return nonceList.add(nonce); } public long getRequestTimeDelta() { return requestTimeDelta; } - public List<Nonce> getNonceList() { - return nonceList; - } - - public Collection<Nonce> findMatchingNonces(String nonceString, long ts) { - List<Nonce> nonceMatches = new ArrayList<Nonce>(); - for (Nonce nonce : getNonceList()) { - if (nonce.getNonceString().equals(nonceString) && nonce.getTs() == ts) { - nonceMatches.add(nonce); - } - } - return nonceMatches; + public Set<Nonce> getNonces() { + return Collections.unmodifiableSet(nonceList); } + + } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf/blob/79916d34/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceStore.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceStore.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceStore.java
index 7a55d39..18199ee 100644
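Review bot: The new `nonceList` set only ever grows — `addNonce` inserts and nothing in the class removes — so every accepted (nonce, ts) pair for a token key is retained for as long as the NonceHistory lives, and a holder of a valid key can inflate server memory simply by sending requests with fresh nonces; entries older than the verifier's acceptance window can presumably never be replayed anyway (the `checkAdjustedRequestTime` call in NonceVerifierImpl is not visible here, so confirm), which makes them safe to drop. A pruning method that removes entries at or below a cutoff timestamp, invoked by the verifier before `addNonce`, keeps the set bounded by the window; it must iterate inside `synchronized (nonceList)` because `Collections.synchronizedSet` does not make iteration atomic, and it needs a `java.util.Iterator` import outside this hunk. For the same reason callers of `getNonces()` cannot iterate safely: the unmodifiable wrapper hides the lock object, so either document that or return a copy taken under the lock, `synchronized (nonceList) { return new LinkedHashSet<Nonce>(nonceList); }`. As a point of style, the field is now a `Set`, so `nonces` would read better than `nonceList` and would match `getNonces()`.
```java
    private final Set<Nonce> nonceList = Collections.synchronizedSet(new LinkedHashSet<Nonce>());

    // … unchanged: constructor, addNonce, getRequestTimeDelta, getNonces …

    /**
     * Removes every recorded nonce whose timestamp is not newer than cutoffTs.
     * Callers are expected to pass a cutoff that their own timestamp check already
     * rejects, so the dropped entries can no longer be replayed and the history
     * stays bounded instead of growing by one entry per request.
     * Iteration holds the set's own lock: synchronizedSet does not make iteration atomic.
     */
    public void removeNoncesNotAfter(long cutoffTs) {
        synchronized (nonceList) {
            Iterator<Nonce> it = nonceList.iterator();
            while (it.hasNext()) {
                if (it.next().getTs() <= cutoffTs) {
                    it.remove();
                }
            }
        }
    }
```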
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceStore.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceStore.java
@@ -20,7 +20,7 @@ package org.apache.cxf.rs.security.oauth2.tokens.hawk; public interface NonceStore { - void storeNonce(String tokenKey, Nonce nonce, long requestTimeDelta); + void initNonceHistory(String tokenKey, Nonce nonce, long requestTimeDelta); NonceHistory getNonceHistory(String tokenKey); } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf/blob/79916d34/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceVerifierImpl.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceVerifierImpl.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceVerifierImpl.java
index 785f6ef..4ce1f36 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceVerifierImpl.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/NonceVerifierImpl.java
@@ -23,7 +23,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; public class NonceVerifierImpl implements NonceVerifier { private NonceStore nonceStore; - private long allowedWindow; // 2000 ms + private long allowedWindow; public void verifyNonce(String tokenKey, String clientNonceString, String clientTimestampString) throws OAuthServiceException { 
@@ -34,26 +34,17 @@ public class NonceVerifierImpl implements NonceVerifier { } long serverClock = System.currentTimeMillis(); + long clientTimestamp = Long.valueOf(clientTimestampString); NonceHistory nonceHistory = nonceStore.getNonceHistory(tokenKey); - boolean firstTimeRequest = false; + Nonce nonce = new Nonce(clientNonceString, clientTimestamp); if (nonceHistory == null) { - firstTimeRequest = true; - } - long clientTimestamp = Long.valueOf(clientTimestampString); - if (firstTimeRequest) { long requestTimeDelta = serverClock - clientTimestamp; - Nonce nonce = new Nonce(clientNonceString, clientTimestamp); - nonceStore.storeNonce(tokenKey, nonce, requestTimeDelta); + nonceStore.initNonceHistory(tokenKey, nonce, requestTimeDelta); } else { checkAdjustedRequestTime(serverClock, clientTimestamp, nonceHistory); - checkNonceHistory(nonceHistory, clientNonceString, clientTimestamp); - } - } - - private static void checkNonceHistory(NonceHistory nonceHistory, final String clientNonceString, - final long ts) throws OAuthServiceException { - if (!nonceHistory.findMatchingNonces(clientNonceString, ts).isEmpty()) { - throw new OAuthServiceException("Duplicate nonce"); + if (!nonceHistory.addNonce(nonce)) { + throw new OAuthServiceException("Duplicate nonce"); + } } }
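Review bot: `Long.valueOf(clientTimestampString)`, now evaluated before the history lookup, still throws an unchecked NumberFormatException for a malformed or non-numeric `ts`, so a bad client value surfaces as a generic server error instead of the OAuthServiceException the rest of the method signals; wrap it as `catch (NumberFormatException ex) { throw new OAuthServiceException("Invalid timestamp"); }` (the message wording convention is not visible here). The `getNonceHistory` null check followed by `initNonceHistory` is a check-then-act sequence: two concurrent first requests for the same tokenKey can both observe null and both initialise the history, so the nonce of whichever request is overwritten is never recorded and can be accepted again; unless the store contract (changed in the NonceStore hunk) requires put-if-absent semantics, the verifier should have `initNonceHistory` return the history actually stored and run the duplicate check against it when it is not the one just created. The first request also fixes `requestTimeDelta` from the client's own timestamp with no window check, so if the history is lost (store restart or eviction) a captured request replays as a "first" request with a self-chosen clock offset; the commit message already says more is needed, so a `// TODO: validate the first timestamp against the server clock` on the null branch would mark this. The start of verifyNonce and the body of checkAdjustedRequestTime lie outside this hunk.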
