Repository: cxf Updated Branches: refs/heads/master 5015c0c1c -> 0da8b3a16
[CXF-6165] The clock can be not synchronized Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0da8b3a1 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0da8b3a1 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0da8b3a1 Branch: refs/heads/master Commit: 0da8b3a165f1edfbb8648955de9759cee5d12b14 Parents: 5015c0c Author: Sergey Beryozkin <[email protected]> Authored: Tue Jun 16 17:05:27 2015 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Jun 16 17:05:27 2015 +0100 ---------------------------------------------------------------------- .../src/main/webapp/WEB-INF/applicationContext.xml | 1 + .../org/apache/cxf/rs/security/jose/jwt/JwtUtils.java | 10 +++++++--- .../cxf/rs/security/oidc/rp/AbstractTokenValidator.java | 7 ++++++- 3 files changed, 14 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/0da8b3a1/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml ----------------------------------------------------------------------
diff --git a/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml b/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml
index cfc4aa0..fc154bd 100644
--- a/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml
@@ -92,6 +92,7 @@
 <property name="jwkSetClient" ref="jwkSetClient"/>
 <property name="issuerId" value="accounts.google.com"/>
 <property name="userInfoServiceClient" ref="userInfoServiceClient"/>
+ <property name="clockOffset" value="10"/>
 </bean>
 <bean id="consumer" class="org.apache.cxf.rs.security.oauth2.client.Consumer">
http://git-wip-us.apache.org/repos/asf/cxf/blob/0da8b3a1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index d78fc41..302d9c0 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -36,7 +36,8 @@ public final class JwtUtils {
 return new JwtTokenReaderWriter().fromJsonClaims(json);
 }
- public static void validateJwtTimeClaims(JwtClaims claims, int issuedAtRange, boolean claimsRequired) {
+ public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset,
+ int issuedAtRange, boolean claimsRequired) {
 Long currentTimeInSecs = System.currentTimeMillis() / 1000;
 Long expiryTimeInSecs = claims.getExpiryTime();
 if (expiryTimeInSecs == null && claimsRequired
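Review bot: In the JwtUtils hunk, the new four-argument `validateJwtTimeClaims` replaces the public three-argument overload instead of adding to it, and it places two adjacent `int` parameters (`clockOffset`, `issuedAtRange`) side by side with no Javadoc saying which is which or that both are compared against second-resolution timestamps. A caller compiled against the old signature breaks, and a caller that swaps the two ints still compiles while silently changing how strictly issuedAt is checked. I would keep the old overload as a delegate, `public static void validateJwtTimeClaims(JwtClaims claims, int issuedAtRange, boolean claimsRequired) { validateJwtTimeClaims(claims, 0, issuedAtRange, claimsRequired); }`, and add a Javadoc block on the new method naming each parameter, its unit, and that a `clockOffset` of zero or less means no tolerance. The method body continues past the end of this hunk.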
@@ -44,15 +45,18 @@ public final class JwtUtils {
 throw new SecurityException("The token expired");
 }
 Long issuedAtInSecs = claims.getIssuedAt();
+ if (clockOffset <= 0) {
+ clockOffset = 0;
+ }
 if (issuedAtInSecs == null && claimsRequired
- || issuedAtInSecs != null && (issuedAtInSecs > currentTimeInSecs || issuedAtRange > 0
+ || issuedAtInSecs != null && (issuedAtInSecs - clockOffset > currentTimeInSecs || issuedAtRange > 0
 && issuedAtInSecs < currentTimeInSecs - issuedAtRange)) {
 throw new SecurityException("Invalid issuedAt");
 }
 }
 public static void validateJwtTimeClaims(JwtClaims claims) {
- validateJwtTimeClaims(claims, 0, false);
+ validateJwtTimeClaims(claims, 0, 0, false);
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/0da8b3a1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index f468d33..74c0c00 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -38,6 +38,7 @@ public abstract class AbstractTokenValidator {
 private JwsSignatureVerifier jwsVerifier;
 private String issuerId;
 private int issuedAtRange;
+ private int clockOffset;
 private WebClient jwkSetClient;
 private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>();
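Review bot: In the second JwtUtils hunk the skew allowance is applied only to the future-dated issuedAt test (`issuedAtInSecs - clockOffset > currentTimeInSecs`); the expiry comparison that ends in `throw new SecurityException("The token expired")` sits above the new `clockOffset` normalisation and is not touched by this commit, so it presumably still compares against the unadjusted current time (its condition line falls between the two hunks and is not visible). A relying party whose clock runs ahead of the issuer would then still reject fresh tokens as expired, so either apply the same allowance there or say in a comment that expiry is deliberately strict. Separately, `if (clockOffset <= 0) { clockOffset = 0; }` hides a negative setting and nothing caps a large one, which would effectively switch off the future-issuedAt rejection. Consider normalising once at the top of the method with `int skew = Math.max(0, clockOffset);` and rejecting or logging values above a small documented maximum.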
@@ -79,7 +80,7 @@ public abstract class AbstractTokenValidator {
 if (issuer == null && validateClaimsAlways || issuer != null && !issuer.equals(issuerId)) {
 throw new SecurityException("Invalid provider");
 }
- JwtUtils.validateJwtTimeClaims(claims, issuedAtRange, validateClaimsAlways);
+ JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
 }
@@ -146,4 +147,8 @@ public abstract class AbstractTokenValidator {
 }
 return theJwsVerifier;
 }
+
+ public void setClockOffset(int clockOffset) {
+ this.clockOffset = clockOffset;
+ }
 }
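Review bot: `setClockOffset`, added in the last hunk, has no Javadoc, and nothing at the setter or at the `clockOffset` field says what unit the value is in. In `JwtUtils` the value is subtracted from an issuedAt timestamp held in seconds, so the sample configuration's `value="10"` means ten seconds, but an operator reading only this class could easily assume milliseconds. I would add `/** Sets the clock skew, in seconds, tolerated when validating a token's issuedAt claim; zero or a negative value means no tolerance. */` above the setter.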
