Repository: cxf Updated Branches: refs/heads/3.0.x-fixes f30d69ed5 -> 8c8325beb
[CXF-6165] The clock can be not synchronized
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8c8325be
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8c8325be
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8c8325be
Branch: refs/heads/3.0.x-fixes
Commit: 8c8325bebd59dfebcb49b9ffb8b3e9a200ccc3f8
Parents: f30d69e
Author: Sergey Beryozkin <[email protected]>
Authored: Tue Jun 16 17:05:27 2015 +0100
Committer: Sergey Beryozkin <[email protected]>
Committed: Tue Jun 16 17:06:50 2015 +0100
----------------------------------------------------------------------
 .../org/apache/cxf/rs/security/jose/jwt/JwtUtils.java | 10 +++++++---
 .../cxf/rs/security/oidc/rp/AbstractTokenValidator.java | 7 ++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8325be/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index d78fc41..302d9c0 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -36,7 +36,8 @@ public final class JwtUtils {
 return new JwtTokenReaderWriter().fromJsonClaims(json);
 }
- public static void validateJwtTimeClaims(JwtClaims claims, int issuedAtRange, boolean claimsRequired) {
+ public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset,
+ int issuedAtRange, boolean claimsRequired) {
 Long currentTimeInSecs = System.currentTimeMillis() / 1000;
 Long expiryTimeInSecs = claims.getExpiryTime();
 if (expiryTimeInSecs == null && claimsRequired
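Review bot: In JwtUtils.validateJwtTimeClaims the new `clockOffset` sits directly before `issuedAtRange`, both plain `int` and with no Javadoc, so a caller that passes them in the wrong order still compiles and silently changes which tokens pass the issuedAt check. A Javadoc on the method should state that both values are in seconds, that `clockOffset` is the tolerated clock skew for an issuedAt in the future, and that `issuedAtRange` is the maximum accepted token age. The commit also replaces the public three-argument signature on a fixes branch; keeping it as a delegating overload whose body is `validateJwtTimeClaims(claims, 0, issuedAtRange, claimsRequired);` would leave existing callers working. The method body continues past the end of this hunk.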
@@ -44,15 +45,18 @@ public final class JwtUtils {
 throw new SecurityException("The token expired");
 }
 Long issuedAtInSecs = claims.getIssuedAt();
+ if (clockOffset <= 0) {
+ clockOffset = 0;
+ }
 if (issuedAtInSecs == null && claimsRequired
- || issuedAtInSecs != null && (issuedAtInSecs > currentTimeInSecs || issuedAtRange > 0
+ || issuedAtInSecs != null && (issuedAtInSecs - clockOffset > currentTimeInSecs || issuedAtRange > 0
 && issuedAtInSecs < currentTimeInSecs - issuedAtRange)) {
 throw new SecurityException("Invalid issuedAt");
 }
 }
 public static void validateJwtTimeClaims(JwtClaims claims) {
- validateJwtTimeClaims(claims, 0, false);
+ validateJwtTimeClaims(claims, 0, 0, false);
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8325be/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index f468d33..74c0c00 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -38,6 +38,7 @@ public abstract class AbstractTokenValidator {
 private JwsSignatureVerifier jwsVerifier;
 private String issuerId;
 private int issuedAtRange;
+ private int clockOffset;
 private WebClient jwkSetClient;
 private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>();
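Review bot: In JwtUtils.validateJwtTimeClaims, `clockOffset` is clamped only from below, so an arbitrarily large value is accepted and makes `issuedAtInSecs - clockOffset > currentTimeInSecs` effectively never true, which switches off the rejection of tokens issued in the future; AbstractTokenValidator.setClockOffset in the last hunk passes any `int` through unchecked. A negative value is also silently rewritten to 0 instead of being reported as a configuration error, and the `<= 0` test could simply be `< 0`. Consider validating once at the setter, for example `if (clockOffset < 0) { throw new IllegalArgumentException("clockOffset must not be negative"); }`, and capping or logging unusually large values. The expiry comparison lies between the two JwtUtils hunks and is not visible here; if it does not apply the same offset, skew is tolerated for issuedAt but not for expiry.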
@@ -79,7 +80,7 @@ public abstract class AbstractTokenValidator {
 if (issuer == null && validateClaimsAlways || issuer != null && !issuer.equals(issuerId)) {
 throw new SecurityException("Invalid provider");
 }
- JwtUtils.validateJwtTimeClaims(claims, issuedAtRange, validateClaimsAlways);
+ JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
 }
@@ -146,4 +147,8 @@ public abstract class AbstractTokenValidator {
 }
 return theJwsVerifier;
 }
+
+ public void setClockOffset(int clockOffset) {
+ this.clockOffset = clockOffset;
+ }
 }
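Review bot: `setClockOffset` in the last hunk has no Javadoc, and nothing in AbstractTokenValidator says that the value is in seconds or that the field's default of 0 means no tolerance. The unit matters because JwtUtils subtracts the value from an issuedAt expressed in seconds, so a deployment that configures it in milliseconds would widen the acceptance window for future-dated tokens a thousandfold. Suggest adding `/** Sets the tolerated clock skew, in seconds, used when checking that a token's issuedAt is not in the future; 0 (the default) allows no skew. */` above the setter.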
