Repository: cxf Updated Branches: refs/heads/master b25170121 -> 6a688edc9
Fixing build Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6a688edc Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6a688edc Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6a688edc Branch: refs/heads/master Commit: 6a688edc96515f73e8133a6e2b012f37c739da77 Parents: b251701 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Oct 12 10:27:02 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Oct 12 10:27:02 2015 +0100 ---------------------------------------------------------------------- .../oidc/rp/AbstractTokenValidator.java | 40 ++++++++++++++------ 1 file changed, 28 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/6a688edc/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index f56651f..02a7dc2 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -34,8 +34,8 @@ import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
 public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsumer {
 private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
 private String issuerId;
- private int issuedAtRange;
- private int clockOffset;
+ private int ttl = 300;
+ private int futureTTL;
 private WebClient jwkSetClient;
 private boolean supportSelfIssuedProvider;
 private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>();
@@ -63,7 +63,17 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
 throw new SecurityException("Invalid audience");
 }
- JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
+ // If we have no issued time then we need to have an expiry
+ boolean expiredRequired = claims.getIssuedAt() == null;
+ JwtUtils.validateJwtExpiry(claims, expiredRequired);
+
+ JwtUtils.validateJwtNotBefore(claims, futureTTL, false);
+
+ // If we have no expiry then we must have an issued at
+ boolean issuedAtRequired = claims.getExpiryTime() == null;
+ if (issuedAtRequired) {
+ JwtUtils.validateJwtTTL(claims, ttl, issuedAtRequired);
+ }
 }
 }
@@ -75,10 +85,6 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
 this.jwkSetClient = jwkSetClient;
 }
- public void setIssuedAtRange(int issuedAtRange) {
- this.issuedAtRange = issuedAtRange;
- }
-
 @Override
 protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
 JsonWebKey key = null;
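Review bot: In the `@@ -63,7 +63,17 @@` hunk the `if (issuedAtRequired)` guard means `JwtUtils.validateJwtTTL` only runs when `exp` is missing, so a token that carries both `exp` and `iat` is accepted on its expiry alone and `ttl` is never applied to it. Inside that guard the third argument is always `true`, which suggests the call was meant to run unconditionally: `JwtUtils.validateJwtTTL(claims, ttl, issuedAtRequired);` without the surrounding `if` (assuming the flag means "claim required", as it appears to for `validateJwtExpiry`). OpenID Connect Core lists both `exp` and `iat` as required ID token claims, so if this validator handles ID tokens the either/or treatment is looser than the specification. The replaced call also consulted `validateClaimsAlways` and `clockOffset`; the new lines use neither, and the enclosing method starts above the hunk so the remaining use of that parameter cannot be checked from here.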
@@ -120,13 +126,23 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
 return theJwsVerifier;
 }
- public void setClockOffset(int clockOffset) {
- this.clockOffset = clockOffset;
- }
-
 public void setSupportSelfIssuedProvider(boolean supportSelfIssuedProvider) {
 this.supportSelfIssuedProvider = supportSelfIssuedProvider;
 }
-
+ public int getTtl() {
+ return ttl;
+ }
+
+ public void setTtl(int ttl) {
+ this.ttl = ttl;
+ }
+
+ public int getFutureTTL() {
+ return futureTTL;
+ }
+
+ public void setFutureTTL(int futureTTL) {
+ this.futureTTL = futureTTL;
+ }
 }
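Review bot: `setTtl` and `setFutureTTL` store any int unchecked, and neither they nor the new fields (declared in the `@@ -34,8 +34,8 @@` hunk) say what unit the value is in or what zero or a negative value does to token validation. Because these two numbers bound how old, or how far in the future, an accepted token may be, add Javadoc stating the unit and defaults, and reject nonsensical input, e.g. `if (ttl < 0) { throw new IllegalArgumentException("ttl must not be negative"); }`, unless a non-positive value is intended to switch the check off, in which case document that. Dropping the public `setClockOffset` here and `setIssuedAtRange` in the `@@ -75,10 +85,6 @@` hunk also breaks any bean configuration that still sets those properties; keeping them for a release as `@Deprecated` setters would make the upgrade fail less abruptly.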
