Repository: cxf Updated Branches: refs/heads/master 679835fe2 -> 27824e144
Checking null and negative OAuth2 lifetime property Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/27824e14 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/27824e14 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/27824e14 Branch: refs/heads/master Commit: 27824e14407cb2a4e1ef1a1c02a77a24ebe4b2bf Parents: 679835f Author: Sergey Beryozkin <[email protected]> Authored: Tue Apr 19 10:45:18 2016 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Apr 19 10:45:18 2016 +0100 ---------------------------------------------------------------------- .../apache/cxf/rs/security/oauth2/utils/OAuthUtils.java | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/27824e14/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index a7f9dc6..c1a1474 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -187,8 +187,14 @@ public final class OAuthUtils {
 }
 public static boolean isExpired(Long issuedAt, Long lifetime) {
- return lifetime != 0L
- && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
+ // At some point -1 was used to indicate an unlimited lifetime
+ // with 0 being introduced instead at a later stage.
+ // In theory there still could be a code around initializing the tokens with -1.
+ // Treating -1 and 0 the same way is reasonable and it also makes it easier to
+ // deal with the token introspection responses with no issuedAt time reported
+ return lifetime == null
+ || lifetime < -1
+ || lifetime > 0L && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
 }
 public static boolean validateAudience(String providedAudience,
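Review bot: A null issuedAt still throws NullPointerException on the last added line whenever lifetime is positive, because the unboxing in `issuedAt + lifetime` is not guarded, even though the new comment says the change is meant to ease handling of introspection responses that report no issuedAt. Failing closed would be `|| lifetime > 0L && (issuedAt == null || issuedAt + lifetime < System.currentTimeMillis() / 1000L);`, so a token whose issue time cannot be established is reported as expired instead of crashing the caller. The parentheses also make the intended `a || b || (c && d)` grouping explicit, which the bare `&&` inside the `||` chain currently leaves to operator precedence. The public method has no Javadoc; a short one stating that a null lifetime or any value below -1 counts as expired, while 0 and -1 mean unlimited, would record the decision the inline comment describes. The whole of isExpired is within the hunk; the enclosing class continues outside it.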
