Repository: cxf Updated Branches: refs/heads/3.1.x-fixes d1f0aff92 -> 5973300ca
CXF-7111 - Make the security token lifetime configurable Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/304ee046 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/304ee046 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/304ee046 Branch: refs/heads/3.1.x-fixes Commit: 304ee04631e07040519f32ece1e44a79e784dff8 Parents: d1f0aff Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Oct 26 15:10:49 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Oct 26 15:42:12 2016 +0100 ---------------------------------------------------------------------- .../apache/cxf/ws/security/SecurityConstants.java | 7 ++++++- .../SecureConversationInInterceptor.java | 3 ++- .../SpnegoContextTokenInInterceptor.java | 3 ++- .../apache/cxf/ws/security/wss4j/WSS4JUtils.java | 17 ++++++++++++++++- .../policyhandlers/AbstractBindingBuilder.java | 2 +- .../policyhandlers/AsymmetricBindingHandler.java | 3 ++- .../StaxSymmetricBindingHandler.java | 2 +- .../policyhandlers/SymmetricBindingHandler.java | 9 +++++---- .../policyhandlers/TransportBindingHandler.java | 3 ++- 9 files changed, 37 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index e13dff3..649532f 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java 
@@ -290,6 +290,11 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security */ public static final String SECURITY_CONTEXT_CREATOR = "ws-security.security.context.creator"; + /** + * The security token lifetime value (in milliseconds). The default is "300000" (5 minutes). + */ + public static final String SECURITY_TOKEN_LIFETIME = "ws-security.security.token.lifetime"; + // // Validator implementations for validating received security tokens // @@ -411,7 +416,7 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security CACHE_IDENTIFIER, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION, POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM, - SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR + SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR, SECURITY_TOKEN_LIFETIME })); for (String commonProperty : COMMON_PROPERTIES) { s.add(commonProperty); http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java index 5441989..4125bbd 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java 
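Review bot: The new Javadoc on SECURITY_TOKEN_LIFETIME says only that the value is in milliseconds with a 5-minute default, but the rest of this commit gives the one property two distinct meanings: the lifetime of the SecureConversation/Spnego context tokens a service issues, and how long the binding handlers and WSS4JUtils keep tokens (including their secrets) in the TokenStore for reuse. I would extend the comment to name both uses, state that the value is read as a String and parsed with Long.parseLong as the helper added in this commit does, and say that a zero or negative value is not rejected. A deployment that wants short-lived issued tokens but a longer client-side reuse cache cannot separate the two with this knob; if that is intended, documenting it here avoids surprise.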
@@ -58,6 +58,7 @@ import org.apache.cxf.ws.security.trust.STSUtils; import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor; import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor; +import org.apache.cxf.ws.security.wss4j.WSS4JUtils; import org.apache.neethi.All; import org.apache.neethi.Assertion; import org.apache.neethi.ExactlyOne; @@ -330,7 +331,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa byte clientEntropy[] = null; int keySize = 256; - long ttl = 300000L; + long ttl = WSS4JUtils.getSecurityTokenLifetime(exchange.getOutMessage()); String tokenType = null; Element el = DOMUtils.getFirstElement(requestEl); while (el != null) { http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java index 7219686..0100332 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java @@ -50,6 +50,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore; import org.apache.cxf.ws.security.trust.STSUtils; import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor; +import org.apache.cxf.ws.security.wss4j.WSS4JUtils; import org.apache.neethi.All; import org.apache.neethi.Assertion; import org.apache.neethi.ExactlyOne; 
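Review bot: The replacement line reads the lifetime through `exchange.getOutMessage()` from inside an inbound interceptor; if the out message has not been created yet when the RST is handled, the helper's null check silently returns the 5-minute default and the configured property is ignored without any indication. Reading it from the inbound side instead, `long ttl = WSS4JUtils.getSecurityTokenLifetime(exchange.getInMessage());`, resolves the same endpoint and bus properties through the contextual lookup without depending on the out message existing at this point — worth confirming which message is present here. The enclosing method starts before this hunk.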
@@ -195,7 +196,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// Lifetime
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000L);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(exchange.getOutMessage()));
SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
token.setToken(sct.getElement());
http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
index 4869b10..03e2101 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
@@ -72,6 +72,21 @@ public final class WSS4JUtils {
private WSS4JUtils() {
// complete
}
+
+ /**
+ * Get the security token lifetime value (in milliseconds). The default is "300000" (5 minutes).
+ * @return the security token lifetime value in milliseconds
+ */
+ public static long getSecurityTokenLifetime(Message message) {
+ if (message != null) {
+ String tokenLifetime =
+ (String)message.getContextualProperty(SecurityConstants.SECURITY_TOKEN_LIFETIME);
+ if (tokenLifetime != null) {
+ return Long.parseLong(tokenLifetime);
+ }
+ }
+ return 300000L;
+ }
/**
* Get a ReplayCache instance. It first checks to see whether caching has been explicitly
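Review bot: The new expires line looks the lifetime up on `exchange.getOutMessage()` from an inbound interceptor, so if no out message exists yet at this point the helper quietly returns the default and the configured value never applies to the issued Spnego context token. `expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(exchange.getInMessage()));` removes that dependence, assuming the inbound message's contextual lookup reaches the endpoint properties (it should, but confirm). The enclosing method starts before this hunk.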
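Review bot: getSecurityTokenLifetime casts the contextual property to String and hands it straight to Long.parseLong, so a property set programmatically as a Long or Integer throws ClassCastException and a malformed string throws NumberFormatException on every message, while "0" or a negative value is accepted and yields tokens that are already expired when they are cached. Because this is configuration read in the request path, I would accept any Object via toString(), reject non-positive values, and fall back to the default with a warning instead of failing the message; the sketch below assumes the class has a LOG field, which is not visible in the hunk. Very large values are still unbounded, so `created.getTime() + lifetime` in the callers can overflow to a negative expiry — a sane upper cap may be worth adding. The Javadoc should also state the String/parseLong contract and the fallback so integrators know what to set.
```java
    /**
     * Get the security token lifetime value (in milliseconds). The default is "300000" (5 minutes).
     * The property may be set as a String or a Number; a value that cannot be parsed or that is
     * not positive is logged and the default is used.
     * @return the security token lifetime value in milliseconds
     */
    public static long getSecurityTokenLifetime(Message message) {
        if (message != null) {
            Object tokenLifetime =
                message.getContextualProperty(SecurityConstants.SECURITY_TOKEN_LIFETIME);
            if (tokenLifetime != null) {
                try {
                    long lifetime = Long.parseLong(tokenLifetime.toString().trim());
                    if (lifetime > 0) {
                        return lifetime;
                    }
                    LOG.warning("Ignoring non-positive " + SecurityConstants.SECURITY_TOKEN_LIFETIME
                                + " value: " + lifetime);
                } catch (NumberFormatException ex) {
                    LOG.warning("Ignoring unparseable " + SecurityConstants.SECURITY_TOKEN_LIFETIME
                                + " value: " + tokenLifetime);
                }
            }
        }
        return 300000L;
    }
```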
@@ -148,7 +163,7 @@ public final class WSS4JUtils { if (existingToken == null || existingToken.isExpired()) { Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000); + expires.setTime(created.getTime() + getSecurityTokenLifetime(message)); SecurityToken cachedTok = new SecurityToken(securityToken.getId(), created, expires); cachedTok.setSHA1(securityToken.getSha1Identifier()); http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index 6247016..1e0d299 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java @@ -1896,7 +1896,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000); + expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message)); SecurityToken secToken = new SecurityToken(id, utBuilder.getUsernameTokenElement(), created, expires); http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java index 791a36e..21fbd30 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java @@ -45,6 +45,7 @@ import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler; import org.apache.cxf.ws.security.wss4j.StaxSerializer; +import org.apache.cxf.ws.security.wss4j.WSS4JUtils; import org.apache.wss4j.common.WSEncryptionPart; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.derivedKey.ConversationConstants; @@ -811,7 +812,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { || actInt.intValue() == WSConstants.ST_UNSIGNED) { Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000); + expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message)); SecurityToken tempTok = new SecurityToken(id, created, expires); tempTok.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET)); tempTok.setX509Certificate( http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java index a23ad09..9ad0ee9 100644 
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java @@ -602,7 +602,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler { Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000L); + expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message)); SecurityToken tempTok = new SecurityToken(IDGenerator.generateID(null), created, expires); http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java index afda195..54a7e14 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java @@ -43,6 +43,7 @@ import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.cxf.ws.security.tokenstore.TokenStore; import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler; import org.apache.cxf.ws.security.wss4j.StaxSerializer; +import org.apache.cxf.ws.security.wss4j.WSS4JUtils; import org.apache.wss4j.common.WSEncryptionPart; import org.apache.wss4j.common.bsp.BSPEnforcer; import org.apache.wss4j.common.crypto.Crypto; 
@@ -914,7 +915,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000); + expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message)); SecurityToken tempTok = new SecurityToken( id, encrKey.getEncryptedKeyElement(), @@ -959,7 +960,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000); + expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message)); SecurityToken tempTok = new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires); tempTok.setSecret(secret); @@ -975,7 +976,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { // Store it in the cache Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000); + expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message)); String encryptedKeyID = (String)encryptedKeyResult.get(WSSecurityEngineResult.TAG_ID); SecurityToken tempTok = new SecurityToken(encryptedKeyID, created, expires); @@ -1007,7 +1008,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000); + expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message)); SecurityToken tempTok = new SecurityToken(utID, created, expires); byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); http://git-wip-us.apache.org/repos/asf/cxf/blob/304ee046/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java index 15b2162..4e092d7 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java @@ -38,6 +38,7 @@ import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; +import org.apache.cxf.ws.security.wss4j.WSS4JUtils; import org.apache.wss4j.common.WSEncryptionPart; import org.apache.wss4j.common.bsp.BSPEnforcer; import org.apache.wss4j.common.crypto.Crypto; @@ -329,7 +330,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder { Date created = new Date(); Date expires = new Date(); - expires.setTime(created.getTime() + 300000); + expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message)); SecurityToken tempTok = new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires); tempTok.setSecret(secret);
