Author: coheigea
Date: Mon Mar 12 14:32:31 2012
New Revision: 1299687

URL: http://svn.apache.org/viewvc?rev=1299687&view=rev
Log:
Setting a maximum TTL for the MemoryReplayCache

Modified:
    
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/cache/MemoryReplayCache.java

Modified: 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/cache/MemoryReplayCache.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/cache/MemoryReplayCache.java?rev=1299687&r1=1299686&r2=1299687&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/cache/MemoryReplayCache.java
 (original)
+++ 
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/cache/MemoryReplayCache.java
 Mon Mar 12 14:32:31 2012
@@ -25,11 +25,13 @@ import java.util.HashSet;
 import java.util.Set;
 
 /**
- * A simple in-memory HashSet based cache to prevent against replay attacks.
+ * A simple in-memory HashSet based cache to prevent against replay attacks. 
The default TTL is 5 minutes
+ * and the max TTL is 60 minutes.
  */
 public class MemoryReplayCache implements ReplayCache {
     
     public static final long DEFAULT_TTL = 60L * 5L;
+    public static final long MAX_TTL = DEFAULT_TTL * 12L;
     private Set<ReplayCacheIdentifier> cache = 
         Collections.synchronizedSet(new HashSet<ReplayCacheIdentifier>());
     
@@ -53,9 +55,14 @@ public class MemoryReplayCache implement
         ReplayCacheIdentifier cacheIdentifier = new ReplayCacheIdentifier();
         cacheIdentifier.setIdentifier(identifier);
         
+        long ttl = timeToLive;
+        if (ttl < 0 || ttl > MAX_TTL) {
+            ttl = DEFAULT_TTL;
+        }
+        
         Date expires = new Date();
         long currentTime = expires.getTime();
-        expires.setTime(currentTime + (timeToLive * 1000L));
+        expires.setTime(currentTime + (ttl * 1000L));
         cacheIdentifier.setExpiry(expires);
         
         cache.add(cacheIdentifier);
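Review bot: A requested TTL above MAX_TTL is replaced with DEFAULT_TTL at `if (ttl < 0 || ttl > MAX_TTL)`, so a caller asking for more than 60 minutes gets a 5-minute entry rather than the 60-minute cap. If callers derive timeToLive from a token's remaining validity (not visible in this hunk), the identifier would leave the cache well before the token expires, and a replay after that point would no longer be caught. Capping keeps the memory bound while retaining the longest permitted window: `if (ttl < 0) { ttl = DEFAULT_TTL; } else if (ttl > MAX_TTL) { ttl = MAX_TTL; }`. The substitution is also silent, so the method's Javadoc should state that timeToLive is in seconds and what happens to out-of-range values. The enclosing method starts and ends outside this hunk.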

