Repository: cxf Updated Branches: refs/heads/master f61876836 -> 6155656f8
[CXF-5684] - Change token storing logic to allow to store "expired" tokens Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/603d32aa Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/603d32aa Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/603d32aa Branch: refs/heads/master Commit: 603d32aa3897fc9d237a5a22eb6a25192f083b7d Parents: f618768 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Apr 14 14:44:42 2014 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Apr 14 14:44:42 2014 +0100 ---------------------------------------------------------------------- .../policy/interceptors/NegotiationUtils.java | 2 +- .../SecureConversationInInterceptor.java | 5 +- .../security/tokenstore/EHCacheTokenStore.java | 74 +++----------------- .../security/tokenstore/MemoryTokenStore.java | 48 ++++--------- .../cxf/ws/security/tokenstore/TokenStore.java | 6 -- .../ws/security/trust/STSTokenValidator.java | 2 +- .../ws/security/wss4j/WSS4JInInterceptor.java | 2 +- .../security/wss4j/WSS4JStaxInInterceptor.java | 2 +- .../cxf/ws/security/wss4j/WSS4JUtils.java | 2 +- .../tokenstore/EHCacheTokenStoreTest.java | 25 ------- .../tokenstore/MemoryTokenStoreTest.java | 25 ------- .../cxf/sts/cache/HazelCastTokenStore.java | 5 -- .../token/validator/UsernameTokenValidator.java | 2 +- 13 files changed, 34 insertions(+), 166 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java index 597d8df..71c7b35 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java @@ -251,7 +251,7 @@ final class NegotiationUtils { message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier()); SecurityToken token = getTokenStore(message).getToken(tok.getIdentifier()); - if (token == null) { + if (token == null || token.isExpired()) { byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); if (secret != null) { token = new SecurityToken(tok.getIdentifier()); http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java index bd3c19a..fa553d0 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java @@ -381,7 +381,10 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa st = WSS4JUtils.getTokenStore(message).getToken(id); } } - return st; + if (st != null && !st.isExpired()) { + return st; + } + return null; } } http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java index 2a9e004..2fbaa26 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java @@ -21,11 +21,7 @@ package org.apache.cxf.ws.security.tokenstore; import java.io.Closeable; import java.net.URL; -import java.util.ArrayList; import java.util.Collection; -import java.util.Date; -import java.util.Iterator; -import java.util.List; import net.sf.ehcache.Cache; import net.sf.ehcache.CacheManager; @@ -83,33 +79,19 @@ public class EHCacheTokenStore implements TokenStore, Closeable, BusLifeCycleLis ttl = newTtl; } - /** - * Get the (default) TTL value in seconds - * @return the (default) TTL value in seconds - */ - public long getTTL() { - return ttl; - } - public void add(SecurityToken token) { if (token != null && !StringUtils.isEmpty(token.getId())) { - int parsedTTL = getTTL(token); - if (parsedTTL > 0) { - Element element = new Element(token.getId(), token, parsedTTL, parsedTTL); - element.resetAccessStatistics(); - cache.put(element); - } + Element element = new Element(token.getId(), token, getTTL(), getTTL()); + element.resetAccessStatistics(); + cache.put(element); } } public void add(String identifier, SecurityToken token) { if (token != null && !StringUtils.isEmpty(identifier)) { - int parsedTTL = getTTL(token); - if (parsedTTL > 0) { - Element element = new Element(identifier, token, parsedTTL, parsedTTL); - element.resetAccessStatistics(); - cache.put(element); - } + Element element = new Element(identifier, token, getTTL(), getTTL()); + element.resetAccessStatistics(); + cache.put(element); } } @@ -124,19 +106,6 @@ public class EHCacheTokenStore implements TokenStore, Closeable, BusLifeCycleLis return cache.getKeysWithExpiryCheck(); } - public Collection<SecurityToken> getExpiredTokens() { - List<SecurityToken> expiredTokens = new ArrayList<SecurityToken>(); - @SuppressWarnings("unchecked") - Iterator<String> ids = cache.getKeys().iterator(); - while (ids.hasNext()) { - Element element = cache.get(ids.next()); - if (cache.isExpired(element)) { - expiredTokens.add((SecurityToken)element.getObjectValue()); - } - } - return expiredTokens; - } - public SecurityToken getToken(String identifier) { Element element = cache.get(identifier); if (element != null && !cache.isExpired(element)) { @@ -145,32 +114,11 @@ public class EHCacheTokenStore implements TokenStore, Closeable, BusLifeCycleLis return null; } - private int getTTL(SecurityToken token) { - int parsedTTL = 0; - if (token.getExpires() != null) { - Date expires = token.getExpires(); - Date current = new Date(); - long expiryTime = (expires.getTime() - current.getTime()) / 1000L; - if (expiryTime < 0) { - return 0; - } - - parsedTTL = (int)expiryTime; - if (expiryTime != (long)parsedTTL || parsedTTL > MAX_TTL) { - // Default to configured value - parsedTTL = (int)ttl; - if (ttl != (long)parsedTTL) { - // Fall back to 60 minutes if the default TTL is set incorrectly - parsedTTL = 3600; - } - } - } else { - // Default to configured value - parsedTTL = (int)ttl; - if (ttl != (long)parsedTTL) { - // Fall back to 60 minutes if the default TTL is set incorrectly - parsedTTL = 3600; - } + private int getTTL() { + int parsedTTL = (int)ttl; + if (ttl != (long)parsedTTL) { + // Fall back to 60 minutes if the default TTL is set incorrectly + parsedTTL = 3600; } return parsedTTL; } http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java index 144510c..ed719a4 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java @@ -19,10 +19,8 @@ package org.apache.cxf.ws.security.tokenstore; -import java.util.ArrayList; import java.util.Collection; import java.util.Date; -import java.util.List; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; @@ -36,6 +34,7 @@ public class MemoryTokenStore implements TokenStore { public static final long MAX_TTL = DEFAULT_TTL * 12L; private Map<String, CacheEntry> tokens = new ConcurrentHashMap<String, CacheEntry>(); + private long ttl = DEFAULT_TTL; public void add(SecurityToken token) { if (token != null && !StringUtils.isEmpty(token.getId())) { @@ -55,6 +54,14 @@ public class MemoryTokenStore implements TokenStore { } } + /** + * Set a new (default) TTL value in seconds + * @param newTtl a new (default) TTL value in seconds + */ + public void setTTL(long newTtl) { + ttl = newTtl; + } + public void remove(String identifier) { if (!StringUtils.isEmpty(identifier) && tokens.containsKey(identifier)) { tokens.remove(identifier); @@ -66,20 +73,6 @@ public class MemoryTokenStore implements TokenStore { return tokens.keySet(); } - public Collection<SecurityToken> getExpiredTokens() { - List<SecurityToken> expiredTokens = new ArrayList<SecurityToken>(); - Date current = new Date(); - synchronized (tokens) { - for (String id : tokens.keySet()) { - CacheEntry cacheEntry = tokens.get(id); - if (cacheEntry.getExpiry().before(current)) { - expiredTokens.add(cacheEntry.getSecurityToken()); - } - } - } - return expiredTokens; - } - public SecurityToken getToken(String id) { processTokenExpiry(); @@ -103,25 +96,10 @@ public class MemoryTokenStore implements TokenStore { } private CacheEntry createCacheEntry(SecurityToken token) { - CacheEntry cacheEntry = null; - if (token.getExpires() == null) { - Date expires = new Date(); - long currentTime = expires.getTime(); - expires.setTime(currentTime + (DEFAULT_TTL * 1000L)); - cacheEntry = new CacheEntry(token, expires); - } else { - Date expires = token.getExpires(); - Date current = new Date(); - long expiryTime = expires.getTime() - current.getTime(); - if (expiryTime < 0) { - return null; - } - if (expiryTime > (MAX_TTL * 1000L)) { - expires.setTime(current.getTime() + (DEFAULT_TTL * 1000L)); - } - cacheEntry = new CacheEntry(token, expires); - } - return cacheEntry; + Date expires = new Date(); + long currentTime = expires.getTime(); + expires.setTime(currentTime + (ttl * 1000L)); + return new CacheEntry(token, expires); } private static class CacheEntry { http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java index 1ba97c8..4e7e28b 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java @@ -53,12 +53,6 @@ public interface TokenStore { Collection<String> getTokenIdentifiers(); /** - * Return the list of expired tokens. - * @return An array of expired <code>Tokens</code> - */ - Collection<SecurityToken> getExpiredTokens(); - - /** * Returns the <code>Token</code> of the given identifier * @param identifier * @return The requested <code>Token</code> identified by the given identifier http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java index bf0d328..88ae9d6 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java @@ -91,7 +91,7 @@ public class STSTokenValidator implements Validator { TokenStore tokenStore = getTokenStore(message); if (tokenStore != null && hash != 0) { SecurityToken transformedToken = getTransformedToken(tokenStore, hash); - if (transformedToken != null) { + if (transformedToken != null && !transformedToken.isExpired()) { SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken()); credential.setTransformedToken(assertion); return credential; http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java index c9eac0e..1d1b2ac 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java @@ -642,7 +642,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor { String id = pc.getIdentifier(); SecurityToken tok = store.getToken(id); - if (tok != null) { + if (tok != null && !tok.isExpired()) { pc.setKey(tok.getSecret()); pc.setCustomToken(tok.getToken()); return; http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java index b2e540f..631f1e1 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java @@ -413,7 +413,7 @@ public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor { String id = pc.getIdentifier(); SecurityToken tok = store.getToken(id); - if (tok != null) { + if (tok != null && !tok.isExpired()) { pc.setKey(tok.getSecret()); pc.setKey(tok.getKey()); pc.setCustomToken(tok.getToken()); http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java index 62afffd..add1bb6 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java @@ -176,7 +176,7 @@ public final class WSS4JUtils { return null; } SecurityToken existingToken = getTokenStore(message).getToken(securityToken.getId()); - if (existingToken == null) { + if (existingToken == null || existingToken.isExpired()) { Date created = new Date(); Date expires = new Date(); expires.setTime(created.getTime() + 300000); http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java index 52f4bc0..ced0d98 100644 --- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java +++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStoreTest.java @@ -18,8 +18,6 @@ */ package org.apache.cxf.ws.security.tokenstore; -import java.util.Date; - import org.apache.cxf.common.classloader.ClassLoaderUtils; import org.apache.cxf.message.ExchangeImpl; import org.apache.cxf.message.Message; @@ -61,29 +59,6 @@ public class EHCacheTokenStoreTest extends org.junit.Assert { assertNull(store.getToken(newKey)); } - // tests TokenStore apis for storing in the cache with various expiration times - @org.junit.Test - public void testTokenAddExpiration() throws Exception { - SecurityToken expiredToken = new SecurityToken("expiredToken"); - Date currentDate = new Date(); - long currentTime = currentDate.getTime(); - Date expiry = new Date(); - expiry.setTime(currentTime - 5000L); - expiredToken.setExpires(expiry); - store.add(expiredToken); - assertTrue(store.getTokenIdentifiers().isEmpty()); - - SecurityToken farFutureToken = new SecurityToken("farFuture"); - expiry = new Date(); - expiry.setTime(Long.MAX_VALUE); - farFutureToken.setExpires(expiry); - store.add(farFutureToken); - - assertTrue(store.getTokenIdentifiers().size() == 1); - store.remove(farFutureToken.getId()); - assertTrue(store.getTokenIdentifiers().isEmpty()); - } - // tests TokenStore apis for removing from the cache. @org.junit.Test public void testTokenRemove() { http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java index a124c02..40260d1 100644 --- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java +++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStoreTest.java @@ -18,8 +18,6 @@ */ package org.apache.cxf.ws.security.tokenstore; -import java.util.Date; - import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageImpl; import org.apache.cxf.ws.security.SecurityConstants; @@ -54,29 +52,6 @@ public class MemoryTokenStoreTest extends org.junit.Assert { assertNull(store.getToken(newKey)); } - // tests TokenStore apis for storing in the cache with various expiration times - @org.junit.Test - public void testTokenAddExpiration() throws Exception { - SecurityToken expiredToken = new SecurityToken("expiredToken"); - Date currentDate = new Date(); - long currentTime = currentDate.getTime(); - Date expiry = new Date(); - expiry.setTime(currentTime - 5000L); - expiredToken.setExpires(expiry); - store.add(expiredToken); - assertTrue(store.getTokenIdentifiers().isEmpty()); - - SecurityToken farFutureToken = new SecurityToken("farFuture"); - expiry = new Date(); - expiry.setTime(Long.MAX_VALUE); - farFutureToken.setExpires(expiry); - store.add(farFutureToken); - - assertTrue(store.getTokenIdentifiers().size() == 1); - store.remove(farFutureToken.getId()); - assertTrue(store.getTokenIdentifiers().isEmpty()); - } - // tests TokenStore apis for removing from the cache. @org.junit.Test public void testTokenRemove() { http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java index 7ff38d2..0dc3354 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/cache/HazelCastTokenStore.java @@ -112,11 +112,6 @@ public class HazelCastTokenStore implements TokenStore { return CastUtils.cast((Collection<?>)getCacheMap().keySet()); } - public Collection<SecurityToken> getExpiredTokens() { - // TODO Auto-generated method stub - return null; - } - public SecurityToken getToken(String identifier) { return (SecurityToken)getCacheMap().get(identifier); } http://git-wip-us.apache.org/repos/asf/cxf/blob/603d32aa/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java index e2d902e..a8a175a 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/UsernameTokenValidator.java @@ -183,7 +183,7 @@ public class UsernameTokenValidator implements TokenValidator { SecurityToken secToken = null; if (tokenParameters.getTokenStore() != null) { secToken = tokenParameters.getTokenStore().getToken(Integer.toString(hash)); - if (secToken != null && secToken.getTokenHash() != hash) { + if (secToken != null && (secToken.getTokenHash() != hash || secToken.isExpired())) { secToken = null; } }
