Guanping Zhang created CXF-9221:
-----------------------------------

             Summary: JCache providers use inverted isExpired() logic causing 
expired tokens/codes to never be evicted
                 Key: CXF-9221
                 URL: https://issues.apache.org/jira/browse/CXF-9221
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS, JAX-RS Security
    Affects Versions: 4.2.2
         Environment: Apache CXF 3.5.7, Java 11+, JCache (JSR-107)
            Reporter: Guanping Zhang


In the JCache-based OAuth data providers ({{{}JCacheCodeDataProvider{}}} and 
{{{}JCacheOAuthDataProvider{}}}), the overridden {{isExpired()}} methods 
contain a logic inversion that prevents expired grants and tokens from ever 
being reported as expired by the cache eviction path.
 
The current implementation computes: {{return System.currentTimeMillis() < 
(grant.getIssuedAt() + grant.getExpiresIn());}}
There are two issues here: # Unit Mismatch: {{System.currentTimeMillis()}} 
returns milliseconds, while {{getIssuedAt()}} and {{getExpiresIn()}} are in 
seconds. The millisecond value (~10¹²) will almost always be greater than the 
seconds sum (~10⁹), making the comparison inherently flawed.
 # Polarity Inversion: The logical polarity is inverted compared to the correct 
implementation in {{{}OAuthUtils.isExpired(){}}}.

As a result, {{isExpired()}} always returns {{false}} for the JCache eviction 
checks. While the actual security boundaries (token introspection, refresh 
validation) correctly use {{{}OAuthUtils.isExpired(){}}}, this defect causes 
expired entries to accumulate indefinitely in the JCache, leading to unbounded 
cache growth and potential memory pressure over time.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to