Posted to commits@cxf.apache.org by co...@apache.org on 2018/10/05 16:08:52 UTC
[cxf] branch 3.2.x-fixes updated (625ede2 -> 8633213)
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a change to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git.
from 625ede2 Recording .gitmergeinfo Changes
new d3e1c33 Fix issue if lifetime only specify expired without created
new 8633213 Fix issue if lifetime only specify expired without created
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../token/provider/DefaultConditionsProvider.java | 34 +++++++++------
.../token/provider/SAMLProviderLifetimeTest.java | 50 +++++++++++++++++++---
2 files changed, 64 insertions(+), 20 deletions(-)
[cxf] 01/02: Fix issue if lifetime only specify expired without
created
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit d3e1c33b8f45cf2abf3bfbf4dafd45b2b4b4c119
Author: Thomas Papke <th...@icw.de>
AuthorDate: Fri Oct 5 09:15:17 2018 +0200
Fix issue if lifetime only specify expired without created
(cherry picked from commit cc82c76f4ade7af271ebb20679ac1ae2f5b58ee0)
---
.../token/provider/DefaultConditionsProvider.java | 36 +++++++++------
.../token/provider/SAMLProviderLifetimeTest.java | 52 ++++++++++++++++++----
2 files changed, 65 insertions(+), 23 deletions(-)
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
index 135f53f..a9252b9 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
@@ -78,6 +78,7 @@ public class DefaultConditionsProvider implements ConditionsProvider {
* doesn't specify a lifetime element
* @return the lifetime in seconds
*/
+ @Override
public long getLifetime() {
return lifetime;
}
@@ -134,25 +135,17 @@ public class DefaultConditionsProvider implements ConditionsProvider {
/**
* Get a ConditionsBean object.
*/
+ @Override
public ConditionsBean getConditions(TokenProviderParameters providerParameters) {
ConditionsBean conditions = new ConditionsBean();
Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime();
if (lifetime > 0) {
- if (acceptClientLifetime && tokenLifetime != null
- && tokenLifetime.getCreated() != null && tokenLifetime.getExpires() != null) {
- Instant creationTime = null;
- Instant expirationTime = null;
- try {
- creationTime = ZonedDateTime.parse(tokenLifetime.getCreated()).toInstant();
- expirationTime = ZonedDateTime.parse(tokenLifetime.getExpires()).toInstant();
- } catch (DateTimeParseException ex) {
- LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
- throw new STSException(
- "Error in parsing Timestamp Created or Expiration Strings",
- STSException.INVALID_TIME
- );
- }
+ if (acceptClientLifetime && tokenLifetime != null &&
+ (tokenLifetime.getCreated() != null || tokenLifetime.getExpires() != null)) {
+ Instant creationTime = parsedInstantOrDefault(tokenLifetime.getCreated(), Instant.now());
+ Instant expirationTime = parsedInstantOrDefault(tokenLifetime.getExpires(),
+ creationTime.plusSeconds(lifetime));
// Check to see if the created time is in the future
Instant validCreation = Instant.now();
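Review bot: The new defaulting rule at the `parsedInstantOrDefault` calls is undocumented in the provider itself; the only explanation of why an absent Created becomes `Instant.now()` lives in the new test's Javadoc, and the fallback for Expires (creation time plus the server's configured lifetime) is stated nowhere. A short comment above the two calls would make the contract visible where it is enforced, e.g. `// Per WS-Trust an absent Created means "now"; an absent Expires means Created plus the configured default lifetime. An empty string passes the null guard above and is treated as absent by the helper.` Because this branch was previously skipped unless both elements were present, a client-supplied Expires now reaches the lifetime checks further down with a server-chosen creation time; I assume those checks (outside this hunk) still cap the resulting duration, but a test with only a far-future Expires would confirm it, since the new test covers only 60 seconds. The enclosing getConditions method continues past the end of this hunk.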
@@ -198,6 +191,21 @@ public class DefaultConditionsProvider implements ConditionsProvider {
return conditions;
}
+ private Instant parsedInstantOrDefault(String dateTime, Instant defaultInstant) {
+ if (dateTime == null || dateTime.isEmpty()) {
+ return defaultInstant;
+ }
+ try {
+ return ZonedDateTime.parse(dateTime).toInstant();
+ } catch (DateTimeParseException ex) {
+ LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
+ throw new STSException(
+ "Error in parsing Timestamp Created or Expiration Strings",
+ STSException.INVALID_TIME
+ );
+ }
+ }
+
/**
* Create a list of AudienceRestrictions to be added to the Conditions Element of the
* issued Assertion. The default behaviour is to add a single Audience URI per
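Review bot: The new private helper `parsedInstantOrDefault` has no Javadoc, and because both timestamps now go through the same method the FINE log and the STSException message can no longer tell the reader which of Created or Expires failed to parse. A Javadoc stating that a null or empty string yields the supplied default, that the string is parsed as an ISO zoned date-time, and that any parse failure is reported as STSException with INVALID_TIME would cover the contract; passing a field name into the helper and including it in the log line would restore the diagnostic the old inline code effectively had. The parse exception `ex` is also dropped rather than chained; if STSException offers a cause-accepting constructor, passing `ex` preserves the root cause for operators reading the server log.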
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
index 41a514a..d7c3b33 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
@@ -23,8 +23,6 @@ import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Properties;
-import org.w3c.dom.Element;
-
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.sts.STSConstants;
@@ -42,6 +40,7 @@ import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.CustomTokenPrincipal;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.common.util.DateUtil;
+import org.w3c.dom.Element;
/**
@@ -86,6 +85,40 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
assertTrue(tokenString.contains(providerResponse.getTokenId()));
}
+ /**
+ *
+ * As specified in ws-trust
+ * "If this attribute isn't specified, then the current time is used as an initial period."
+ * if creation time is not specified, we use current time instead.
+ *
+ */
+ @org.junit.Test
+ public void saml2LifetimeWithoutCreated() throws WSSecurityException {
+ int requestedLifetime = 60;
+ SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
+ DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
+ conditionsProvider.setAcceptClientLifetime(true);
+ samlTokenProvider.setConditionsProvider(conditionsProvider);
+
+ TokenProviderParameters providerParameters =
+ createProviderParameters(
+ WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE
+ );
+
+ // Set expected lifetime to 1 minute
+ Lifetime lifetime = new Lifetime();
+ Instant expirationTime = Instant.now().plusSeconds(requestedLifetime);
+
+ lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+ providerParameters.getTokenRequirements().setLifetime(lifetime);
+
+ assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
+ TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
+ assertTrue(providerResponse != null);
+ assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+ assertEquals(providerResponse.getExpires(), expirationTime);
+ }
+
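Review bot: `assertEquals(providerResponse.getExpires(), expirationTime)` has the JUnit arguments reversed (expected first), so a failure message would label the values the wrong way round; use `assertEquals(expirationTime, providerResponse.getExpires());`, and `assertTrue(providerResponse != null)` is clearer as `assertNotNull(providerResponse);`. The exact-equality comparison also depends on the formatter from `DateUtil.getDateTimeFormatter(true)` round-tripping every fraction of a second that `Instant.now()` produced; on JDKs where `Instant.now()` carries sub-millisecond precision this may fail intermittently, so comparing at the formatter's precision or, like the neighbouring tests, comparing the duration in seconds would be more robust. The test never asserts that the defaulted Created is approximately "now" (for instance that it is not after Expires and that the duration does not exceed requestedLifetime), which is the behaviour the commit is meant to establish. The Javadoc also has a stray empty line after `/**`.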
/**
@@ -223,14 +256,14 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-
+
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
-
+
long duration = Duration.between(providerResponse.getCreated(), providerResponse.getExpires()).getSeconds();
assertEquals(maxLifetime, duration);
Element token = (Element)providerResponse.getToken();
@@ -264,14 +297,14 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-
+
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
-
+
long duration = Duration.between(providerResponse.getCreated(), providerResponse.getExpires()).getSeconds();
assertEquals(50, duration);
Element token = (Element)providerResponse.getToken();
@@ -304,7 +337,7 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-
+
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
@@ -336,6 +369,7 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
+ conditionsProvider.setFutureTimeToLive(180L);
samlTokenProvider.setConditionsProvider(conditionsProvider);
TokenProviderParameters providerParameters =
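Review bot: The added `conditionsProvider.setFutureTimeToLive(180L);` is a bare magic value with no explanation of why this test now needs a future-time allowance. Presumably the test's creation time (set outside this hunk) lies ahead of now and, with only Created supplied, the provider now enters the client-lifetime branch and applies the "created in the future" check that it previously skipped entirely. A comment such as `// Created is set ahead of now; the client-lifetime branch is now taken for Created-only requests, so allow up to 180s of clock skew` would record that. The test method starts and ends outside the hunk.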
@@ -348,7 +382,7 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-
+
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
@@ -356,7 +390,7 @@ public class SAMLProviderLifetimeTest extends org.junit.Assert {
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
-
+
long duration = Duration.between(providerResponse.getCreated(), providerResponse.getExpires()).getSeconds();
assertEquals(conditionsProvider.getLifetime(), duration);
Element token = (Element)providerResponse.getToken();
[cxf] 02/02: Fix issue if lifetime only specify expired without
created
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 8633213dff462509be1507475914e457af0800f5
Author: Thomas Papke <th...@icw.de>
AuthorDate: Fri Oct 5 11:21:03 2018 +0200
Fix issue if lifetime only specify expired without created
* Fix cxf checkstyle issues
(cherry picked from commit 4d36d982ffe8894f66d16bfc9199792f90d6e02a)
---
.../org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java | 4 ++--
.../org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
index a9252b9..1bf9be4 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
@@ -141,8 +141,8 @@ public class DefaultConditionsProvider implements ConditionsProvider {
Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime();
if (lifetime > 0) {
- if (acceptClientLifetime && tokenLifetime != null &&
- (tokenLifetime.getCreated() != null || tokenLifetime.getExpires() != null)) {
+ if (acceptClientLifetime && tokenLifetime != null
+ && (tokenLifetime.getCreated() != null || tokenLifetime.getExpires() != null)) {
Instant creationTime = parsedInstantOrDefault(tokenLifetime.getCreated(), Instant.now());
Instant expirationTime = parsedInstantOrDefault(tokenLifetime.getExpires(),
creationTime.plusSeconds(lifetime));
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
index d7c3b33..183bbfa 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
@@ -23,6 +23,8 @@ import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Properties;
+import org.w3c.dom.Element;
+
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.sts.STSConstants;
@@ -40,7 +42,7 @@ import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.CustomTokenPrincipal;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.common.util.DateUtil;
-import org.w3c.dom.Element;
+
/**