You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@syncope.apache.org by il...@apache.org on 2018/12/21 11:02:55 UTC
[syncope] branch 2_0_X updated: [SYNCOPE-1420] Replacing expired
access tokens upon login
This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch 2_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/2_0_X by this push:
new db5a002 [SYNCOPE-1420] Replacing expired access tokens upon login
db5a002 is described below
commit db5a0020103cf2aee42e360c59f3ca4b57549d4a
Author: Francesco Chicchiriccò <il...@apache.org>
AuthorDate: Fri Dec 21 11:55:16 2018 +0100
[SYNCOPE-1420] Replacing expired access tokens upon login
---
.../java/data/AccessTokenDataBinderImpl.java | 4 +--
.../org/apache/syncope/fit/core/JWTITCase.java | 38 ++++++++++++++++++++++
2 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
index 327b396..45492cf 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
@@ -137,8 +137,8 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
accessToken.setKey(UUID_GENERATOR.generate().toString());
accessToken = replace(subject, claims, authorities, accessToken);
- } else if (replace) {
- // AccessToken found, but replace requested: update existing
+ } else if (replace || accessToken.getExpiryTime() == null || accessToken.getExpiryTime().before(new Date())) {
+ // AccessToken found, but either replace was requested or it is expired: update existing
accessToken = replace(subject, claims, authorities, accessToken);
}
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
index 0720961..a1dbf38 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
@@ -20,6 +20,7 @@ package org.apache.syncope.fit.core;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@@ -47,6 +48,7 @@ import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.syncope.client.lib.SyncopeClient;
+import org.apache.syncope.common.lib.to.AttrTO;
import org.apache.syncope.common.lib.to.UserTO;
import org.apache.syncope.common.rest.api.RESTHeaders;
import org.apache.syncope.common.rest.api.service.AccessTokenService;
@@ -551,4 +553,40 @@ public class JWTITCase extends AbstractITCase {
// expected
}
}
+
+ @Test
+ public void issueSYNCOPE1420() {
+ AttrTO orig = configurationService.get("jwt.lifetime.minutes");
+ try {
+ // set for immediate JWT expiration
+ configurationService.set(new AttrTO.Builder().schema("jwt.lifetime.minutes").value("0").build());
+
+ UserTO user = UserITCase.getUniqueSampleTO("syncope164@syncope.apache.org");
+ user = createUser(user).getEntity();
+ assertNotNull(user);
+
+ // login, get JWT with expiryTime
+ String jwt = clientFactory.create(user.getUsername(), "password123").getJWT();
+
+ JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(jwt);
+ assertTrue(consumer.verifySignatureWith(jwsSignatureVerifier));
+ Long expiryTime = consumer.getJwtClaims().getExpiryTime();
+ assertNotNull(expiryTime);
+
+ // wait for 1 sec, check that JWT is effectively expired
+ try {
+ Thread.sleep(1000L);
+ } catch (InterruptedException e) {
+ // ignore
+ }
+ assertTrue(expiryTime < System.currentTimeMillis());
+
+ // login again, get new JWT
+ // (even if ExpiredAccessTokenCleanup did not run yet, as it is scheduled every 5 minutes)
+ String newJWT = clientFactory.create(user.getUsername(), "password123").getJWT();
+ assertNotEquals(jwt, newJWT);
+ } finally {
+ configurationService.set(orig);
+ }
+ }
}