Posted to commits@cxf.apache.org by co...@apache.org on 2018/08/14 19:23:13 UTC
[cxf] 01/03: CXF-7810 - Allow to avoid setting the Cookie Expiry
time by setting the stateTimeToLive to 0
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 6100dde4aaff418058188f45300848c0e4fe46ed
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Aug 14 16:14:13 2018 +0100
CXF-7810 - Allow to avoid setting the Cookie Expiry time by setting the stateTimeToLive to 0
(cherry picked from commit f4f4075ddcadc7dddc9c887a94776e022b00677f)
---
.../AbstractRequestAssertionConsumerHandler.java | 14 +++++++++++---
.../rs/security/saml/sso/AbstractSSOSpHandler.java | 21 ++++++++++++---------
.../saml/sso/AbstractServiceProviderFilter.java | 3 ++-
.../rs/security/saml/sso/state/RequestState.java | 11 ++++++++++-
4 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index 129caf8..c06b1bd 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -209,7 +209,8 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
if (relayState != null && relayState.getBytes().length > 0 && relayState.getBytes().length < 80) {
// First see if we have a valid RequestState
RequestState requestState = getStateProvider().removeRequestState(relayState);
- if (requestState != null && !isStateExpired(requestState.getCreatedAt(), 0)) {
+ if (requestState != null
+ && !isStateExpired(requestState.getCreatedAt(), requestState.getTimeToLive())) {
return requestState;
}
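Review bot: The expiry check on the restored RequestState now trusts the TTL carried inside the state, and with the override added later in this file a stored timeToLive of 0 means the state never expires; RequestState is Serializable, so a state provider that still holds instances written before this change would report timeToLive 0 and those entries would be accepted indefinitely instead of being measured against the configured TTL as before. If that upgrade case matters, fall back to the configured value before the check, `long ttl = requestState.getTimeToLive() != 0 ? requestState.getTimeToLive() : getStateTimeToLive();`, or document that persisted request state must be discarded on upgrade. The enclosing method starts before this hunk and continues after it.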
@@ -227,7 +228,8 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
getIssuerId(JAXRSUtils.getCurrentMessage()),
"/",
null,
- now.toEpochMilli());
+ now.toEpochMilli(),
+ getStateTimeToLive());
}
if (relayState == null) {
@@ -243,7 +245,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
reportError("MISSING_REQUEST_STATE");
throw ExceptionUtils.toBadRequestException(null, null);
}
- if (isStateExpired(requestState.getCreatedAt(), 0)) {
+ if (isStateExpired(requestState.getCreatedAt(), requestState.getTimeToLive())) {
reportError("EXPIRED_REQUEST_STATE");
throw ExceptionUtils.toBadRequestException(null, null);
}
@@ -426,4 +428,10 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
this.checkClientAddress = checkClientAddress;
}
+ @Override
+ protected boolean isStateExpired(long stateCreatedAt, long expiresAt) {
+ Instant currentTime = Instant.now();
+ return expiresAt > 0 && currentTime.isAfter(Instant.ofEpochMilli(stateCreatedAt + expiresAt));
+ }
+
}
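Review bot: The second parameter of the new override is named `expiresAt` but is used as a duration added to `stateCreatedAt`, and the base-class method of the same signature ignores that parameter entirely, so the two implementations now read the same argument differently; rename it to `timeToLive` and say what 0 means, since that is the whole point of the change. Suggested shape: `protected boolean isStateExpired(long stateCreatedAt, long timeToLive) {` with the Javadoc `/** A timeToLive of zero or less disables expiry (CXF-7810); otherwise the state expires timeToLive ms after stateCreatedAt. */`. A very large TTL also overflows `stateCreatedAt + expiresAt` to a negative epoch and reports every state expired; `Math.addExact` or a saturating check would make that failure explicit rather than silent.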
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java
index ab53076..b717bcb 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractSSOSpHandler.java
@@ -123,14 +123,17 @@ public class AbstractSSOSpHandler {
contextCookie += ";Domain=" + domain;
}
- // Keep the cookie across the browser restarts until it actually expires.
- // Note that the Expires property has been deprecated but apparently is
- // supported better than 'max-age' property by different browsers
- // (Firefox, IE, etc)
- Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
- String cookieExpires =
- HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
- contextCookie += ";Expires=" + cookieExpires;
+ if (stateTimeToLive > 0) {
+ // Keep the cookie across the browser restarts until it actually expires.
+ // Note that the Expires property has been deprecated but apparently is
+ // supported better than 'max-age' property by different browsers
+ // (Firefox, IE, etc)
+ Instant expires = Instant.ofEpochMilli(System.currentTimeMillis() + stateTimeToLive);
+ String cookieExpires =
+ HttpUtils.getHttpDateFormat().format(Date.from(expires.atZone(ZoneOffset.UTC).toInstant()));
+ contextCookie += ";Expires=" + cookieExpires;
+ }
+
//TODO: Consider adding an 'HttpOnly' attribute
return contextCookie;
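Review bot: Skipping the Expires attribute when stateTimeToLive is 0 turns the context cookie into a session cookie as intended, but the `isStateExpired` in the next hunk of this file still computes `stateCreatedAt + getStateTimeToLive()` and ignores its `expiresAt` argument, so with a TTL of 0 the expiry instant equals createdAt and `currentTime.isAfter(expires)` is true for every later check; any subclass that does not override it (AbstractServiceProviderFilter extends this class and no override is visible in this diff) would then reject all state. Guard the base implementation the same way as the cookie, `if (getStateTimeToLive() <= 0) { return false; }` before the Instant arithmetic. Note also that a negative stateTimeToLive previously produced an Expires date in the past, which browsers treat as a delete, and now appears to yield a persistent session cookie; if that is acceptable it should be stated on the stateTimeToLive setter's Javadoc. The method that builds contextCookie starts outside this hunk.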
@@ -138,7 +141,7 @@ public class AbstractSSOSpHandler {
protected boolean isStateExpired(long stateCreatedAt, long expiresAt) {
Instant currentTime = Instant.now();
- Instant expires = Instant.ofEpochMilli(stateCreatedAt + getStateTimeToLive());
+ Instant expires = Instant.ofEpochMilli(stateCreatedAt + getStateTimeToLive());
if (currentTime.isAfter(expires)) {
return true;
}
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
index 7928ee8..283a1bc 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
@@ -241,7 +241,8 @@ public abstract class AbstractServiceProviderFilter extends AbstractSSOSpHandler
getIssuerId(m),
webAppContext,
getWebAppDomain(),
- System.currentTimeMillis());
+ System.currentTimeMillis(),
+ getStateTimeToLive());
String relayState = URLEncoder.encode(UUID.randomUUID().toString(), StandardCharsets.UTF_8.name());
getStateProvider().setRequestState(relayState, requestState);
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/RequestState.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/RequestState.java
index 2eaf71d..06f3d71 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/RequestState.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/RequestState.java
@@ -37,18 +37,21 @@ public class RequestState implements Serializable {
private String webAppContext;
private String webAppDomain;
private long createdAt;
+ private long timeToLive;
public RequestState() {
}
+ // CHECKSTYLE:OFF
public RequestState(String targetAddress,
String idpServiceAddress,
String samlRequestId,
String issuerId,
String webAppContext,
String webAppDomain,
- long createdAt) {
+ long createdAt,
+ long timeToLive) {
this.targetAddress = targetAddress;
this.idpServiceAddress = idpServiceAddress;
this.samlRequestId = samlRequestId;
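Review bot: Adding the `timeToLive` field changes the serialized form of a Serializable class, and the hunk does not show a serialVersionUID; if there is none, the default computed UID changes and previously persisted RequestState instances fail to deserialize, and if there is one they come back with timeToLive 0, which the consumer-side check in this commit treats as never expiring. Either way the new parameter needs Javadoc that fixes its contract, e.g. `@param timeToLive lifetime in milliseconds measured from createdAt; 0 disables expiry`. The `// CHECKSTYLE:OFF` marker silences the parameter-count warning rather than addressing it; keeping the existing seven-argument constructor and adding the TTL through a second constructor or a builder would avoid both the suppression and the signature change for existing callers.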
@@ -56,7 +59,9 @@ public class RequestState implements Serializable {
this.webAppContext = webAppContext;
this.webAppDomain = webAppDomain;
this.createdAt = createdAt;
+ this.timeToLive = timeToLive;
}
+ // CHECKSTYLE:ON
public String getTargetAddress() {
return targetAddress;
@@ -78,6 +83,10 @@ public class RequestState implements Serializable {
return createdAt;
}
+ public long getTimeToLive() {
+ return timeToLive;
+ }
+
public String getWebAppContext() {
return webAppContext;
}
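Review bot: `getTimeToLive` returns a bare long with no indication of its unit or of the special meaning of 0, both of which the callers added in AbstractRequestAssertionConsumerHandler depend on. Add `/** Lifetime in milliseconds relative to {@link #getCreatedAt()}; 0 (or a negative value) means the state does not expire. */` above the getter so that state providers serializing this value apply the same interpretation.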