Posted to commits@cxf.apache.org by co...@apache.org on 2016/10/26 14:40:28 UTC
cxf git commit: CXF-7111 - Make the security token lifetime
configurable
Repository: cxf
Updated Branches:
refs/heads/master c05e56d4a -> 85901843c
CXF-7111 - Make the security token lifetime configurable
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/85901843
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/85901843
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/85901843
Branch: refs/heads/master
Commit: 85901843c09e2c331f3136e4243f6149cfb11a4d
Parents: c05e56d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Oct 26 15:10:49 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Oct 26 15:10:49 2016 +0100
----------------------------------------------------------------------
.../apache/cxf/ws/security/SecurityConstants.java | 7 ++++++-
.../SecureConversationInInterceptor.java | 3 ++-
.../SpnegoContextTokenInInterceptor.java | 3 ++-
.../apache/cxf/ws/security/wss4j/WSS4JUtils.java | 17 ++++++++++++++++-
.../policyhandlers/AbstractBindingBuilder.java | 2 +-
.../policyhandlers/AsymmetricBindingHandler.java | 3 ++-
.../StaxSymmetricBindingHandler.java | 2 +-
.../policyhandlers/SymmetricBindingHandler.java | 9 +++++----
.../policyhandlers/TransportBindingHandler.java | 3 ++-
9 files changed, 37 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index e13dff3..649532f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -290,6 +290,11 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
*/
public static final String SECURITY_CONTEXT_CREATOR = "ws-security.security.context.creator";
+ /**
+ * The security token lifetime value (in milliseconds). The default is "300000" (5 minutes).
+ */
+ public static final String SECURITY_TOKEN_LIFETIME = "ws-security.security.token.lifetime";
+
//
// Validator implementations for validating received security tokens
//
@@ -411,7 +416,7 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
CACHE_IDENTIFIER, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION,
KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION,
POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM,
- SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR
+ SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR, SECURITY_TOKEN_LIFETIME
}));
for (String commonProperty : COMMON_PROPERTIES) {
s.add(commonProperty);
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index e6bdab0..7b5a1a3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -59,6 +59,7 @@ import org.apache.cxf.ws.security.trust.STSUtils;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.neethi.All;
import org.apache.neethi.Assertion;
import org.apache.neethi.ExactlyOne;
@@ -330,7 +331,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
byte clientEntropy[] = null;
int keySize = 256;
- long ttl = 300000L;
+ long ttl = WSS4JUtils.getSecurityTokenLifetime(exchange.getOutMessage());
String tokenType = null;
Element el = DOMUtils.getFirstElement(requestEl);
while (el != null) {
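Review bot: `WSS4JUtils.getSecurityTokenLifetime(exchange.getOutMessage())` on the new line returns the hard-coded 300000L whenever the message handed to it is null, so if the exchange's out message has not been created yet at this point of the in-chain (I cannot confirm that from the hunk; the enclosing method starts and ends outside it), the configured `ws-security.security.token.lifetime` would be ignored silently and the issued token would still get the old fixed lifetime. As far as I know contextual-property lookup in CXF falls through from the message to the exchange, endpoint and bus, so the in message, which certainly exists while an in-interceptor runs, resolves the same configuration: `long ttl = WSS4JUtils.getSecurityTokenLifetime(exchange.getInMessage());`. The same applies to the `expires.setTime(...)` line in the SpnegoContextTokenInInterceptor hunk.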
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index 4c2f371..30d5323 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -51,6 +51,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSUtils;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.neethi.All;
import org.apache.neethi.Assertion;
import org.apache.neethi.ExactlyOne;
@@ -195,7 +196,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// Lifetime
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000L);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(exchange.getOutMessage()));
SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
token.setToken(sct.getElement());
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
index 4869b10..03e2101 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
@@ -72,6 +72,21 @@ public final class WSS4JUtils {
private WSS4JUtils() {
// complete
}
+
+ /**
+ * Get the security token lifetime value (in milliseconds). The default is "300000" (5 minutes).
+ * @return the security token lifetime value in milliseconds
+ */
+ public static long getSecurityTokenLifetime(Message message) {
+ if (message != null) {
+ String tokenLifetime =
+ (String)message.getContextualProperty(SecurityConstants.SECURITY_TOKEN_LIFETIME);
+ if (tokenLifetime != null) {
+ return Long.parseLong(tokenLifetime);
+ }
+ }
+ return 300000L;
+ }
/**
* Get a ReplayCache instance. It first checks to see whether caching has been explicitly
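Review bot: The new getSecurityTokenLifetime accepts any value `Long.parseLong` returns without range-checking it, so a misconfigured `0` or negative lifetime produces tokens that are already expired when `created.getTime() + lifetime` is computed at each call site, and a value close to Long.MAX_VALUE overflows that addition into a far-past expiry; a non-numeric string propagates NumberFormatException out of token processing, and a property set programmatically as a Long rather than a String fails the `(String)` cast with ClassCastException. Since this is a configuration lookup rather than request input, read the property as an Object, parse its `toString()`, reject non-positive values and fall back to the 300000L default (with a warning if this class has a logger, which the hunk does not show) instead of letting the failure escape. The Javadoc should also carry `@param message the message whose contextual properties are consulted; may be null`.
```java
public static long getSecurityTokenLifetime(Message message) {
    if (message != null) {
        Object tokenLifetime = message.getContextualProperty(SecurityConstants.SECURITY_TOKEN_LIFETIME);
        if (tokenLifetime != null) {
            try {
                long lifetime = Long.parseLong(tokenLifetime.toString().trim());
                if (lifetime > 0) {
                    return lifetime;
                }
                // non-positive lifetime would yield tokens expired at creation; use the default
            } catch (NumberFormatException ignored) {
                // malformed configuration value; use the default rather than aborting token processing
            }
        }
    }
    return 300000L;
}
```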
@@ -148,7 +163,7 @@ public final class WSS4JUtils {
if (existingToken == null || existingToken.isExpired()) {
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
+ expires.setTime(created.getTime() + getSecurityTokenLifetime(message));
SecurityToken cachedTok = new SecurityToken(securityToken.getId(), created, expires);
cachedTok.setSHA1(securityToken.getSha1Identifier());
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index d891787..c59d16c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -1896,7 +1896,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
SecurityToken secToken =
new SecurityToken(id, utBuilder.getUsernameTokenElement(), created, expires);
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index d771190..33d3ea5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -45,6 +45,7 @@ import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
import org.apache.cxf.ws.security.wss4j.StaxSerializer;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.derivedKey.ConversationConstants;
@@ -810,7 +811,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
|| actInt.intValue() == WSConstants.ST_UNSIGNED) {
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
SecurityToken tempTok = new SecurityToken(id, created, expires);
tempTok.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
tempTok.setX509Certificate(
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
index a23ad09..9ad0ee9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
@@ -602,7 +602,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler {
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000L);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
SecurityToken tempTok =
new SecurityToken(IDGenerator.generateID(null), created, expires);
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 61e388f..c70b5f7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -44,6 +44,7 @@ import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
import org.apache.cxf.ws.security.wss4j.StaxSerializer;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.crypto.Crypto;
@@ -914,7 +915,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
SecurityToken tempTok = new SecurityToken(
id,
encrKey.getEncryptedKeyElement(),
@@ -959,7 +960,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
SecurityToken tempTok =
new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
tempTok.setSecret(secret);
@@ -975,7 +976,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
// Store it in the cache
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
String encryptedKeyID = (String)encryptedKeyResult.get(WSSecurityEngineResult.TAG_ID);
SecurityToken tempTok = new SecurityToken(encryptedKeyID, created, expires);
@@ -1007,7 +1008,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
SecurityToken tempTok = new SecurityToken(utID, created, expires);
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
http://git-wip-us.apache.org/repos/asf/cxf/blob/85901843/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 15b2162..4e092d7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -38,6 +38,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.crypto.Crypto;
@@ -329,7 +330,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
Date created = new Date();
Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
+ expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
SecurityToken tempTok =
new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
tempTok.setSecret(secret);