Posted to commits@cxf.apache.org by se...@apache.org on 2016/04/19 11:45:40 UTC

cxf git commit: Checking null and negative OAuth2 lifetime property

Repository: cxf
Updated Branches:
  refs/heads/master 679835fe2 -> 27824e144


Checking null and negative OAuth2 lifetime property


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/27824e14
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/27824e14
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/27824e14

Branch: refs/heads/master
Commit: 27824e14407cb2a4e1ef1a1c02a77a24ebe4b2bf
Parents: 679835f
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Tue Apr 19 10:45:18 2016 +0100
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Tue Apr 19 10:45:18 2016 +0100

----------------------------------------------------------------------
 .../apache/cxf/rs/security/oauth2/utils/OAuthUtils.java   | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/27824e14/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index a7f9dc6..c1a1474 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -187,8 +187,14 @@ public final class OAuthUtils {
     }
     
     public static boolean isExpired(Long issuedAt, Long lifetime) {
-        return lifetime != 0L
-            && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
+        // At some point -1 was used to indicate an unlimited lifetime
+        // with 0 being introduced instead at a later stage. 
+        // In theory there still could be a code around initializing the tokens with -1. 
+        // Treating -1 and 0 the same way is reasonable and it also makes it easier to
+        // deal with the token introspection responses with no issuedAt time reported
+        return lifetime == null
+            || lifetime < -1
+            || lifetime > 0L && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
     }
     
     public static boolean validateAudience(String providedAudience,
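Review bot: The new guard covers a null or out-of-range `lifetime`, but `issuedAt` is still unboxed unguarded in `issuedAt + lifetime` on the last line of the expression, so a positive lifetime paired with a null `issuedAt` throws a NullPointerException instead of returning an answer; the added comment itself mentions introspection responses that report no issuedAt, which is exactly that case. Since an expiry that cannot be computed should fail closed, I would extend the last clause to `|| lifetime > 0L && (issuedAt == null || issuedAt + lifetime < System.currentTimeMillis() / 1000L);`. It would also help a reader to have a one-line Javadoc stating the contract explicitly, e.g. that `null` or a value below `-1` is reported as expired while `-1` and `0` mean the token never expires, since callers treat the boolean as an authorization decision.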