Posted to commits@cxf.apache.org by se...@apache.org on 2016/04/19 11:45:40 UTC
cxf git commit: Checking null and negative OAuth2 lifetime property
Repository: cxf
Updated Branches:
refs/heads/master 679835fe2 -> 27824e144
Checking null and negative OAuth2 lifetime property
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/27824e14
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/27824e14
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/27824e14
Branch: refs/heads/master
Commit: 27824e14407cb2a4e1ef1a1c02a77a24ebe4b2bf
Parents: 679835f
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Tue Apr 19 10:45:18 2016 +0100
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Tue Apr 19 10:45:18 2016 +0100
----------------------------------------------------------------------
.../apache/cxf/rs/security/oauth2/utils/OAuthUtils.java | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/27824e14/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index a7f9dc6..c1a1474 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -187,8 +187,14 @@ public final class OAuthUtils {
}
public static boolean isExpired(Long issuedAt, Long lifetime) {
- return lifetime != 0L
- && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
+ // At some point -1 was used to indicate an unlimited lifetime
+ // with 0 being introduced instead at a later stage.
+ // In theory there still could be a code around initializing the tokens with -1.
+ // Treating -1 and 0 the same way is reasonable and it also makes it easier to
+ // deal with the token introspection responses with no issuedAt time reported
+ return lifetime == null
+ || lifetime < -1
+ || lifetime > 0L && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
}
public static boolean validateAudience(String providedAudience,
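Review bot: The new guard covers a null or negative `lifetime` but still unboxes `issuedAt` unconditionally in the last clause, so a token with a positive lifetime and no issued-at value (the introspection case the added comment mentions) throws a NullPointerException from `issuedAt + lifetime` instead of returning a verdict. A fail-closed form would be `|| lifetime > 0L && (issuedAt == null || issuedAt + lifetime < System.currentTimeMillis() / 1000L);`, treating an unknown issue time as expired rather than trusting the token; whether callers expect that rather than "not expired" I cannot tell from the hunk, so the intended policy should be stated in a comment such as `// issuedAt == null: cannot bound the lifetime, so treat the token as expired`. The expression also relies on `&&` binding tighter than `||`, which is correct but worth making explicit with the parentheses above, and a `@param`/`@return` Javadoc on `isExpired` spelling out that 0 and -1 mean "never expires" would make the contract discoverable without reading the comment block.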