Posted to commits@cxf.apache.org by se...@apache.org on 2016/02/03 12:02:47 UTC
cxf git commit: Updating OIDC RP filter to check if the context ID
token has expired
Repository: cxf
Updated Branches:
refs/heads/master a3023aa0d -> 2df002245
Updating OIDC RP filter to check if the context ID token has expired
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2df00224
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2df00224
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2df00224
Branch: refs/heads/master
Commit: 2df002245e1fdc60020e110d6d290d3d13d305ad
Parents: a3023aa
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Feb 3 11:02:32 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Feb 3 11:02:32 2016 +0000
----------------------------------------------------------------------
.../security/oidc/rp/OidcRpAuthenticationFilter.java | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2df00224/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
index 43950fe..3cead95 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
@@ -36,11 +36,15 @@ import javax.ws.rs.core.UriBuilder;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.jaxrs.ext.MessageContextImpl;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.utils.FormUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
import org.apache.cxf.rs.security.oauth2.client.ClientTokenContextManager;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
@PreMatching
@Priority(Priorities.AUTHENTICATION)
@@ -77,9 +81,17 @@ public class OidcRpAuthenticationFilter implements ContainerRequestFilter {
if (tokenContext == null) {
return false;
}
+ IdToken idToken = tokenContext.getIdToken();
+ try {
+ // If ID token has expired then the context is no longer valid
+ JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
+ } catch (JwtException ex) {
+ stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
+ return false;
+ }
OidcClientTokenContextImpl newTokenContext = new OidcClientTokenContextImpl();
newTokenContext.setToken(tokenContext.getToken());
- newTokenContext.setIdToken(tokenContext.getIdToken());
+ newTokenContext.setIdToken(idToken);
newTokenContext.setUserInfo(tokenContext.getUserInfo());
newTokenContext.setState(toRequestState(rc));
JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, newTokenContext);
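Review bot: The third argument of `JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null)` marks the `exp` claim as required only when it is already present, so a stored ID token with no `exp` passes this check and its context never expires here. OIDC Core makes `exp` mandatory in ID tokens, so the check should fail closed with `JwtUtils.validateJwtExpiry(idToken, 0, true);`. The same expression dereferences `idToken` without a null check, and a `NullPointerException` would not be handled by `catch (JwtException ex)`. If `tokenContext.getIdToken()` can return null for a stored context (not visible in this hunk), that case should be treated like expiry: remove the context and return false. The enclosing method starts and ends outside the hunk, so whether `exp` is already enforced when the token is first accepted cannot be confirmed from here.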