Posted to commits@ws.apache.org by co...@apache.org on 2018/11/28 16:06:24 UTC
svn commit: r1847653 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/cache/
ws-security-common/src/test/java/org/apache/wss4j/common/cache/
ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ ws-securit...
Author: coheigea
Date: Wed Nov 28 16:06:23 2018
New Revision: 1847653
URL: http://svn.apache.org/viewvc?rev=1847653&view=rev
Log:
WSS-637 - Refactor ReplayCache interface to use an expiry Instant instead of a long TTL value
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/EHCacheReplayCache.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/MemoryReplayCache.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/ReplayCache.java
webservices/wss4j/trunk/ws-security-common/src/test/java/org/apache/wss4j/common/cache/ReplayCacheTest.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/UsernameTokenValidator.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/EHCacheReplayCache.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/EHCacheReplayCache.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/EHCacheReplayCache.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/EHCacheReplayCache.java Wed Nov 28 16:06:23 2018
@@ -20,6 +20,7 @@
package org.apache.wss4j.common.cache;
import java.net.URL;
+import java.time.Instant;
import java.util.concurrent.atomic.AtomicInteger;
import net.sf.ehcache.Cache;
@@ -100,24 +101,24 @@ public class EHCacheReplayCache implemen
* @param identifier The identifier to be added
*/
public void add(String identifier) {
- add(identifier, ttl);
+ add(identifier, Instant.now().plusSeconds(DEFAULT_TTL));
}
/**
* Add the given identifier to the cache to be cached for the given time
* @param identifier The identifier to be added
- * @param timeToLive The length of time to cache the Identifier in seconds
+ * @param expiry A custom expiry time for the identifier
*/
- public void add(String identifier, long timeToLive) {
+ public void add(String identifier, Instant expiry) {
if (identifier == null || "".equals(identifier)) {
return;
}
- int parsedTTL = (int)timeToLive;
- if (timeToLive != (long)parsedTTL || parsedTTL < 0 || parsedTTL > MAX_TTL) {
+ int parsedTTL = (int)(expiry.getEpochSecond() - Instant.now().getEpochSecond());
+ if (parsedTTL < 0 || parsedTTL > MAX_TTL) {
// Default to configured value
parsedTTL = (int)ttl;
- if (ttl != (long)parsedTTL) {
+ if (ttl != parsedTTL) {
// Fall back to 60 minutes if the default TTL is set incorrectly
parsedTTL = 3600;
}
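Review bot: `add(String, Instant)` dereferences `expiry` at `expiry.getEpochSecond()` with no null check, so a null expiry throws NullPointerException here, while MemoryReplayCache's version of the same method in this commit tolerates null by falling back to the default TTL. The range check also runs only after the `(int)` narrowing, so the `timeToLive != (long)parsedTTL` guard the old code had is gone and a long difference beyond the int range can wrap into a small positive TTL that passes `parsedTTL > MAX_TTL`; compare in long first and narrow once the value is known to be in range. The whole-second subtraction additionally truncates toward zero, whereas every caller this commit rewrites previously added `1L` to round up (SignatureProcessor, SamlAssertionValidator, WSSSignatureReferenceVerifyInputProcessor, SamlTokenValidatorImpl), so a replay-cache entry can now lapse up to a second before the token it guards does; rounding up restores that margin. The method body, including whatever consumes `parsedTTL`, continues outside the hunk.
```java
    public void add(String identifier, Instant expiry) {
        if (identifier == null || "".equals(identifier)) {
            return;
        }
        // Work in long so a far-future expiry cannot wrap into a small positive int,
        // and round up so the cache entry never expires before the token it guards.
        long secs = -1L;
        if (expiry != null) {
            secs = expiry.getEpochSecond() - Instant.now().getEpochSecond() + 1;
        }
        int parsedTTL = (int) secs;
        if (secs < 0 || secs > MAX_TTL) {
            // Default to configured value
            parsedTTL = (int) ttl;
            if (ttl != parsedTTL) {
                // Fall back to 60 minutes if the default TTL is set incorrectly
                parsedTTL = 3600;
            }
            // … unchanged: remainder of the method outside the hunk …
```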
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/MemoryReplayCache.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/MemoryReplayCache.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/MemoryReplayCache.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/MemoryReplayCache.java Wed Nov 28 16:06:23 2018
@@ -47,31 +47,30 @@ public class MemoryReplayCache implement
* @param identifier The identifier to be added
*/
public void add(String identifier) {
- add(identifier, DEFAULT_TTL);
+ add(identifier, Instant.now().plusSeconds(DEFAULT_TTL));
}
/**
* Add the given identifier to the cache to be cached for the given time
* @param identifier The identifier to be added
- * @param timeToLive The length of time to cache the Identifier in seconds
+ * @param expiry A custom expiry time for the identifier
*/
- public void add(String identifier, long timeToLive) {
+ public void add(String identifier, Instant expiry) {
if (identifier == null || "".equals(identifier)) {
return;
}
- long ttl = timeToLive;
- if (ttl < 0 || ttl > MAX_TTL) {
- ttl = DEFAULT_TTL;
+ Instant now = Instant.now();
+ Instant maxTTL = now.plusSeconds(MAX_TTL);
+ if (expiry == null || expiry.isBefore(now) || expiry.isAfter(maxTTL)) {
+ expiry = now.plusSeconds(DEFAULT_TTL);
}
- Instant expires = Instant.now().plusSeconds(ttl);
-
synchronized (cache) {
- List<String> list = cache.get(expires);
+ List<String> list = cache.get(expiry);
if (list == null) {
list = new ArrayList<>(1);
- cache.put(expires, list);
+ cache.put(expiry, list);
}
list.add(identifier);
}
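Review bot: The new range check reassigns the `expiry` parameter (`expiry = now.plusSeconds(DEFAULT_TTL);`) and then uses it as the map key, which is harder to follow than the `expires` local the old code had and prevents the parameter from being declared final. A single local keeps the intent visible: `Instant expires = (expiry == null || expiry.isBefore(now) || expiry.isAfter(maxTTL)) ? now.plusSeconds(DEFAULT_TTL) : expiry;` followed by `cache.get(expires)` / `cache.put(expires, list)`. Note that an expiry already in the past is not rejected but extended to the default TTL, which is the conservative choice for a replay cache; a comment saying so would help the next reader. The method's closing brace lies outside the hunk.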
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/ReplayCache.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/ReplayCache.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/ReplayCache.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/ReplayCache.java Wed Nov 28 16:06:23 2018
@@ -20,6 +20,7 @@
package org.apache.wss4j.common.cache;
import java.io.Closeable;
+import java.time.Instant;
/**
* A cache to store (String) identifiers to avoid replay attacks. An example of such an identifier
@@ -36,9 +37,9 @@ public interface ReplayCache extends Clo
/**
* Add the given identifier to the cache to be cached for the given time
* @param identifier The identifier to be added
- * @param timeToLive The length of time to cache the Identifier in seconds
+ * @param expiry A custom expiry time for the identifier
*/
- void add(String identifier, long timeToLive);
+ void add(String identifier, Instant expiry);
/**
* Return true if the given identifier is contained in the cache
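Review bot: The new `@param expiry A custom expiry time for the identifier` does not say what an implementation must do when the instant is null, already past, or further ahead than the implementation's maximum, and the two implementations in this commit already disagree on null (MemoryReplayCache substitutes its default TTL, EHCacheReplayCache dereferences it). Since this is the interface that validators program against, the contract belongs here: state that the identifier must remain in the cache at least until `expiry`, and either that null is not permitted or that it selects the implementation's default lifetime, so that the two implementations can be aligned against it.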
Modified: webservices/wss4j/trunk/ws-security-common/src/test/java/org/apache/wss4j/common/cache/ReplayCacheTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/test/java/org/apache/wss4j/common/cache/ReplayCacheTest.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/test/java/org/apache/wss4j/common/cache/ReplayCacheTest.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/test/java/org/apache/wss4j/common/cache/ReplayCacheTest.java Wed Nov 28 16:06:23 2018
@@ -21,6 +21,7 @@ package org.apache.wss4j.common.cache;
import java.io.IOException;
import java.net.URL;
+import java.time.Instant;
import java.util.UUID;
import org.junit.Assert;
@@ -58,12 +59,12 @@ public class ReplayCacheTest extends Ass
// Test specifying TTL caches OK
id = UUID.randomUUID().toString();
- replayCache.add(id, 100L);
+ replayCache.add(id, Instant.now().plusSeconds(100L));
assertTrue(replayCache.contains(id));
// Test expiration
id = UUID.randomUUID().toString();
- replayCache.add(id, 1L);
+ replayCache.add(id, Instant.now().plusSeconds(1L));
Thread.sleep(1250L);
assertFalse(replayCache.contains(id));
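Review bot: The expiration test now derives its one-second lifetime from an `Instant.now()` taken in the test, while EHCacheReplayCache reads `Instant.now()` again inside `add` and subtracts whole epoch seconds, so when the two calls straddle a second boundary the computed TTL is 0 rather than 1. What a zero TTL means to the cache depends on Element construction outside this diff, so the `assertFalse` after `Thread.sleep(1250L)` is now timing-dependent where the old `add(id, 1L)` was exact. Giving the test a clear margin, for example a 2-second expiry with a correspondingly longer sleep, or fixing the rounding in the implementation, would remove the intermittent failure.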
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java Wed Nov 28 16:06:23 2018
@@ -26,8 +26,6 @@ import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
-import java.time.Duration;
-import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -566,7 +564,7 @@ public class SignatureProcessor implemen
// Set the Transform algorithms as well
@SuppressWarnings("unchecked")
- List<Transform> transforms = (List<Transform>)siRef.getTransforms();
+ List<Transform> transforms = siRef.getTransforms();
List<String> transformAlgorithms = new ArrayList<>(transforms.size());
for (Transform transform : transforms) {
transformAlgorithms.add(transform.getAlgorithm());
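Review bot: The `@SuppressWarnings("unchecked")` annotation is kept on the line above `List<Transform> transforms = siRef.getTransforms();` even though the unchecked cast it was suppressing has been removed. If `getTransforms()` returns `List<Transform>` on the JDK this module targets, the annotation is now dead and should be dropped so a future unchecked operation in this method is not silently hidden; if it still returns a raw list, that should be said in a comment rather than left implicit. This hunk is unrelated to the replay-cache change the commit describes, so splitting it out would also make the history easier to follow. The enclosing method starts and ends outside the hunk.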
@@ -683,11 +681,10 @@ public class SignatureProcessor implemen
// Store the Timestamp/SignatureValue/Key combination in the cache
if (timeStamp.getExpires() != null) {
- replayCache.add(identifier, 1L + Duration.between(Instant.now(), timeStamp.getExpires()).getSeconds());
+ replayCache.add(identifier, timeStamp.getExpires());
} else {
replayCache.add(identifier);
}
-
}
/**
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java Wed Nov 28 16:06:23 2018
@@ -159,7 +159,7 @@ public class UsernameTokenProcessor impl
if (created == null || utTTL <= 0) {
replayCache.add(ut.getNonce());
} else {
- replayCache.add(ut.getNonce(), utTTL + 1L);
+ replayCache.add(ut.getNonce(), Instant.now().plusSeconds(utTTL));
}
}
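Review bot: The one-second margin the old call carried (`utTTL + 1L`) is dropped in `replayCache.add(ut.getNonce(), Instant.now().plusSeconds(utTTL));`, and the same happens in the UsernameTokenInputHandler hunk of this commit. `utTTL` is computed outside the hunk, but if it is a whole-second remaining lifetime derived from the token's Created timestamp, the nonce can now leave the replay cache up to a second before the token stops being acceptable; `Instant.now().plusSeconds(utTTL + 1L)` keeps the previous behaviour. A short comment on why the margin exists would stop it being removed again.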
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java Wed Nov 28 16:06:23 2018
@@ -19,7 +19,6 @@
package org.apache.wss4j.dom.validate;
-import java.time.Duration;
import java.time.Instant;
import java.util.List;
@@ -262,9 +261,8 @@ public class SamlAssertionValidator exte
DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
if (expires != null) {
- Instant currentTime = Instant.now();
Instant zonedExpires = Instant.ofEpochMilli(expires.getMillis());
- replayCache.add(identifier, 1L + Duration.between(currentTime, zonedExpires).getSeconds());
+ replayCache.add(identifier, zonedExpires);
} else {
replayCache.add(identifier);
}
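Review bot: The local `zonedExpires` holds an `Instant`, which has no zone, so the name misleads; `Instant.ofEpochMilli(expires.getMillis())` is a plain conversion from the Joda millis and something like `Instant expiresInstant = Instant.ofEpochMilli(expires.getMillis());` describes it accurately. The same name is introduced in the SamlTokenValidatorImpl hunk of this commit. Both sites also now pass the assertion's NotOnOrAfter straight through without the `1L +` round-up the old code applied, so they rely on the cache implementation not to expire the entry early.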
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/UsernameTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/UsernameTokenValidator.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/UsernameTokenValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/UsernameTokenValidator.java Wed Nov 28 16:06:23 2018
@@ -103,7 +103,7 @@ public class UsernameTokenValidator impl
* Verify a UsernameToken containing a password of some unknown (but specified) password
* type. It does this by querying a CallbackHandler instance to obtain a password for the
* given username, and then comparing it against the received password.
- * This method currently uses the same LOG.c as the verifyPlaintextPassword case, but it in
+ * This method currently uses the same logic as the verifyPlaintextPassword case, but it in
* a separate protected method to allow users to override the validation of the custom
* password type specific case.
* @param usernameToken The UsernameToken instance to verify
@@ -118,7 +118,7 @@ public class UsernameTokenValidator impl
* Verify a UsernameToken containing a plaintext password. It does this by querying a
* CallbackHandler instance to obtain a password for the given username, and then comparing
* it against the received password.
- * This method currently uses the same LOG.c as the verifyDigestPassword case, but it in
+ * This method currently uses the same logic as the verifyDigestPassword case, but it in
* a separate protected method to allow users to override the validation of the plaintext
* password specific case.
* @param usernameToken The UsernameToken instance to verify
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/UsernameTokenInputHandler.java Wed Nov 28 16:06:23 2018
@@ -93,7 +93,7 @@ public class UsernameTokenInputHandler e
if (created == null || utTTL <= 0) {
replayCache.add(nonce);
} else {
- replayCache.add(nonce, utTTL + 1L);
+ replayCache.add(nonce, Instant.now().plusSeconds(utTTL));
}
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java Wed Nov 28 16:06:23 2018
@@ -22,7 +22,6 @@ import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoField;
import java.util.Arrays;
@@ -323,8 +322,7 @@ public class WSSSignatureReferenceVerify
// Store the Timestamp/SignatureValue combination in the cache
Instant expires = timestampSecurityEvent.getExpires();
if (expires != null) {
- Instant currentTime = Instant.now();
- replayCache.add(cacheKey, 1L + Duration.between(currentTime, expires).getSeconds());
+ replayCache.add(cacheKey, expires);
} else {
replayCache.add(cacheKey);
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java?rev=1847653&r1=1847652&r2=1847653&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java Wed Nov 28 16:06:23 2018
@@ -18,7 +18,6 @@
*/
package org.apache.wss4j.stax.validate;
-import java.time.Duration;
import java.time.Instant;
import java.util.List;
@@ -260,8 +259,8 @@ public class SamlTokenValidatorImpl exte
DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter();
if (expires != null) {
- Instant currentTime = Instant.now();
- replayCache.add(identifier, 1L + Duration.between(currentTime, expires.toDate().toInstant()).getSeconds());
+ Instant zonedExpires = Instant.ofEpochMilli(expires.getMillis());
+ replayCache.add(identifier, zonedExpires);
} else {
replayCache.add(identifier);
}