Skip to content

Commit 46f9039

Browse files
committed
CXF-9221: JCache providers use inverted isExpired() logic causing expired tokens/codes to never be evicted
1 parent bb10fd8 commit 46f9039

4 files changed

Lines changed: 57 additions & 2 deletions

File tree

rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@
3232
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
3333
import org.apache.cxf.rs.security.oauth2.provider.JCacheOAuthDataProvider;
3434
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
35+
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
3536

3637
public class JCacheCodeDataProvider extends JCacheOAuthDataProvider
3738
implements AuthorizationCodeDataProvider {
@@ -133,7 +134,7 @@ protected ServerAuthorizationCodeGrant getCodeGrant(String code) throws OAuthSer
133134
}
134135

135136
protected static boolean isExpired(ServerAuthorizationCodeGrant grant) {
136-
return System.currentTimeMillis() < (grant.getIssuedAt() + grant.getExpiresIn());
137+
return OAuthUtils.isExpired(grant.getIssuedAt(), grant.getExpiresIn());
137138
}
138139

139140
@Override

rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@
3939
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
4040
import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
4141
import org.apache.cxf.rs.security.oauth2.utils.JwtTokenUtils;
42+
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
4243

4344
import static org.apache.cxf.jaxrs.utils.ResourceUtils.getClasspathResourceURL;
4445

@@ -274,7 +275,7 @@ protected List<ServerAccessToken> getJwtAccessTokens(Client client, UserSubject
274275
}
275276

276277
protected static boolean isExpired(ServerAccessToken token) {
277-
return System.currentTimeMillis() < (token.getIssuedAt() + token.getExpiresIn());
278+
return OAuthUtils.isExpired(token.getIssuedAt(), token.getExpiresIn());
278279
}
279280

280281
protected static CacheManager createCacheManager(String configFile, Bus bus) {

rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProviderTest.java

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -87,6 +87,32 @@ public void testAddGetDeleteCodeGrants2() {
8787
assertNotNull(grants);
8888
assertEquals(0, grants.size());
8989
}
90+
91+
@Test
92+
public void testAddGetExpiredCodeGrants() throws InterruptedException {
93+
Client c = addClient("111", "bob");
94+
95+
AuthorizationCodeRegistration atr = new AuthorizationCodeRegistration();
96+
atr.setClient(c);
97+
atr.setApprovedScope(Collections.singletonList("a"));
98+
atr.setSubject(c.getResourceOwnerSubject());
99+
100+
provider.setCodeLifetime(2 /* 2 seconds */);
101+
provider.createCodeGrant(atr);
102+
103+
List<ServerAuthorizationCodeGrant> grants = provider.getCodeGrants(c, c.getResourceOwnerSubject());
104+
assertNotNull(grants);
105+
assertEquals(1, grants.size());
106+
107+
Thread.sleep(3000); /* 3 seconds, grant definitely expires */
108+
grants = provider.getCodeGrants(c, c.getResourceOwnerSubject());
109+
assertEquals(0, grants.size());
110+
111+
provider.removeClient(c.getClientId());
112+
grants = provider.getCodeGrants(c, c.getResourceOwnerSubject());
113+
assertNotNull(grants);
114+
assertEquals(0, grants.size());
115+
}
90116

91117
private Client addClient(String clientId, String userLogin) {
92118
Client c = new Client();

rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProviderTest.java

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -201,6 +201,33 @@ public void testAddGetDeleteAccessToken2() {
201201
assertEquals(0, tokens.size());
202202
}
203203

204+
@Test
205+
public void testAddGetExpiredAccessToken() throws InterruptedException {
206+
Client c = addClient("102", "bob");
207+
208+
AccessTokenRegistration atr = new AccessTokenRegistration();
209+
atr.setClient(c);
210+
atr.setApprovedScope(Collections.singletonList("a"));
211+
atr.setSubject(c.getResourceOwnerSubject());
212+
213+
getProvider().setAccessTokenLifetime(2 /* 2 seconds */);
214+
getProvider().createAccessToken(atr);
215+
List<ServerAccessToken> tokens = getProvider().getAccessTokens(c, null);
216+
assertNotNull(tokens);
217+
assertEquals(1, tokens.size());
218+
validateAccessToken(tokens.get(0));
219+
220+
Thread.sleep(3000); /* 3 seconds, token definitely expires */
221+
tokens = getProvider().getAccessTokens(c, null);
222+
assertEquals(0, tokens.size());
223+
224+
getProvider().removeClient(c.getClientId());
225+
226+
tokens = getProvider().getAccessTokens(c, null);
227+
assertNotNull(tokens);
228+
assertEquals(0, tokens.size());
229+
}
230+
204231
@Test
205232
public void testAddGetDeleteAccessTokenWithNullSubject() {
206233
Client c = addClient("102", "bob");

0 commit comments

Comments
 (0)