Skip to content

Commit 713e5fb

Browse files
committed
CXF-9221: JCache providers use inverted isExpired() logic causing expired tokens/codes to never be evicted (#3240)
(cherry picked from commit d462fe0)
1 parent 4636c6c commit 713e5fb

4 files changed

Lines changed: 62 additions & 2 deletions

File tree

rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@
3232
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
3333
import org.apache.cxf.rs.security.oauth2.provider.JCacheOAuthDataProvider;
3434
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
35+
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
3536

3637
public class JCacheCodeDataProvider extends JCacheOAuthDataProvider
3738
implements AuthorizationCodeDataProvider {
@@ -133,7 +134,7 @@ protected ServerAuthorizationCodeGrant getCodeGrant(String code) throws OAuthSer
133134
}
134135

135136
protected static boolean isExpired(ServerAuthorizationCodeGrant grant) {
136-
return System.currentTimeMillis() < (grant.getIssuedAt() + grant.getExpiresIn());
137+
return OAuthUtils.isExpired(grant.getIssuedAt(), grant.getExpiresIn());
137138
}
138139

139140
@Override

rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@
3939
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
4040
import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
4141
import org.apache.cxf.rs.security.oauth2.utils.JwtTokenUtils;
42+
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
4243

4344
import static org.apache.cxf.jaxrs.utils.ResourceUtils.getClasspathResourceURL;
4445

@@ -274,7 +275,7 @@ protected List<ServerAccessToken> getJwtAccessTokens(Client client, UserSubject
274275
}
275276

276277
protected static boolean isExpired(ServerAccessToken token) {
277-
return System.currentTimeMillis() < (token.getIssuedAt() + token.getExpiresIn());
278+
return OAuthUtils.isExpired(token.getIssuedAt(), token.getExpiresIn());
278279
}
279280

280281
protected static CacheManager createCacheManager(String configFile, Bus bus) {

rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProviderTest.java

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -87,6 +87,32 @@ public void testAddGetDeleteCodeGrants2() {
8787
assertNotNull(grants);
8888
assertEquals(0, grants.size());
8989
}
90+
91+
@Test
92+
public void testAddGetExpiredCodeGrants() throws InterruptedException {
93+
Client c = addClient("111", "bob");
94+
95+
AuthorizationCodeRegistration atr = new AuthorizationCodeRegistration();
96+
atr.setClient(c);
97+
atr.setApprovedScope(Collections.singletonList("a"));
98+
atr.setSubject(c.getResourceOwnerSubject());
99+
100+
provider.setCodeLifetime(2 /* 2 seconds */);
101+
provider.createCodeGrant(atr);
102+
103+
List<ServerAuthorizationCodeGrant> grants = provider.getCodeGrants(c, c.getResourceOwnerSubject());
104+
assertNotNull(grants);
105+
assertEquals(1, grants.size());
106+
107+
Thread.sleep(3000); /* 3 seconds, grant definitely expires */
108+
grants = provider.getCodeGrants(c, c.getResourceOwnerSubject());
109+
assertEquals(0, grants.size());
110+
111+
provider.removeClient(c.getClientId());
112+
grants = provider.getCodeGrants(c, c.getResourceOwnerSubject());
113+
assertNotNull(grants);
114+
assertEquals(0, grants.size());
115+
}
90116

91117
private Client addClient(String clientId, String userLogin) {
92118
Client c = new Client();

rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProviderTest.java

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,18 @@
1818
*/
1919
package org.apache.cxf.rs.security.oauth2.provider;
2020

21+
import java.util.Collections;
22+
import java.util.List;
23+
24+
import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
25+
import org.apache.cxf.rs.security.oauth2.common.Client;
26+
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
27+
2128
import org.junit.Before;
29+
import org.junit.Test;
30+
31+
import static org.junit.Assert.assertEquals;
32+
import static org.junit.Assert.assertNotNull;
2233

2334
public class JCacheOAuthDataProviderTest extends AbstractOAuthDataProviderTest {
2435

@@ -29,4 +40,25 @@ public void setUp() throws Exception {
2940
setProvider(provider);
3041
}
3142

43+
@Test
44+
public void testAddGetExpiredAccessToken() throws InterruptedException {
45+
Client c = addClient("102", "bob");
46+
47+
AccessTokenRegistration atr = new AccessTokenRegistration();
48+
atr.setClient(c);
49+
atr.setApprovedScope(Collections.singletonList("a"));
50+
atr.setSubject(c.getResourceOwnerSubject());
51+
52+
getProvider().setAccessTokenLifetime(2 /* 2 seconds */);
53+
getProvider().createAccessToken(atr);
54+
List<ServerAccessToken> tokens = getProvider().getAccessTokens(c, null);
55+
assertNotNull(tokens);
56+
assertEquals(1, tokens.size());
57+
58+
Thread.sleep(3000); /* 3 seconds, token definitely expires */
59+
tokens = getProvider().getAccessTokens(c, null);
60+
assertEquals(0, tokens.size());
61+
62+
getProvider().removeClient(c.getClientId());
63+
}
3264
}

0 commit comments

Comments
 (0)