[ https://issues.apache.org/jira/browse/CXF-2524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774068#action_12774068 ]
Oliver Wulff commented on CXF-2524:
-----------------------------------

I went through the CXF code and found only one location where SecurityToken.getExpires is called:

MemoryTokenStore.java:
>>>
    protected void processTokenExpiry() {
        long time = System.currentTimeMillis();
        for (SecurityToken token : tokens.values()) {
            if (token.getState() == State.EXPIRED
                || token.getState() == State.CANCELLED) {
                if (autoRemove) {
                    remove(token);
                }
            } else if (token.getExpires() != null
                && token.getExpires().getTimeInMillis() < time) {
                token.setState(SecurityToken.State.EXPIRED);
                if (autoRemove) {
                    remove(token);
                }
            }
        }
    }
>>>

This code can handle a null value for expires and therefore it should be safe to implement the proposed fix.

> STSClient requires Lifetime element in RSTR
> -------------------------------------------
>
>                 Key: CXF-2524
>                 URL: https://issues.apache.org/jira/browse/CXF-2524
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 2.2.4
>            Reporter: Oliver Wulff
>
> The STSClient in CXF requires that an STS returns the Lifetime element which
> is optional as per WS-Trust 1.3 spec:
> [http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html]
> >>>
> 4.4 Returning a Security Token
> ...
> wst:RequestSecurityTokenResponse/wst:Lifetime
> This optional element specifies the lifetime of the issued security token.
> If omitted the lifetime is unspecified (not necessarily unlimited). It is
> RECOMMENDED that if a lifetime exists for a token that this element be
> included in the response.
> >>>
> STSClient.java:
> ...
>         while (el != null) {
>             String ln = el.getLocalName();
>             if (namespace.equals(el.getNamespaceURI())) {
>                 if ("Lifetime".equals(ln)) {
>                     lte = el;
> ...
>         SecurityToken token = new SecurityToken(id, rstDec, lte);
> ...
> SecurityToken.java:
> ...
>     public SecurityToken(String id,
>                  Element tokenElem,
>                  Element lifetimeElem) {
>         this.id = id;
>         this.token = cloneElement(tokenElem);
>         this.processLifeTime(lifetimeElem);
> ...
>     /**
>      * @param lifetimeElem
>      * @throws TrustException
>      */
>     private void processLifeTime(Element lifetimeElem) {
>         try {
>             DatatypeFactory factory = DatatypeFactory.newInstance();
>
>             Element createdElem =
>                 DOMUtils.getFirstChildWithName(lifetimeElem,
>                                                 WSConstants.WSU_NS,
>                                                 WSConstants.CREATED_LN);
>             this.created =
>                 factory.newXMLGregorianCalendar(DOMUtils.getContent(createdElem))
>                     .toGregorianCalendar();
>             Element expiresElem =
>                 DOMUtils.getFirstChildWithName(lifetimeElem,
>                                                 WSConstants.WSU_NS,
>                                                 WSConstants.EXPIRES_LN);
>             this.expires =
>                 factory.newXMLGregorianCalendar(DOMUtils.getContent(expiresElem))
>                     .toGregorianCalendar();
>         } catch (DatatypeConfigurationException e) {
>             //shouldn't happen
>
> If "null" is passed to processLifeTime a NPE occurs. If the CXF internals
> don't depend on the lifetime the following might fix it already:
> ...
>     public SecurityToken(String id,
>                  Element tokenElem,
>                  Element lifetimeElem) {
>         this.id = id;
>         this.token = cloneElement(tokenElem);
>         if (lifetimeElem !=null) this.processLifeTime(lifetimeElem);
> ...
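
The following is an added example, not code from CXF or from this issue: a standalone sketch of a client that accepts an RSTR with or without wst:Lifetime and still bounds how long a token with no stated expiry is kept, since the spec text quoted above says an omitted lifetime is "not necessarily unlimited". The class name LifetimeDemo, the MAX_UNSPECIFIED cap and the sample responses are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class LifetimeDemo {
    static final String WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    // Hypothetical local policy: how long to keep a token whose lifetime the STS left unspecified.
    static final Duration MAX_UNSPECIFIED = Duration.ofMinutes(5);

    /** Returns the wsu:Expires instant, or null when Lifetime or Expires is absent. */
    static Instant parseExpires(String rstrXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(rstrXml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        NodeList lifetimes = root.getElementsByTagNameNS(WST, "Lifetime");
        if (lifetimes.getLength() == 0) return null;   // optional per WS-Trust 1.3, section 4.4
        NodeList exp = ((Element) lifetimes.item(0)).getElementsByTagNameNS(WSU, "Expires");
        return exp.getLength() == 0 ? null : OffsetDateTime.parse(exp.item(0).getTextContent().trim()).toInstant();
    }

    /** Null expiry is tolerated, but the token is still dropped once the local cap has elapsed. */
    static boolean isExpired(Instant expires, Instant receivedAt, Instant now) {
        Instant effective = expires != null ? expires : receivedAt.plus(MAX_UNSPECIFIED);
        return effective.isBefore(now);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses and timestamps, not captured from a real STS.
        String head = "<wst:RequestSecurityTokenResponse xmlns:wst='" + WST + "' xmlns:wsu='" + WSU + "'>";
        String tail = "</wst:RequestSecurityTokenResponse>";
        String with = head + "<wst:Lifetime><wsu:Created>2009-11-05T10:00:00Z</wsu:Created>"
            + "<wsu:Expires>2009-11-05T11:00:00Z</wsu:Expires></wst:Lifetime>" + tail;
        Instant received = Instant.parse("2009-11-05T10:00:00Z");
        Instant now = Instant.parse("2009-11-05T10:30:00Z");
        for (String rstr : new String[] {with, head + tail}) {
            Instant expires = parseExpires(rstr);
            System.out.println("expires=" + expires + " expired=" + isExpired(expires, received, now));
        }
    }
}
```

Unlike the processTokenExpiry loop quoted in the comment, which never expires a token whose getExpires() is null, this sketch falls back to a locally chosen cap for such tokens.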