1   /*
2    * Copyright 2008 Web Cohesion
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.springframework.security.oauth.provider.nonce;
18  
19  import org.springframework.security.authentication.CredentialsExpiredException;
20  import org.springframework.security.core.AuthenticationException;
21  import org.springframework.security.oauth.provider.ConsumerDetails;
22  
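/**
 * Nonce services that validate only the timestamp of a consumer request. The nonce itself is
 * never stored or compared, so this implementation provides no replay protection: a request stays
 * acceptable for the whole validity window, however many times it is presented.
 *
 * <p>The timestamp is interpreted as the number of seconds from January 1, 1970 00:00:00 GMT. If the
 * timestamp is older than the configured validity window, the nonce is not valid. The default
 * validity window is 12 hours.
 *
 * <p>Only the age of the timestamp is bounded. A timestamp that lies in the future is accepted, so
 * deployments that need a two-sided skew check or replay detection must add it elsewhere.
 *
 * @author Ryan Heaton
 */
public class ExpiringTimestampNonceServices implements OAuthNonceServices {

  // Default validity window: 12 hours, expressed in seconds.
  private long validityWindowSeconds = 60 * 60 * 12;

  /**
   * Rejects a request whose timestamp is older than the validity window.
   *
   * @param consumerDetails the consumer making the request (not consulted by this implementation).
   * @param timestamp the request timestamp, in seconds since the epoch.
   * @param nonce the request nonce (not consulted by this implementation).
   * @throws AuthenticationException a {@link CredentialsExpiredException} if the timestamp is older
   *         than the validity window.
   */
  public void validateNonce(ConsumerDetails consumerDetails, long timestamp, String nonce) throws AuthenticationException {
    long nowSeconds = System.currentTimeMillis() / 1000;
    long ageSeconds = nowSeconds - timestamp;

    // The subtraction wraps around when the operands have opposite signs and the result's sign
    // differs from nowSeconds. Without this check an extremely negative timestamp would produce a
    // negative "age" and be accepted as fresh.
    boolean wrapped = ((nowSeconds ^ timestamp) & (nowSeconds ^ ageSeconds)) < 0;

    // On wrap-around the true age is beyond the long range: a negative timestamp is older than
    // any window, a positive one is in the future (accepted, as for every future timestamp).
    boolean expired = wrapped ? timestamp < 0 : ageSeconds > getValidityWindowSeconds();
    if (expired) {
      throw new CredentialsExpiredException("Expired timestamp.");
    }
  }

  /**
   * Get the timestamp validity window (in seconds).
   *
   * @return the timestamp validity window (in seconds).
   */
  public long getValidityWindowSeconds() {
    return validityWindowSeconds;
  }

  /**
   * Set the timestamp validity window (in seconds). The value is stored as given; no range check
   * is applied here. A shorter window narrows the period during which a request is accepted.
   *
   * @param validityWindowSeconds the timestamp validity window (in seconds).
   */
  public void setValidityWindowSeconds(long validityWindowSeconds) {
    this.validityWindowSeconds = validityWindowSeconds;
  }
}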
61  }