Merge pull request #1485 from ivassile/JBEAP-20939

[ELY-2069] JWT token validation uses int instead of long for the dates: exp (expiration) and nbf
wildfly-security · Mar 18, 2021 · aee5147 · aee5147
2 parents f340095 + 54f61c8
commit aee5147
Showing 1 changed file with 10 additions and 9 deletions.
diff --git a/...alm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java b/...alm/token/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java
@@ -135,16 +135,17 @@ && verifyTimeConstraints(claims)) {
     }
 
     private boolean verifyTimeConstraints(JsonObject claims) {
-        int currentTime = currentTimeInSeconds();
-        boolean expired = currentTime > claims.getInt("exp", -1);
+        long currentTime = currentTimeInSeconds();
+        if (claims.containsKey("exp")) {
+            boolean expired = currentTime > claims.getJsonNumber("exp").longValue();
 
-        if (expired) {
-            log.debug("Token expired");
-            return false;
+            if (expired) {
+                log.debug("Token expired");
+                return false;
+            }
         }
-
         if (claims.containsKey("nbf")) {
-            boolean notBefore = currentTime >= claims.getInt("nbf");
+            boolean notBefore = currentTime >= claims.getJsonNumber("nbf").longValue();
 
             if (!notBefore) {
                 log.debugf("Token is before [%s]", notBefore);
@@ -314,8 +315,8 @@ private PublicKey resolvePublicKey(JsonObject headers) {
         }
     }
 
-    private static int currentTimeInSeconds() {
-        return ((int) (System.currentTimeMillis() / 1000));
+    private static long currentTimeInSeconds() {
+        return System.currentTimeMillis() / 1000;
     }
 
     public static class Builder {