This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit 8a43eb533f01f54c1f8743d0dc596449eee340a1 Author: Robert Lazarski <[email protected]> AuthorDate: Tue Jun 9 14:25:12 2026 -1000 RAMPART-337: also retire expired tokens on SimpleTokenStore.update() Follow-up to the Gemini review of the RAMPART-337 fix: perform the expired-token cleanup on update() as well as add(), so the store is bounded on every write path (e.g. update/renew-heavy workloads), not only when new tokens are added. Adds SimpleTokenStoreTest.testUpdateRetiresExpiredTokens. Verified with a full clean -Papache-release verify (all modules, all tests including the 9 policy samples) on JDK 25. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .../org/apache/rahas/SimpleTokenStoreTest.java | 24 ++++++++++++++++++++++ .../java/org/apache/rahas/SimpleTokenStore.java | 7 +++++-- 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/modules/rampart-tests/src/test/java/org/apache/rahas/SimpleTokenStoreTest.java b/modules/rampart-tests/src/test/java/org/apache/rahas/SimpleTokenStoreTest.java
index d479396b..0721c4f5 100644
--- a/modules/rampart-tests/src/test/java/org/apache/rahas/SimpleTokenStoreTest.java
+++ b/modules/rampart-tests/src/test/java/org/apache/rahas/SimpleTokenStoreTest.java
@@ -173,6 +173,30 @@ public class SimpleTokenStoreTest extends TestCase { } } + public void testUpdateRetiresExpiredTokens() { + // RAMPART-337: cleanup must also happen on update(), not just add(). + SimpleTokenStore store = new SimpleTokenStore(); + // Large grace so the tokens survive the add() calls below. + store.setExpiredTokenGracePeriodMillis(10 * 60 * 1000L); + try { + store.add(getTestToken("expired-1", new Date(System.currentTimeMillis() - 1000))); + Token toUpdate = getTestToken("valid-1", new Date(System.currentTimeMillis() + 60000)); + store.add(toUpdate); + assertEquals("Both tokens should be present before update", 2, store.getTokenIdentifiers().length); + + // Make expired tokens eligible for removal, then update the valid token. + store.setExpiredTokenGracePeriodMillis(0); + toUpdate.setState(Token.RENEWED); + store.update(toUpdate); + + String[] ids = store.getTokenIdentifiers(); + assertEquals("update() should have retired the expired token", 1, ids.length); + assertEquals("Only the updated token should remain", "valid-1", ids[0]); + } catch (TrustException e) { + fail(e.getMessage()); + } + } + private Token getTestToken(String tokenId) throws TrustException { return getTestToken(tokenId, new Date()); diff --git a/modules/rampart-trust/src/main/java/org/apache/rahas/SimpleTokenStore.java b/modules/rampart-trust/src/main/java/org/apache/rahas/SimpleTokenStore.java index e7e0e2b9..ab4ca915 100644 --- a/modules/rampart-trust/src/main/java/org/apache/rahas/SimpleTokenStore.java +++ b/modules/rampart-trust/src/main/java/org/apache/rahas/SimpleTokenStore.java 
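Review bot: The new test only calls `update()` on a token that is still valid, so it does not pin what happens when the token passed to `update()` is itself past expiry plus grace, which is the case a renew-after-expiry caller would hit now that cleanup runs on this path. A second case that adds an expired token, sets the grace period to 0 and then calls `store.update(expiredToken)` would make the intended outcome explicit (state change succeeds, or `TrustException`). Separately, `catch (TrustException e) { fail(e.getMessage()); }` discards the stack trace; declaring `public void testUpdateRetiresExpiredTokens() throws TrustException` and dropping the try/catch keeps it.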
@@ -129,9 +129,12 @@ public class SimpleTokenStore implements TokenStorage, Serializable { if (token != null && token.getId() != null && token.getId().trim().length() != 0) { - writeLock.lock(); - + writeLock.lock(); + try { + // Retire long-expired tokens on update as well as add, so the + // store is bounded even under update/renew-heavy workloads (RAMPART-337). + removeExpiredTokens(); if (!this.tokens.keySet().contains(token.getId())) { throw new TrustException("noTokenToUpdate", new String[]{token.getId()}); }
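Review bot: `removeExpiredTokens();` is called before the `this.tokens.keySet().contains(token.getId())` check, so if the token being updated is itself expired beyond the grace period the sweep may evict it first and `update()` then throws `noTokenToUpdate`, where such an update (for example marking a token `RENEWED`) would presumably have succeeded before. The body of `removeExpiredTokens()` is not visible here, so confirm whether it can remove the entry for `token.getId()`; if it can, do the existence check first and call `removeExpiredTokens();` after the token has been stored, or exempt the id being updated. The sweep also runs with `writeLock` held on every update; if it scans the whole map, a comment stating that cost (or a minimum interval between sweeps) would help callers with large stores. The rest of `update()`, including where the lock is released, lies outside the hunk.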
