cxf-dev mailing list archives

From Al Le <>
Subject STSClient: too permissive?
Date Thu, 15 Aug 2013 19:55:40 GMT

I study the code of the STS Client, specifically the part where the
returned token is extracted from the response. If I understand it
correctly, the code is too permissive.

In the WS-Trust 1.3 spec, section 4.3 (Returning a Security Token
Collection), it reads:

> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
> be used to return a security token

But in the code (, i.e. the method 
"createSecurityToken") both "RequestSecurityTokenResponseCollection" and 
"RequestSecurityTokenResponse" are accepted.

Has it been made so as not to reject tokens issued by some widespread
implementation? Or is it a (minor) bug (or, better said, an inaccuracy)?
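One way to express the strict reading of section 4.3 quoted above, as an added Python example rather than CXF's own STSClient code (the element and namespace names are those of WS-Trust 1.3 and SOAP 1.1; the sample responses and the placeholder token element are constructed for the example):

```python
import xml.etree.ElementTree as ET

# Namespaces: WS-Trust 1.3 (the spec cited in the message) and SOAP 1.1.
WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
RSTRC = "{%s}RequestSecurityTokenResponseCollection" % WST_NS
RSTR = "{%s}RequestSecurityTokenResponse" % WST_NS
REQUESTED = "{%s}RequestedSecurityToken" % WST_NS

def extract_issued_token(soap_xml, allow_bare_rstr=False):
    """Return the token element carried in wst:RequestedSecurityToken.

    Strict mode (default) follows WS-Trust 1.3 section 4.3 and requires an RSTRC
    at the top of the Body; allow_bare_rstr=True mirrors the lenient behaviour
    the message describes, where a top-level RSTR is accepted as well."""
    body = ET.fromstring(soap_xml).find("{%s}Body" % SOAP_NS)
    if body is None or len(body) == 0:
        raise ValueError("SOAP Body missing or empty")
    top = body[0]
    if top.tag == RSTRC:
        rstrs = top.findall(RSTR)          # direct RSTR children only
    elif top.tag == RSTR and allow_bare_rstr:
        rstrs = [top]
    else:
        raise ValueError("expected RequestSecurityTokenResponseCollection, got " + top.tag)
    if len(rstrs) != 1:
        raise ValueError("expected exactly one RSTR, got %d" % len(rstrs))
    requested = rstrs[0].find(REQUESTED)
    if requested is None or len(requested) == 0:
        raise ValueError("no wst:RequestedSecurityToken with a token child")
    return requested[0]

def is_spec_conformant(soap_xml):
    """True only if the response passes the strict RSTRC-only check."""
    try:
        extract_issued_token(soap_xml)
        return True
    except (ValueError, ET.ParseError):
        return False

# Constructed sample responses (not real STS output); the token is a placeholder.
_TOKEN = '<tok:Token xmlns:tok="urn:example:token" id="t1"/>'
_RSTR = ('<wst:RequestSecurityTokenResponse xmlns:wst="%s">'
         '<wst:RequestedSecurityToken>%s</wst:RequestedSecurityToken>'
         '</wst:RequestSecurityTokenResponse>' % (WST_NS, _TOKEN))
_ENVELOPE = '<s:Envelope xmlns:s="%s"><s:Body>%%s</s:Body></s:Envelope>' % SOAP_NS
COLLECTION_RESPONSE = _ENVELOPE % ('<wst:RequestSecurityTokenResponseCollection '
                                   'xmlns:wst="%s">%s</wst:RequestSecurityTokenResponseCollection>'
                                   % (WST_NS, _RSTR))
BARE_RSTR_RESPONSE = _ENVELOPE % _RSTR
```

With the default strict setting the bare-RSTR response is rejected; passing allow_bare_rstr=True reproduces the permissive behaviour the message asks about.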

