cxf-dev mailing list archives

From Al Le <al...@gmx.de>
Subject STSClient: too permissive?
Date Thu, 15 Aug 2013 19:55:40 GMT
Hello.

I am studying the code of the STS client, specifically the part where the
returned token is extracted from the response. If I understand it
correctly, the code is too permissive.

In the WS-Trust 1.3 spec, section 4.3 (Returning a Security Token
Collection), it reads:

> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
> be used to return a security token

But in the code (AbstractSTSClient.java:1246, i.e. the method 
"createSecurityToken") both "RequestSecurityTokenResponseCollection" and 
"RequestSecurityTokenResponse" are accepted.

Has it been made so as not to reject tokens issued by some widespread
implementation? Or is it a (minor) bug (or, better said, an inaccuracy)?

AL
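The following is an added illustration of the strict reading of WS-Trust 1.3 section 4.3 that the message argues for; it is example code written for this page, not CXF's AbstractSTSClient.createSecurityToken and not part of the original message. It parses two constructed responses (not captured from a real STS), accepts only a top-level wst:RequestSecurityTokenResponseCollection in the WS-Trust 1.3 namespace, and rejects a bare wst:RequestSecurityTokenResponse. The class and method names are hypothetical, and treating more than one RSTR inside the collection as an error is a design choice for a single Issue request, not something the spec text quoted above requires.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

/** Added example (hypothetical class, not CXF code): strict RSTRC-only token extraction. */
public class StrictRstrcCheck {
    /** WS-Trust 1.3 namespace. */
    static final String WST13_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

    // Constructed sample responses for the demonstration (not real STS output).
    static final String RSTRC_RESPONSE =
        "<wst:RequestSecurityTokenResponseCollection xmlns:wst=\"" + WST13_NS + "\">"
        + "<wst:RequestSecurityTokenResponse>"
        + "<wst:RequestedSecurityToken><DummyToken/></wst:RequestedSecurityToken>"
        + "</wst:RequestSecurityTokenResponse>"
        + "</wst:RequestSecurityTokenResponseCollection>";
    static final String BARE_RSTR_RESPONSE =
        "<wst:RequestSecurityTokenResponse xmlns:wst=\"" + WST13_NS + "\">"
        + "<wst:RequestedSecurityToken><DummyToken/></wst:RequestedSecurityToken>"
        + "</wst:RequestSecurityTokenResponse>";

    /** Parse with a namespace-aware, DTD-free builder so entity tricks in a hostile response cannot fire. */
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setExpandEntityReferences(false);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement();
    }

    static boolean isWst13(Node n, String localName) {
        return n.getNodeType() == Node.ELEMENT_NODE
            && WST13_NS.equals(n.getNamespaceURI())
            && localName.equals(n.getLocalName());
    }

    /**
     * Returns the wst:RequestedSecurityToken element of the single RSTR inside an RSTRC.
     * Throws if the root is anything else, including a bare RSTR.
     */
    static Element extractRequestedToken(Element root) {
        if (!isWst13(root, "RequestSecurityTokenResponseCollection")) {
            throw new IllegalArgumentException("Expected wst:RequestSecurityTokenResponseCollection, got {"
                + root.getNamespaceURI() + "}" + root.getLocalName());
        }
        Element rstr = null;
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            if (!isWst13(n, "RequestSecurityTokenResponse")) {
                throw new IllegalArgumentException("Unexpected child of RSTRC: " + n.getNodeName());
            }
            if (rstr != null) {
                // Design choice for a single Issue request: one RSTR expected.
                throw new IllegalArgumentException("More than one RSTR in the collection");
            }
            rstr = (Element) n;
        }
        if (rstr == null) {
            throw new IllegalArgumentException("RSTRC contains no RSTR");
        }
        for (Node n = rstr.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (isWst13(n, "RequestedSecurityToken")) {
                return (Element) n;
            }
        }
        throw new IllegalArgumentException("RSTR contains no wst:RequestedSecurityToken");
    }

    public static void main(String[] args) throws Exception {
        Element token = extractRequestedToken(parse(RSTRC_RESPONSE));
        System.out.println("RSTRC accepted, token payload: " + token.getFirstChild().getNodeName());
        try {
            extractRequestedToken(parse(BARE_RSTR_RESPONSE));
            System.out.println("bare RSTR accepted (permissive)");
        } catch (IllegalArgumentException e) {
            System.out.println("bare RSTR rejected: " + e.getMessage());
        }
    }
}
```

The check keys on both the local name and the WS-Trust 1.3 namespace URI; a client that also wants to talk to an STS speaking the older WS-Trust 1.2 namespace (http://schemas.xmlsoap.org/ws/2005/02/trust) has to decide explicitly which root elements and namespaces it will accept, which is the trade-off the message is asking about.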
