cxf-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: STSClient: too permissive?
Date Thu, 15 Aug 2013 20:32:32 GMT

On Aug 15, 2013, at 3:55 PM, Al Le <al.le@gmx.de> wrote:

> Hello.
> 
> I study the code of the STS Client, specifically the part where the
> returned token is extracted from the response. If I understand it
> correctly, the code is too permissive.
> 
> In the WS-Trust 1.3 spec, section 4.3 (Returning a Security Token
> Collection), it reads:
> 
>> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
>> be used to return a security token
> 
> But in the code (AbstractSTSClient.java:1246, i.e. the method "createSecurityToken")
> both "RequestSecurityTokenResponseCollection" and "RequestSecurityTokenResponse" are accepted.
> 
> Has it been made so as not to reject tokens issued by some widespread implementation? Or
> is it a (minor) bug (or, better said, an inaccuracy)?

Part of being "generic". WS-Trust 1.0 didn't have a RequestSecurityTokenResponseCollection.
The RequestSecurityTokenResponse element is directly in the response. Since the STSClient
is designed to work for both 1.0 and 1.3, we have to support both. THAT said, we could check
which namespace is being used and adjust accordingly.



-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
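Added example (not CXF code, and not part of the thread above): the namespace check the reply suggests, written stand-alone in Python over xml.etree. The client passes the WS-Trust namespace it used in its own request; the parser then accepts RequestSecurityTokenResponseCollection only under the WS-Trust 1.3 namespace and a bare RequestSecurityTokenResponse only under the 1.0 namespace, and rejects any other combination or a namespace mismatch. The two namespace URIs and the SAML 2.0 assertion namespace are the real ones; the sample responses, the `_constructed-*` IDs and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# WS-Trust namespaces (real values; WS-Trust 1.4 reuses the 1.3 namespace for these elements).
WST10 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

RSTRC = "RequestSecurityTokenResponseCollection"
RSTR = "RequestSecurityTokenResponse"


class TrustResponseError(ValueError):
    """Raised when the response shape does not match the negotiated WS-Trust version."""


def _qname(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def select_rstr(body_xml, expected_ns):
    """Return the RSTR element carrying the issued token, or raise TrustResponseError.

    expected_ns is the WS-Trust namespace the client used in its request
    (WST10 or WST13); the response must use the same one.
    """
    root = ET.fromstring(body_xml)
    ns, local = _qname(root.tag)
    if ns != expected_ns:
        raise TrustResponseError(f"response namespace {ns!r} != requested {expected_ns!r}")
    if local == RSTRC:
        # Only WS-Trust 1.3 defines the collection element.
        if ns != WST13:
            raise TrustResponseError("RSTRC is not defined in WS-Trust 1.0")
        rstrs = [c for c in root if _qname(c.tag) == (ns, RSTR)]
        if not rstrs:
            raise TrustResponseError("RSTRC contains no RequestSecurityTokenResponse")
        # The spec allows several RSTRs in one collection; this example takes the first.
        return rstrs[0]
    if local == RSTR:
        # A bare RSTR is the WS-Trust 1.0 form; 1.3 section 4.3 says RSTRC MUST be used.
        if ns != WST10:
            raise TrustResponseError("WS-Trust 1.3 response must be wrapped in RSTRC")
        return root
    raise TrustResponseError(f"unexpected root element {local!r}")


def issued_token(body_xml, expected_ns):
    """Return (local name, ID attribute) of the single token inside RequestedSecurityToken."""
    rstr = select_rstr(body_xml, expected_ns)
    requested = rstr.find(f"{{{expected_ns}}}RequestedSecurityToken")
    if requested is None or len(requested) != 1:
        raise TrustResponseError("RequestedSecurityToken missing or not exactly one child")
    token = requested[0]
    return _qname(token.tag)[1], token.get("ID")


# Constructed sample responses (no real STS involved); the assertion is an empty placeholder.
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

RESPONSE_13 = f"""<wst:{RSTRC} xmlns:wst="{WST13}">
  <wst:{RSTR}>
    <wst:RequestedSecurityToken>
      <saml2:Assertion xmlns:saml2="{SAML2}" ID="_constructed-1"/>
    </wst:RequestedSecurityToken>
  </wst:{RSTR}>
</wst:{RSTRC}>"""

RESPONSE_10 = f"""<wst:{RSTR} xmlns:wst="{WST10}">
  <wst:RequestedSecurityToken>
    <saml2:Assertion xmlns:saml2="{SAML2}" ID="_constructed-2"/>
  </wst:RequestedSecurityToken>
</wst:{RSTR}>"""

# A bare RSTR in the 1.3 namespace: a lenient parser accepts it, this one rejects it.
RESPONSE_13_BARE = RESPONSE_10.replace(WST10, WST13)


if __name__ == "__main__":
    print(issued_token(RESPONSE_13, WST13))  # ('Assertion', '_constructed-1')
    print(issued_token(RESPONSE_10, WST10))  # ('Assertion', '_constructed-2')
    for body, ns in ((RESPONSE_13_BARE, WST13), (RESPONSE_13, WST10)):
        try:
            issued_token(body, ns)
        except TrustResponseError as err:
            print("rejected:", err)
```

The version the client negotiated is the only input the check needs, so it can sit in front of the existing generic handling without changing the 1.0 path: a 1.0 client still gets the bare RSTR, a 1.3 client gets the RSTRC, and a response that mixes the two is surfaced as an error rather than silently accepted.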

