cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-6607) Cached STS-issued tokens are not renewed on expiry in delegation scenario
Date Thu, 24 Sep 2015 13:26:04 GMT

     [ https://issues.apache.org/jira/browse/CXF-6607?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-6607:
-------------------------------------
    Affects Version/s: 3.1.3
                       3.0.6

> Cached STS-issued tokens are not renewed on expiry in delegation scenario
> -------------------------------------------------------------------------
>
>                 Key: CXF-6607
>                 URL: https://issues.apache.org/jira/browse/CXF-6607
>             Project: CXF
>          Issue Type: Bug
>          Components: STS
>    Affects Versions: 3.0.6, 3.1.3
>            Reporter: Andreas Vallen
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.0.7, 3.1.4
>
>
> Setting "ws-security.cache.issued.token.in.endpoint" to "false" is the recommended setting
> for a delegation scenario, where a webapp acts as an intermediary that requests tokens for
> a webservice on behalf of a WS-Federation SAML token.
> When this setting is effective, however, we observe that tokens that have been issued
> for use by the intermediary are not renewed on expiry.
> The following code in {{IssuedTokenInterceptorProvider}} may be the starting point of
> this misbehaviour:
> {code}
>                     SecurityToken tok = retrieveCachedToken(message);
>                     if (tok == null) {
>                         tok = issueToken(message, aim, itok);
>                     } else {
>                         tok = renewToken(message, aim, itok, tok);
>                     }
> {code}
> With the above property set to false, the issued token is cached in a different way than
> expected by {{retrieveCachedToken}}, leading to the bypass of the token renewal.
> Instead, the token is cached indirectly via the actAs or onBehalfOf token, from where it is
> retrieved by the #handleDelegation method of the same Interceptor.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
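
The cache bypass described in the report, as a simplified Java model added here (not CXF code and not the project's fix). All class, field and method names are hypothetical, and it assumes the delegation lookup returns a cached token without checking its lifetime; `checked` shows one possible expiry check and re-issues rather than renews.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Simplified model of the two cache paths in CXF-6607. Hypothetical names, not CXF code.
public class DelegationCacheModel {
    record Token(String id, Instant expires) {
        boolean expiredAt(Instant now) { return !now.isBefore(expires); }
    }

    // Slot read by the issue-or-renew branch; stays empty when endpoint caching is off.
    static Token endpointSlot = null;
    // Issued tokens stored under the actAs/onBehalfOf token's key (the indirect cache).
    static final Map<String, Token> byDelegationKey = new HashMap<>();
    static int issued = 0;

    static Token issue(String key, Instant now) {
        Token t = new Token("tok-" + (++issued), now.plusSeconds(300)); // constructed 5 min lifetime
        byDelegationKey.put(key, t);
        return t;
    }

    // Reported behaviour (assumed here: the delegation lookup has no expiry check).
    static Token reported(String key, Instant now) {
        if (endpointSlot != null) {
            return endpointSlot; // stands in for the renew branch; unreachable in this setup
        }
        Token cached = byDelegationKey.get(key);
        return cached != null ? cached : issue(key, now);
    }

    // Same lookup with the lifetime checked before reuse; an expired entry is replaced.
    static Token checked(String key, Instant now) {
        Token cached = byDelegationKey.get(key);
        return (cached != null && !cached.expiredAt(now)) ? cached : issue(key, now);
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2015-09-24T13:00:00Z"); // constructed timestamps
        Instant later = t0.plusSeconds(600);
        String key = "saml-assertion-1"; // constructed delegation key
        reported(key, t0);
        Token stale = reported(key, later);
        System.out.println(stale.id() + " expired=" + stale.expiredAt(later));
        Token fresh = checked(key, later);
        System.out.println(fresh.id() + " expired=" + fresh.expiredAt(later));
    }
}
```

Requires Java 16 or later for the `record` declaration.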
