cxf-issues mailing list archives

From "Andrei Shakirin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-6859) STSTokenValidator: logging and exception handling improvement
Date Tue, 05 Apr 2016 18:54:25 GMT
Andrei Shakirin created CXF-6859:
------------------------------------

             Summary: STSTokenValidator: logging and exception handling improvement
                 Key: CXF-6859
                 URL: https://issues.apache.org/jira/browse/CXF-6859
             Project: CXF
          Issue Type: Improvement
          Components: JAX-RS Security
    Affects Versions: 3.1.6
            Reporter: Andrei Shakirin
            Assignee: Andrei Shakirin


The STSTokenValidator doesn't log the reason for an authentication error in the case of local validation.

The STSTokenValidator tries to validate the token locally and, if that wasn't successful,
delegates the validation to the STS:

    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        if (isValidatedLocally(credential, data)) {
            return credential;
        }

        return validateWithSTS(credential, (Message)data.getMsgContext());
    }

That causes somewhat confusing error messages in the log if the user relies on local validation only.


For example, if the STS certificate is missing in the service keystore, it throws:
WARNING: Assertion can not be validated: java.lang.NullPointerException
	at org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(SecurityUtils.java:170)
	at org.apache.cxf.ws.security.trust.STSUtils.getClientWithIssuer(STSUtils.java:106)
	at org.apache.cxf.ws.security.trust.STSUtils.getClient(STSUtils.java:92)
	at org.apache.cxf.ws.security.trust.STSTokenValidator.validateWithSTS(STSTokenValidator.java:128)
	at org.apache.cxf.ws.security.trust.STSTokenValidator.validate(STSTokenValidator.java:80)
	at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:181)

Then, to find the real reason for the failed local validation, it is necessary to debug the code.

Suggestion: if alwaysValidateToSts is false (the default value), log the reason for the failed
local validation at warning level.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
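
Added example, not part of the original message and not CXF code: a self-contained sketch of the local-then-STS fallback in which the local failure is logged at WARNING and kept on the final exception, so the later STS error does not hide it. The class FallbackValidatorSketch, the TokenCheck interface and the sample failures are hypothetical, and it assumes local validation reports failure by throwing rather than returning false.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical stand-in for the validator; none of these types are CXF or WSS4J classes.
public class FallbackValidatorSketch {
    private static final Logger LOG = Logger.getLogger(FallbackValidatorSketch.class.getName());

    // Assumption: a check signals failure by throwing, so the reason travels with it.
    interface TokenCheck { void check(String token) throws Exception; }

    private final TokenCheck local;
    private final TokenCheck sts;
    private final boolean alwaysValidateToSts;

    FallbackValidatorSketch(TokenCheck local, TokenCheck sts, boolean alwaysValidateToSts) {
        this.local = local;
        this.sts = sts;
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    public String validate(String token) throws Exception {
        if (alwaysValidateToSts) {
            sts.check(token);
            return token;
        }
        try {
            local.check(token);
            return token;
        } catch (Exception localFailure) {
            // Log the cause only, never the token itself, before delegating.
            LOG.log(Level.WARNING, "Local token validation failed, delegating to STS", localFailure);
            try {
                sts.check(token);
                return token;
            } catch (Exception stsFailure) {
                // Keep the first failure attached so the stack trace shows both reasons.
                stsFailure.addSuppressed(localFailure);
                throw stsFailure;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed failures that mirror the scenario in the report.
        TokenCheck local = t -> { throw new SecurityException("constructed: STS certificate not in keystore"); };
        TokenCheck sts = t -> { throw new NullPointerException("constructed: no STS client configured"); };
        try {
            new FallbackValidatorSketch(local, sts, false).validate("constructed-token");
        } catch (Exception e) {
            System.out.println("thrown: " + e + " | suppressed: " + e.getSuppressed()[0]);
        }
    }
}
```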
