
STS SAMLTokenValidator doesn't validate condition

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5
    • Fix Version/s: 2.5.1
    • Component/s: Services
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      The SAMLTokenValidator doesn't check the Conditions element of the SAML token against the current time, so a token whose validity window has expired (or not yet started) is still accepted.
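      The check that is missing, as an added illustration written for this issue (not CXF's own SAMLTokenValidator or WSS4J code): it reads NotBefore/NotOnOrAfter from a constructed SAML 2.0 Conditions element, tolerates a small clock skew and rejects tokens whose window is open-ended or longer than the maximum lifetime discussed in the comments; the skew and lifetime values are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

/** Hypothetical condition check; not the CXF STS implementation. */
public class SamlConditionsCheck {
    // Tolerated clock skew between token issuer and validator (assumption).
    static final Duration CLOCK_SKEW = Duration.ofSeconds(60);
    // Longest validity window the validator accepts (assumption, 1 hour).
    static final Duration MAX_LIFETIME = Duration.ofHours(1);

    static boolean conditionsValid(Instant notBefore, Instant notOnOrAfter, Instant now) {
        if (notBefore == null || notOnOrAfter == null) return false;      // open-ended window
        if (!notOnOrAfter.isAfter(notBefore)) return false;                // malformed window
        if (Duration.between(notBefore, notOnOrAfter).compareTo(MAX_LIFETIME) > 0) return false;
        if (now.plus(CLOCK_SKEW).isBefore(notBefore)) return false;        // not yet valid
        if (!now.minus(CLOCK_SKEW).isBefore(notOnOrAfter)) return false;   // expired
        return true;
    }

    static boolean conditionsValid(String conditionsXml, Instant now) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element c = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(conditionsXml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        Instant nb = c.hasAttribute("NotBefore") ? Instant.parse(c.getAttribute("NotBefore")) : null;
        Instant noa = c.hasAttribute("NotOnOrAfter") ? Instant.parse(c.getAttribute("NotOnOrAfter")) : null;
        return conditionsValid(nb, noa, now);
    }

    public static void main(String[] args) throws Exception {
        // Constructed Conditions element with a 30-minute window; not a real token.
        String xml = "<saml2:Conditions xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" "
            + "NotBefore=\"2011-11-01T10:00:00Z\" NotOnOrAfter=\"2011-11-01T10:30:00Z\"/>";
        // Evaluation time inside the window.
        System.out.println(conditionsValid(xml, Instant.parse("2011-11-01T10:15:00Z")));
        // Evaluation time after NotOnOrAfter: the token must be rejected.
        System.out.println(conditionsValid(xml, Instant.parse("2011-11-01T11:00:00Z")));
    }
}
```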

      1. diff.txt
        10 kB
        Oliver Wulff
      2. git.diff.patch
        29 kB
        Oliver Wulff

        Activity

        owulff Oliver Wulff added a comment -

        acceptClientLifetime added

        coheigea Colm O hEigeartaigh added a comment -

        Hi Oli,

        Yep that sounds good. I would also add a boolean whether to accept client lifetime requests at all (defaults to false).

        Colm.

        owulff Oliver Wulff added a comment -

        Hi Colm

        Agreed. I was first thinking of adding a parameter like "maxLifetime" with a meaningful default like 1 hour. I thought I didn't want to make too many changes, but it really makes sense.

        What do you think?

        Oli

        coheigea Colm O hEigeartaigh added a comment -

        Hi Oli,

        Looks good apart from the change to DefaultConditionsProvider - the change means that the STS will issue tokens by default with the conditions requested by the client...potentially a security concern. Maybe we could make this behaviour pluggable or something.

        Colm.

        owulff Oliver Wulff added a comment -

        Had to add support for the RST lifetime element in DefaultConditionsProvider to create the test case.


          People

          • Assignee:
            coheigea Colm O hEigeartaigh
          • Reporter:
            owulff Oliver Wulff
          • Votes:
            0
          • Watchers:
            0
