CXF-6607: Cached STS-issued tokens are not renewed on expiry in delegation scenario


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.6, 3.1.3
    • Fix Version/s: 3.0.7, 3.1.4
    • Component/s: STS
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      Setting "ws-security.cache.issued.token.in.endpoint" to "false" is the recommended setting for a delegation scenario, where a webapp acts as an intermediary that requests tokens for a webservice on behalf of a WS-Federation SAML token.

      When this setting is effective, however, we observe that tokens that have been issued for use by the intermediary are not renewed on expiry.

      The following code in IssuedTokenInterceptorProvider may be the starting point of this misbehaviour:

          // Look for a token cached directly against this endpoint;
          // issue a new one on a miss, otherwise go through the renewal path.
          SecurityToken tok = retrieveCachedToken(message);
          if (tok == null) {
              tok = issueToken(message, aim, itok);
          } else {
              tok = renewToken(message, aim, itok, tok);
          }

      With the above property set to false the issued token is cached in a different way than expected by retrieveCachedToken, leading to the bypass of the token renewal.

      Instead, the token is cached indirectly via the actAs or onBehalfOf token, from where it is retrieved by the #handleDelegation method of the same interceptor.
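As an added illustration, not code from the issue or from CXF, the following self-contained Java model reproduces the control flow the description points at: with the property set to "false" the token is only reachable through a second cache keyed by the ActAs/OnBehalfOf token, so the lookup that feeds the renewal branch misses and the indirectly cached token is reused past its expiry. All class and method names here are hypothetical stand-ins (IssuedToken, FakeSts, getTokenAsReported, getTokenWithExpiryCheck), the five-minute lifetime and the sample endpoint and delegation-token strings are constructed, and the expiry guard in getTokenWithExpiryCheck is one possible remedy, not the fix that shipped in 3.0.7/3.1.4.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/** Constructed model of the two caching paths in CXF-6607; not CXF's IssuedTokenInterceptorProvider. */
public class DelegatedTokenRenewalDemo {

    /** Stand-in for an STS-issued SecurityToken: an id plus an expiry instant. */
    static final class IssuedToken {
        final String id;
        final Instant expires;
        IssuedToken(String id, Instant expires) { this.id = id; this.expires = expires; }
        boolean isExpired(Instant now) { return !now.isBefore(expires); }
    }

    /** Stand-in for the STS: every issued or renewed token lives five minutes (constructed value). */
    static final class FakeSts {
        static final Duration LIFETIME = Duration.ofMinutes(5);
        int issueCalls;
        int renewCalls;
        IssuedToken issue(Instant now) {
            issueCalls++;
            return new IssuedToken("issued-" + issueCalls, now.plus(LIFETIME));
        }
        IssuedToken renew(IssuedToken old, Instant now) {
            renewCalls++;
            return new IssuedToken(old.id + "/renewed-" + renewCalls, now.plus(LIFETIME));
        }
    }

    private final FakeSts sts = new FakeSts();
    /** What retrieveCachedToken consults: the token cached directly against the endpoint. */
    private final Map<String, IssuedToken> endpointCache = new HashMap<>();
    /** What handleDelegation consults: the token cached indirectly against the ActAs/OnBehalfOf token. */
    private final Map<String, IssuedToken> delegationCache = new HashMap<>();
    private final boolean cacheIssuedTokenInEndpoint;

    DelegatedTokenRenewalDemo(boolean cacheIssuedTokenInEndpoint) {
        this.cacheIssuedTokenInEndpoint = cacheIssuedTokenInEndpoint;
    }

    /** Models the effect of ws-security.cache.issued.token.in.endpoint on where the token lands. */
    private IssuedToken store(String endpoint, String delegationToken, IssuedToken tok) {
        if (cacheIssuedTokenInEndpoint) {
            endpointCache.put(endpoint, tok);
        } else {
            delegationCache.put(delegationToken, tok);
        }
        return tok;
    }

    /** Mirrors the quoted flow: only a hit in the endpoint cache reaches the renewal branch. */
    IssuedToken getTokenAsReported(String endpoint, String delegationToken, Instant now) {
        IssuedToken tok = endpointCache.get(endpoint);                       // retrieveCachedToken
        if (tok == null) {
            // issueToken -> handleDelegation: the indirectly cached token is reused, no expiry check
            IssuedToken delegated = delegationCache.get(delegationToken);
            return delegated != null ? delegated : store(endpoint, delegationToken, sts.issue(now));
        }
        // renewToken, modelled as: renew only once the cached token has expired
        return tok.isExpired(now) ? store(endpoint, delegationToken, sts.renew(tok, now)) : tok;
    }

    /** Guard a practitioner would want: whichever cache produced the token, check expiry before reuse. */
    IssuedToken getTokenWithExpiryCheck(String endpoint, String delegationToken, Instant now) {
        IssuedToken tok = endpointCache.get(endpoint);
        if (tok == null) {
            tok = delegationCache.get(delegationToken);
        }
        if (tok == null) {
            return store(endpoint, delegationToken, sts.issue(now));
        }
        return tok.isExpired(now) ? store(endpoint, delegationToken, sts.renew(tok, now)) : tok;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2015-10-01T10:00:00Z");
        Instant later = t0.plus(Duration.ofMinutes(10));   // well past the five-minute lifetime

        // Delegation scenario: property "false", so the token is cached only via the ActAs token.
        DelegatedTokenRenewalDemo reported = new DelegatedTokenRenewalDemo(false);
        IssuedToken first = reported.getTokenAsReported("https://svc.example/ws", "actas-saml-1", t0);
        IssuedToken stale = reported.getTokenAsReported("https://svc.example/ws", "actas-saml-1", later);
        System.out.println("as reported: " + stale.id + " expired=" + stale.isExpired(later)
                + " sameObject=" + (stale == first));

        DelegatedTokenRenewalDemo guarded = new DelegatedTokenRenewalDemo(false);
        guarded.getTokenWithExpiryCheck("https://svc.example/ws", "actas-saml-1", t0);
        IssuedToken fresh = guarded.getTokenWithExpiryCheck("https://svc.example/ws", "actas-saml-1", later);
        System.out.println("with check:  " + fresh.id + " expired=" + fresh.isExpired(later));
    }
}
```

Running main prints the first token being handed back expired on the second call of getTokenAsReported, while getTokenWithExpiryCheck returns a renewed token instead. The design point is that the expiry check must sit after every cache lookup path, not only after the direct one; a token that arrives through a delegation-keyed cache is no fresher than one from the endpoint cache.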

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              avallen Andreas Vallen