CXF / CXF-6859

STSTokenValidator: logging and exception handling improvement

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.6
    • Fix Version/s: 3.2.0
    • Component/s: JAX-RS Security
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      The STSTokenValidator does not log the reason for an authentication error when validation is performed locally.

      The STSTokenValidator tries to validate the token locally and, if that is not successful, delegates the validation to the STS:

      public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
          // Try local validation first
          if (isValidatedLocally(credential, data)) {
              return credential;
          }
          // Local validation did not succeed: delegate to the STS
          return validateWithSTS(credential, (Message) data.getMsgContext());
      }

      That causes somewhat confusing error messages in the log if the user relies on local validation only.

      For example, if the STS certificate is missing from the service keystore, it throws:
      WARNING: Assertion can not be validated: java.lang.NullPointerException
      at org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(SecurityUtils.java:170)
      at org.apache.cxf.ws.security.trust.STSUtils.getClientWithIssuer(STSUtils.java:106)
      at org.apache.cxf.ws.security.trust.STSUtils.getClient(STSUtils.java:92)
      at org.apache.cxf.ws.security.trust.STSTokenValidator.validateWithSTS(STSTokenValidator.java:128)
      at org.apache.cxf.ws.security.trust.STSTokenValidator.validate(STSTokenValidator.java:80)
      at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:181)

      Then, to find the real reason for the failed local validation, it is necessary to debug the code.

      Suggestion: if alwaysValidateToSts is false (the default value), log the reason for the failed local validation at warning level.
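
One way to realise the suggestion above, as an added example that is not part of the original issue and not the CXF fix: a stand-alone Java model of a local-then-remote validator that logs the local failure at warning level and keeps it attached when the fallback fails too. The class `FallbackValidationDemo`, the `Validator` interface and the exception messages are hypothetical; only the flag name `alwaysValidateToSts` comes from the issue.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
// Stand-alone model: every type and name here is hypothetical, not a CXF class.
public class FallbackValidationDemo {
    private static final Logger LOG = Logger.getLogger(FallbackValidationDemo.class.getName());
    interface Validator { String validate(String token) throws Exception; }

    private final Validator local, remote;
    private final boolean alwaysValidateToSts; // false mirrors the default named in the issue

    FallbackValidationDemo(Validator local, Validator remote, boolean alwaysValidateToSts) {
        this.local = local;
        this.remote = remote;
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    String validate(String token) throws Exception {
        Exception localFailure = null;
        if (!alwaysValidateToSts) {
            try {
                return local.validate(token);
            } catch (Exception e) {
                localFailure = e;
                // Record why local validation failed before falling back; the token itself is not logged.
                LOG.log(Level.WARNING, "Local token validation failed, delegating to STS", e);
            }
        }
        try {
            return remote.validate(token);
        } catch (Exception e) {
            if (localFailure != null) {
                e.addSuppressed(localFailure); // keep the original cause attached to the fallback error
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        // Constructed failure modes modelled on the scenario in the description.
        Validator local = t -> { throw new SecurityException("issuer certificate not in keystore (constructed)"); };
        Validator remote = t -> { throw new NullPointerException("STS client not configured (constructed)"); };
        try {
            new FallbackValidationDemo(local, remote, false).validate("constructed-token");
        } catch (Exception e) {
            System.out.println("Thrown: " + e);
            System.out.println("Suppressed local cause: " + e.getSuppressed()[0]);
        }
    }
}
```

Running it prints the fallback exception together with the suppressed local cause, so the keystore problem is visible without a debugger.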

            People

            • Assignee:
              ashakirin Andrei Shakirin
              Reporter:
              ashakirin Andrei Shakirin