Details
Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.6
Fix Version/s: 3.2.0
Component/s: JAX-RS Security
Labels: None
Estimated Complexity: Unknown
Description
The STSTokenValidator doesn't log the reason for an authentication error in the case of local validation.
The STSTokenValidator first tries to validate the token locally and, if that wasn't successful, delegates the validation to the STS:
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    if (isValidatedLocally(credential, data)) {
        return credential;
    }
    return validateWithSTS(credential, (Message)data.getMsgContext());
}
That results in somewhat confusing error messages in the log if the user relies on local validation only.
For example, if the STS certificate is missing from the service keystore it throws:
WARNING: Assertion can not be validated: java.lang.NullPointerException
at org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(SecurityUtils.java:170)
at org.apache.cxf.ws.security.trust.STSUtils.getClientWithIssuer(STSUtils.java:106)
at org.apache.cxf.ws.security.trust.STSUtils.getClient(STSUtils.java:92)
at org.apache.cxf.ws.security.trust.STSTokenValidator.validateWithSTS(STSTokenValidator.java:128)
at org.apache.cxf.ws.security.trust.STSTokenValidator.validate(STSTokenValidator.java:80)
at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:181)
Then, to find the real reason for the failed local validation, it is necessary to debug the code.
Suggestion: if alwaysValidateToSts is false (the default value), log the reason for the failed local validation at warning level.
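The following is an added, self-contained Java sketch of the suggested behaviour; it is not the CXF fix or CXF code. The Credential, RequestData and WSSecurityException types are stand-ins constructed for the example, and the local check is assumed to throw on failure (rather than return false) so that the cause is available to log. The validate method logs that cause at WARNING when alwaysValidateToSts is false, then still falls back to the STS, so an operator who relies on local validation sees why it failed without attaching a debugger.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Stand-in types constructed for this example; not the CXF/WSS4J classes.
final class Credential {
    final String token;
    Credential(String token) { this.token = token; }
}

final class RequestData { }

final class WSSecurityException extends Exception {
    WSSecurityException(String msg) { super(msg); }
}

public class LoggingTokenValidator {
    private static final Logger LOG = Logger.getLogger(LoggingTokenValidator.class.getName());

    // Mirrors the alwaysValidateToSts switch named in the issue (default false).
    private boolean alwaysValidateToSts;

    public void setAlwaysValidateToSts(boolean alwaysValidateToSts) {
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        if (!alwaysValidateToSts) {
            try {
                validateLocally(credential, data);
                return credential;
            } catch (WSSecurityException | RuntimeException ex) {
                // The reason local validation failed is recorded at WARNING before
                // delegating to the STS, so a later STS-side error (for example a
                // missing STS certificate) no longer hides the real cause.
                LOG.log(Level.WARNING,
                        "Local token validation failed, delegating to STS: " + ex.getMessage(), ex);
            }
        }
        return validateWithSTS(credential, data);
    }

    // Hypothetical local check: accepts only tokens from a trusted issuer prefix.
    protected void validateLocally(Credential credential, RequestData data) throws WSSecurityException {
        if (credential == null || credential.token == null) {
            throw new WSSecurityException("no token present in the request");
        }
        if (!credential.token.startsWith("trusted-issuer:")) {
            throw new WSSecurityException("token issuer is not present in the service trust store");
        }
    }

    // Hypothetical STS round trip standing in for STSTokenValidator.validateWithSTS;
    // here it always fails, as it would with no STS client configured.
    protected Credential validateWithSTS(Credential credential, RequestData data) throws WSSecurityException {
        throw new WSSecurityException("STS validation failed: no STS client configured");
    }

    public static void main(String[] args) {
        LoggingTokenValidator validator = new LoggingTokenValidator();
        try {
            // Constructed sample token from an untrusted issuer: local validation fails,
            // the cause is logged, then the STS fallback fails as well.
            validator.validate(new Credential("other-issuer:abc"), new RequestData());
        } catch (WSSecurityException e) {
            System.out.println("STS error: " + e.getMessage());
        }
    }
}
```

Running the class prints the STS error on stdout, while the WARNING record with the local-validation cause ("token issuer is not present in the service trust store") goes to the JUL logger, which is the ordering the issue asks for: the local reason is visible first, and the STS error no longer has to be debugged to find it.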