Posted to dev@cxf.apache.org by Al Le <al...@gmx.de> on 2013/08/15 21:55:40 UTC

STSClient: too permissive?

Hello.

I have been studying the code of the STS Client, specifically the part where the
returned token is extracted from the response. If I understand it
correctly, the code is too permissive.

In the WS-Trust 1.3 spec, section 4.3 (Returning a Security Token
Collection), it reads:

> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
> be used to return a security token

But in the code (AbstractSTSClient.java:1246, i.e. the method 
"createSecurityToken") both "RequestSecurityTokenResponseCollection" and 
"RequestSecurityTokenResponse" are accepted.

Has it been made so as not to reject tokens issued by some widespread
implementation? Or is it a (minor) bug (or, better said, an inaccuracy)?

AL

Re: STSClient: too permissive?

Posted by Al Le <al...@gmx.de>.
On 15.08.2013 22:32, Daniel Kulp wrote:

>> Has it been made so as not to reject tokens issued by some widespread
>> implementation? Or is it a (minor) bug (or, better said, an
>> inaccuracy)?
>
> Part of being "generic".   WS-Trust 1.0 didn't have a
> RequestSecurityTokenResponseCollection.

Ah! I forgot that 1.3 is not the one and only spec version! :-)


Re: STSClient: too permissive?

Posted by Daniel Kulp <dk...@apache.org>.
On Aug 15, 2013, at 3:55 PM, Al Le <al...@gmx.de> wrote:

> Hello.
> 
> I have been studying the code of the STS Client, specifically the part where the
> returned token is extracted from the response. If I understand it
> correctly, the code is too permissive.
> 
> In the WS-Trust 1.3 spec, section 4.3 (Returning a Security Token
> Collection), it reads:
> 
>> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
>> be used to return a security token
> 
> But in the code (AbstractSTSClient.java:1246, i.e. the method "createSecurityToken") both "RequestSecurityTokenResponseCollection" and "RequestSecurityTokenResponse" are accepted.
> 
> Has it been made so as not to reject tokens issued by some widespread implementation? Or is it a (minor) bug (or, better said, an inaccuracy)?

Part of being "generic".   WS-Trust 1.0 didn't have a RequestSecurityTokenResponseCollection.  The RequestSecurityTokenResponse element is directly in the response.  Since the STSClient is designed to work for both 1.0 and 1.3, we have to support both.   THAT said, we could check which namespace is being used and adjust accordingly.



-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
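Dan's suggestion to check the namespace, worked through as an added example (not CXF's own code): the namespace of the response's root element decides which shape is accepted, so a bare RequestSecurityTokenResponse is valid for WS-Trust 1.0 but rejected under WS-Trust 1.3, where section 4.3 requires the RSTRC wrapper. The two namespace URIs are the published ones; the sample responses are constructed.

```python
"""Added example (not CXF code): pick the accepted WS-Trust response shape
from the namespace of the response element, instead of accepting both."""
import xml.etree.ElementTree as ET

# Namespaces of the two WS-Trust versions the STSClient supports.
WST10 = "http://schemas.xmlsoap.org/ws/2005/02/trust"       # WS-Trust 1.0
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3

RSTR = "RequestSecurityTokenResponse"
RSTRC = "RequestSecurityTokenResponseCollection"


def extract_rstrs(body_xml: str) -> list:
    """Return the RequestSecurityTokenResponse element(s) to read tokens from.

    WS-Trust 1.0 has no RSTRC, so a bare RSTR is the only valid shape.
    WS-Trust 1.3 requires the RSTRC wrapper (spec section 4.3), so a bare
    RSTR in the 1.3 namespace is rejected rather than silently accepted.
    """
    root = ET.fromstring(body_xml)
    if not root.tag.startswith("{"):
        raise ValueError("unqualified root element")
    ns, local = root.tag[1:].split("}", 1)
    if ns == WST10:
        if local != RSTR:
            raise ValueError(f"WS-Trust 1.0: unexpected element {local}")
        return [root]
    if ns == WST13:
        if local != RSTRC:
            raise ValueError(f"WS-Trust 1.3: expected {RSTRC}, got {local}")
        rstrs = root.findall(f"{{{WST13}}}{RSTR}")
        if not rstrs:
            raise ValueError("WS-Trust 1.3: RSTRC contains no RSTR")
        return rstrs
    raise ValueError(f"unsupported WS-Trust namespace {ns}")


def accepts(body_xml: str) -> bool:
    """True if the response shape is valid for its WS-Trust version."""
    try:
        extract_rstrs(body_xml)
        return True
    except ValueError:
        return False


# Constructed sample responses (not captured traffic).
RESP_10 = f'<{RSTR} xmlns="{WST10}"><RequestedSecurityToken/></{RSTR}>'
RESP_13 = (f'<{RSTRC} xmlns="{WST13}"><{RSTR}><RequestedSecurityToken/>'
           f'</{RSTR}></{RSTRC}>')
BARE_13 = f'<{RSTR} xmlns="{WST13}"><RequestedSecurityToken/></{RSTR}>'
```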