Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/09/24 16:05:05 UTC

[jira] [Resolved] (CXF-6607) Cached STS-issued tokens are not renewed on expiry in delegation scenario

     [ https://issues.apache.org/jira/browse/CXF-6607?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-6607.
--------------------------------------
    Resolution: Fixed

> Cached STS-issued tokens are not renewed on expiry in delegation scenario
> -------------------------------------------------------------------------
>
>                 Key: CXF-6607
>                 URL: https://issues.apache.org/jira/browse/CXF-6607
>             Project: CXF
>          Issue Type: Bug
>          Components: STS
>    Affects Versions: 3.0.6, 3.1.3
>            Reporter: Andreas Vallen
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.0.7, 3.1.4
>
>
> Setting "ws-security.cache.issued.token.in.endpoint" to "false" is the recommended setting for a delegation scenario, where a webapp acts as an intermediary that requests tokens for a webservice on behalf of a WS-Federation SAML token.
> When this setting is effective, however, we observe that tokens that have been issued for use by the intermediary are not renewed on expiry.
> The following code in {{IssuedTokenInterceptorProvider}} may be the starting point of this misbehaviour:
> {code}
>                     SecurityToken tok = retrieveCachedToken(message);
>                     if (tok == null) {
>                         tok = issueToken(message, aim, itok);
>                     } else {
>                         tok = renewToken(message, aim, itok, tok);
>                     }
> {code}
> With the above property set to false the issued token is cached in a different way than expected by {{retrieveCachedToken}}, leading to the bypass of the token renewal.
> Instead, the token is cached indirectly via the actAs or onBehalfOf token, from where it is retrieved by the #handleDelegation method of the same Interceptor.
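
A simplified model of the failure described in the report, added here as an example; it is not CXF code and not the fix committed for CXF-6607. All class, method and key names are hypothetical, the timestamps are constructed, and re-issuing on expiry stands in for the renewal step.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of the delegation cache path from the report (Java 16+ for records).
public class DelegationCacheModel {
    record Token(String id, Instant expires) {
        boolean isExpired(Instant now) { return !now.isBefore(expires); }
    }

    // Issued tokens cached indirectly, keyed by the actAs/onBehalfOf token id.
    private final Map<String, Token> delegationCache = new HashMap<>();
    private int issued = 0;

    // Stand-in for an STS round trip: every token lives for five minutes.
    Token issue(Instant now) {
        return new Token("tok-" + (++issued), now.plusSeconds(300));
    }

    // Behaviour as reported: a cache hit is returned with no expiry check,
    // so the renewal branch is never reached.
    Token lookupAsReported(String delegationId, Instant now) {
        return delegationCache.computeIfAbsent(delegationId, k -> issue(now));
    }

    // Assumed remedy: treat an expired entry like a cache miss.
    Token lookupWithExpiryCheck(String delegationId, Instant now) {
        Token tok = delegationCache.get(delegationId);
        if (tok == null || tok.isExpired(now)) {
            tok = issue(now);
            delegationCache.put(delegationId, tok);
        }
        return tok;
    }

    public static void main(String[] args) {
        DelegationCacheModel m = new DelegationCacheModel();
        Instant t0 = Instant.parse("2015-09-24T16:00:00Z"); // constructed
        Instant later = t0.plusSeconds(600);                // past token lifetime
        m.lookupAsReported("saml-assertion-1", t0);         // first call fills the cache
        Token stale = m.lookupAsReported("saml-assertion-1", later);
        System.out.println("as reported: " + stale.id() + " expired=" + stale.isExpired(later));
        Token fresh = m.lookupWithExpiryCheck("saml-assertion-1", later);
        System.out.println("with check:  " + fresh.id() + " expired=" + fresh.isExpired(later));
    }
}
```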


