You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Andreas Vallen (JIRA)" <ji...@apache.org> on 2015/09/24 01:01:04 UTC
[jira] [Created] (CXF-6607) Cached STS-issued tokens are not
renewed on expiry in delegation scenario
Andreas Vallen created CXF-6607:
-----------------------------------
Summary: Cached STS-issued tokens are not renewed on expiry in delegation scenario
Key: CXF-6607
URL: https://issues.apache.org/jira/browse/CXF-6607
Project: CXF
Issue Type: Bug
Components: STS
Reporter: Andreas Vallen
Setting ws-security.cache.issued.token.in.endpoint" to "false" is the recommended setting for a delegation scenario, where a webapp acts as an intermediary that requests tokens for a webserivce on behalf of a WS-Federation SAML token.
When this setting is effective however, we observe that tokens that have been issued for use by the intermediary are not renewed on expiry.
The following code in {{IssuedTokenInterceptorProvider}} may be the starting point of this misbehaviour:
{code}
SecurityToken tok = retrieveCachedToken(message);
if (tok == null) {
tok = issueToken(message, aim, itok);
} else {
tok = renewToken(message, aim, itok, tok);
}
{code}
With the above property set to false the issued token is cached in a different way than expected by {{retrieveCachedToken}}, leading to the bypass of the token renewal.
Instead the token is cached indirectly via the actAs or onBehalfOf token where it is retrieved from by the #handleDelegation method of the same Interceptor.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)