You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Andreas Vallen (JIRA)" <ji...@apache.org> on 2015/09/24 01:01:04 UTC

[jira] [Created] (CXF-6607) Cached STS-issued tokens are not renewed on expiry in delegation scenario

Andreas Vallen created CXF-6607:
-----------------------------------

             Summary: Cached STS-issued tokens are not renewed on expiry in delegation scenario
                 Key: CXF-6607
                 URL: https://issues.apache.org/jira/browse/CXF-6607
             Project: CXF
          Issue Type: Bug
          Components: STS
            Reporter: Andreas Vallen


Setting ws-security.cache.issued.token.in.endpoint" to "false" is the recommended setting for a delegation scenario, where a webapp acts as an intermediary that requests tokens for a webserivce on behalf of a WS-Federation SAML token.

When this setting is effective however, we observe that tokens that have been issued for use by the intermediary are not renewed on expiry.

The following code in {{IssuedTokenInterceptorProvider}} may be the starting point of this misbehaviour:

{code}
                    SecurityToken tok = retrieveCachedToken(message);
                    if (tok == null) {
                        tok = issueToken(message, aim, itok);
                    } else {
                        tok = renewToken(message, aim, itok, tok);
                    }
{code}

With the above property set to false the issued token is cached in a different way than expected by {{retrieveCachedToken}}, leading to the bypass of the token renewal.

Instead the token is cached indirectly via the actAs or onBehalfOf token where it is retrieved from by the #handleDelegation method of the same Interceptor.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)