Posted to issues@cxf.apache.org by "Andrei Shakirin (JIRA)" <ji...@apache.org> on 2016/04/12 21:33:25 UTC

[jira] [Closed] (CXF-6859) STSTokenValidator: logging and exception handling improvement

     [ https://issues.apache.org/jira/browse/CXF-6859?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrei Shakirin closed CXF-6859.
--------------------------------

> STSTokenValidator: logging and exception handling improvement
> -------------------------------------------------------------
>
>                 Key: CXF-6859
>                 URL: https://issues.apache.org/jira/browse/CXF-6859
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.1.6
>            Reporter: Andrei Shakirin
>            Assignee: Andrei Shakirin
>             Fix For: 3.2.0
>
>
> The STSTokenValidator doesn't log the reason for the authentication error in the case of local validation.
> The STSTokenValidator tries to validate the token locally and, if that wasn't successful, delegates the validation to the STS:
>     public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
>        
>         if (isValidatedLocally(credential, data)) {
>             return credential;
>         }
>         
>         return validateWithSTS(credential, (Message)data.getMsgContext());
>     }
> That causes somewhat confusing error messages in the log if the user relies on local validation only.
> For example, if the STS certificate is missing in the service keystore, it throws:
> WARNING: Assertion can not be validated: java.lang.NullPointerException
> 	at org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(SecurityUtils.java:170)
> 	at org.apache.cxf.ws.security.trust.STSUtils.getClientWithIssuer(STSUtils.java:106)
> 	at org.apache.cxf.ws.security.trust.STSUtils.getClient(STSUtils.java:92)
> 	at org.apache.cxf.ws.security.trust.STSTokenValidator.validateWithSTS(STSTokenValidator.java:128)
> 	at org.apache.cxf.ws.security.trust.STSTokenValidator.validate(STSTokenValidator.java:80)
> 	at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:181)
> Then, to find the real reason for the failed local validation, it is necessary to debug the code.
> Suggestion: if alwaysValidateToSts is false (the default value), log the reason for the failed local validation at warning level.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
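
The suggestion in the issue above, sketched as an added stand-alone example (not the CXF code or the committed fix): the reason for a failed local validation is logged at warning level before the STS fallback can mask it. The TokenCheck interface, the class name and the failure messages are hypothetical; only the alwaysValidateToSts name comes from the report.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Stand-alone model of the local-then-STS flow; it uses no CXF or WSS4J classes.
public class LocalThenStsValidationDemo {
    private static final Logger LOG =
        Logger.getLogger(LocalThenStsValidationDemo.class.getName());

    // Hypothetical stand-in for a validator (local or STS-backed).
    interface TokenCheck {
        void check(String token) throws Exception;
    }

    private final TokenCheck local;
    private final TokenCheck sts;
    private final boolean alwaysValidateToSts; // name from the report; false is the default there

    LocalThenStsValidationDemo(TokenCheck local, TokenCheck sts, boolean alwaysValidateToSts) {
        this.local = local;
        this.sts = sts;
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    String validate(String token) throws Exception {
        if (!alwaysValidateToSts) {
            try {
                local.check(token);
                return token;
            } catch (Exception localFailure) {
                // Log the cause (never the token itself) before falling back,
                // so a later STS error does not hide why local validation failed.
                LOG.log(Level.WARNING, "Local token validation failed, delegating to STS: "
                    + localFailure.getMessage(), localFailure);
            }
        }
        sts.check(token);
        return token;
    }

    public static void main(String[] args) {
        // Constructed scenario: issuer certificate missing locally, no STS client configured.
        TokenCheck local = t -> { throw new SecurityException("issuer certificate not in keystore (constructed)"); };
        TokenCheck sts = t -> { throw new NullPointerException(); };
        try {
            new LocalThenStsValidationDemo(local, sts, false).validate("<constructed-token/>");
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Assertion can not be validated", e);
        }
    }
}
```

Running it prints two warnings: the local failure reason first, then the NullPointerException from the fallback, which is the only entry the log in the report contained.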