Posted to issues@cxf.apache.org by "Manuraj Singh (Jira)" <ji...@apache.org> on 2020/06/18 11:23:00 UTC

[jira] [Created] (FEDIZ-249) Relying party rejects a valid security token and redirects back to ADFS when using Fediz 1.4.6 with Tomcat 8.5.56

Manuraj Singh created FEDIZ-249:
-----------------------------------

             Summary: Relying party rejects a valid security token and redirects back to ADFS when using Fediz 1.4.6 with Tomcat 8.5.56
                 Key: FEDIZ-249
                 URL: https://issues.apache.org/jira/browse/FEDIZ-249
             Project: CXF-Fediz
          Issue Type: Bug
          Components: Plugin
    Affects Versions: 1.4.6
         Environment: Microsoft ADFS Server on Windows 2016

Apache Tomcat 8.5.56 on Windows 2019

AdoptOpenJRE Hotspot x64 - 11.0.7+10
            Reporter: Manuraj Singh


The relying party application deployed within the Tomcat 8.5.56 container rejects a valid token issued by the ADFS server. The application is sending the passive client back to ADFS, repeatedly, for a new token. ADFS issues the passive client a new token each time.

Notes on investigation:
 * Tomcat 8.5.50 has a Session Fixation CVE-2019-17563 whereby the Principal is never cached in the session, to patch the vulnerability.
 * Fediz 1.4.46 (November release) is using Tomcat 8.5.47 jars as a dependency, hence the above-mentioned fix has not propagated into the latest release of Fediz.

Implication for Adopters of Fediz 1.4.6:
 * As our relying party application is deployed on Tomcat 8.5.56 by preference, due to a number of CVE vulnerabilities patched in that release, the latest Fediz release becomes unusable.

Possible Solution:
 * Update Tomcat dependency of latest Fediz 1.4.6 to use Tomcat 8.5.56 (Latest Release of Tomcat June 2020).
 * Change the way the Principal is stored, i.e. similar to the way it is stored in Tomcat 8.5.56
 ** Within authenticate() in FederationAuthenticator for Tomcat8, once FedizPrincipal object is created, invoke register similarly to https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c
 * Remove dependency on deprecated constant in TomcatSigninHandler method createPrincipal.

Outcome:
 * Adopters using Tomcat 8.5.56 and Fediz 1.4.6 will be able to use ADFS.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
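The "Possible Solution" above proposes letting the container record the authentication, via AuthenticatorBase.register(), right after the FedizPrincipal is created, instead of caching the principal in the session independently. The sketch below is an added illustration of that pattern against the Tomcat 8.5 authenticator API; it is not Fediz's FederationAuthenticator, not code from the linked Tomcat commit, and not from the issue author. The class name, the AUTH_TYPE label, the TokenValidator interface, the configured IdP URL and the use of the wresult parameter as the token carrier are assumptions made for the example. The Tomcat calls used (doAuthenticate, getAuthMethod, register, getSessionInternal, setUserPrincipal, setAuthType) are real members of org.apache.catalina.authenticator.AuthenticatorBase and org.apache.catalina.connector.Request in the 8.5 line.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Session;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;

/**
 * Illustrative authenticator (hypothetical, not Fediz code): validates an
 * incoming token and then hands the resulting principal to the container's
 * register() so the session handling introduced for CVE-2019-17563 applies.
 */
public class TokenRegisteringAuthenticatorSketch extends AuthenticatorBase {

    /** Hypothetical auth-type label reported via request.getAuthType(). */
    public static final String AUTH_TYPE = "WSFED";

    /** Placeholder for the component that checks the signed token. */
    public interface TokenValidator {
        /** Returns a principal for a valid token, or null if it must be rejected. */
        Principal validate(String rawToken);
    }

    private final TokenValidator validator;
    private final String idpUrl; // hypothetical IdP endpoint to redirect to

    public TokenRegisteringAuthenticatorSketch(TokenValidator validator, String idpUrl) {
        this.validator = validator;
        this.idpUrl = idpUrl;
    }

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {

        // 1. Reuse an authentication the container already recorded for this
        //    session; this is what stops the repeated round trips to the IdP.
        Principal onRequest = request.getUserPrincipal();
        if (onRequest != null) {
            return true;
        }
        Session session = request.getSessionInternal(false);
        if (session != null && session.getPrincipal() != null) {
            request.setAuthType(session.getAuthType());
            request.setUserPrincipal(session.getPrincipal());
            return true;
        }

        // 2. No cached authentication: look for a freshly issued token.
        //    "wresult" is the WS-Federation response parameter (assumed here
        //    to carry the token; the real plugin has its own handling).
        String rawToken = request.getParameter("wresult");
        Principal principal = rawToken == null ? null : validator.validate(rawToken);
        if (principal == null) {
            // Invalid or absent token: send the passive client to the IdP.
            response.sendRedirect(idpUrl);
            return false;
        }

        // 3. Let the container record the authentication. register() sets the
        //    principal and auth type on the request and, when a session exists
        //    and the authenticator is configured to do so, stores them in the
        //    session and rotates the session id, so the next request is
        //    recognised without a new token. No password is involved, so null.
        register(request, response, principal, AUTH_TYPE, principal.getName(), null);
        return true;
    }

    @Override
    protected String getAuthMethod() {
        return AUTH_TYPE;
    }
}
```

The point of step 3 is that a custom authenticator which writes the principal into the session itself, or never caches it at all, diverges from the container once Tomcat changes how sessions are treated on authentication; delegating to register() keeps the plugin on whatever policy the deployed Tomcat applies, which is the outcome the issue asks for.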