You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Manuraj Singh (Jira)" <ji...@apache.org> on 2020/06/18 11:23:00 UTC
[jira] [Created] (FEDIZ-249) Relying party rejects a valid security
token and redirects back to ADFS when using Fediz 1.4.6 with Tomcat 8.5.56
Manuraj Singh created FEDIZ-249:
-----------------------------------
Summary: Relying party rejects a valid security token and redirects back to ADFS when using Fediz 1.4.6 with Tomcat 8.5.56
Key: FEDIZ-249
URL: https://issues.apache.org/jira/browse/FEDIZ-249
Project: CXF-Fediz
Issue Type: Bug
Components: Plugin
Affects Versions: 1.4.6
Environment: Microsoft ADFS Sever on Windows 2016
Apache Tomcat 8.5.56 on Windows 2019
AdoptOpenJRE Hotspot x64 - 11.0.7+10
Reporter: Manuraj Singh
The relying party application deployed within Tomcat 8.5.56 container rejects a valid token issued by ADFS server. The application is sending the passive client back to ADFS, repeatedly, for a new token. ADFS issues the passive client a new token each time.
Notes on investigation:
* Tomcat 8.5.50 has a Session Fixation CVE-2019-17563 whereby Principal in never cached in session to patch vulnerability.
* Fediz 1.4.46 (November release) is using Tomcat 8.5.47 jars as dependency hence the above mentioned fix has not propagated into latest release of Fediz.
Implication for Adopters of Fediz 1.4.6:
* As our replying party application is deployed on Tomcat 8.5.56 as preference due to a number of CVE vulnerabilities patched in the release, latest Fediz release becomes unusable.
Possible Solution:
* Update Tomcat dependency of latest Fediz 1.4.6 to use Tomcat 8.5.56 (Latest Release of Tomcat June 2020).
* Change the way the Prinicpal is stored i.e. similar to the way how it is stored in Tomcat 8.5.56
** Within authenticate() in FederationAuthenticator for Tomcat8, once FedizPrincipal object is created, invoke register similarly to https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c
* Remove dependency on deprecated constant in TomcatSigninHandler method createPrincipal.
Outcome:
* Adopters using Tomcat 8.5.56 and Fediz 1.4.6 will be able to use ADFS.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)