Hello. I study the code of the STS Client, specifically the part where the returned token is extracted from the response. If I understand it correctly, the code is too permissive.
In the WS-Trust 1.3 spec, section 4.3 (Returning a Security Token Collection), it reads:
The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST be used to return a security token
But in the code (AbstractSTSClient.java:1246, i.e. the method "createSecurityToken") both "RequestSecurityTokenResponseCollection" and "RequestSecurityTokenResponse" are accepted.
Has it been made so as not to reject tokens issued by some widespread implementation? Or is it a (minor) bug (or, better said, an inaccuracy)?
AL
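To make the spec point concrete, here is an added example (not code from the post or from CXF's AbstractSTSClient) of a strict extractor that accepts only a top-level wst:RequestSecurityTokenResponseCollection, as WS-Trust 1.3 section 4.3 requires, and rejects a bare wst:RequestSecurityTokenResponse. The namespace is the WS-Trust 1.3 one; the class name, method names and the two sample responses are constructed for the example, and the token inside them is a placeholder element rather than a real SAML assertion.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Strict WS-Trust 1.3 response handling: RSTRC required, bare RSTR rejected. (Hypothetical class.) */
public class StrictRstrcExtractor {

    /** WS-Trust 1.3 namespace. */
    static final String WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

    /**
     * Returns the issued token element (the child of wst:RequestedSecurityToken),
     * or throws if the response does not follow the WS-Trust 1.3 RSTRC layout.
     */
    static Element extractIssuedToken(String responseXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Harden the parser against DTD-based attacks before touching untrusted XML.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);

        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(
                new ByteArrayInputStream(responseXml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();

        // Spec check: the top-level element MUST be the collection, not a single RSTR.
        if (!WST.equals(root.getNamespaceURI())
                || !"RequestSecurityTokenResponseCollection".equals(root.getLocalName())) {
            throw new IllegalArgumentException(
                    "expected wst:RequestSecurityTokenResponseCollection, got " + root.getLocalName());
        }

        // Exactly one RSTR is expected for a single issue request; refuse ambiguity.
        NodeList rstrs = root.getElementsByTagNameNS(WST, "RequestSecurityTokenResponse");
        if (rstrs.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one RSTR, got " + rstrs.getLength());
        }
        Element rstr = (Element) rstrs.item(0);

        NodeList requested = rstr.getElementsByTagNameNS(WST, "RequestedSecurityToken");
        if (requested.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one wst:RequestedSecurityToken");
        }

        // The token is the first element child of wst:RequestedSecurityToken.
        for (Node n = requested.item(0).getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE) {
                return (Element) n;
            }
        }
        throw new IllegalArgumentException("wst:RequestedSecurityToken carries no token element");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: spec-conformant RSTRC wrapping one RSTR with a placeholder token.
        String rstrc = "<wst:RequestSecurityTokenResponseCollection xmlns:wst=\"" + WST + "\">"
                + "<wst:RequestSecurityTokenResponse>"
                + "<wst:RequestedSecurityToken><PlaceholderToken xmlns=\"urn:example\"/></wst:RequestedSecurityToken>"
                + "</wst:RequestSecurityTokenResponse>"
                + "</wst:RequestSecurityTokenResponseCollection>";

        // Constructed sample: a bare RSTR, which the strict check refuses.
        String bareRstr = "<wst:RequestSecurityTokenResponse xmlns:wst=\"" + WST + "\">"
                + "<wst:RequestedSecurityToken><PlaceholderToken xmlns=\"urn:example\"/></wst:RequestedSecurityToken>"
                + "</wst:RequestSecurityTokenResponse>";

        System.out.println("RSTRC -> token element: " + extractIssuedToken(rstrc).getLocalName());
        try {
            extractIssuedToken(bareRstr);
        } catch (IllegalArgumentException e) {
            System.out.println("bare RSTR rejected: " + e.getMessage());
        }
    }
}
```

Whether a deployment should be this strict is a separate question from what the spec says: a client that only ever talks to a known, spec-conformant STS gains a small amount of robustness by refusing unexpected top-level elements, while a client that must interoperate with older or looser issuers may need to keep accepting a bare RSTR and instead rely on signature and issuer checks on the token itself.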
