On Aug 15, 2013, at 3:55 PM, Al Le <[email protected]> wrote:

> Hello.
>
> I study the code of the STS Client, specifically the part where the
> returned token is extracted from the response. If I understand it
> correctly, the code is too permissive.
>
> In the WS-Trust 1.3 spec, section 4.3 (Returning a Security Token
> Collection), it reads:
>
>> The <wst:RequestSecurityTokenResponseCollection> element (RSTRC) MUST
>> be used to return a security token
>
> But in the code (AbstractSTSClient.java:1246, i.e. the method
> "createSecurityToken") both "RequestSecurityTokenResponseCollection" and
> "RequestSecurityTokenResponse" are accepted.
>
> Has it been made so as not to reject tokens issued by some widespread
> implementation? Or is it a (minor) bug (or, better said, an inaccuracy)?
Part of being "generic". WS-Trust 1.0 didn't have a RequestSecurityTokenResponseCollection. The RequestSecurityTokenResponse element is directly in the response. Since the STSClient is designed to work for both 1.0 and 1.3, we have to support both.

THAT said, we could check which namespace is being used and adjust accordingly.

-- 
Daniel Kulp
[email protected] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
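A version-aware check of the kind described in the reply above, as an added illustration (Python with the standard library, not CXF's own Java code): a bare RequestSecurityTokenResponse is accepted only under the WS-Trust 1.0 namespace, while the 1.3 namespace requires the RequestSecurityTokenResponseCollection wrapper that section 4.3 mandates. The sample responses are constructed, with the token body replaced by a placeholder.

```python
import xml.etree.ElementTree as ET

# Real WS-Trust namespace URIs; the response's version is identified by which one it uses.
WST_10 = "http://schemas.xmlsoap.org/ws/2005/02/trust"       # WS-Trust 1.0 (Feb 2005)
WST_13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3

RSTRC = "RequestSecurityTokenResponseCollection"
RSTR = "RequestSecurityTokenResponse"


def _split_tag(tag: str) -> tuple[str, str]:
    """Split an ElementTree '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def extract_rstrs(body_child_xml: str) -> list[ET.Element]:
    """Return the RSTR element(s) from the first child element of the SOAP Body.

    Version-aware rule (instead of accepting both RSTRC and bare RSTR for every version):
      - WS-Trust 1.0 namespace: a bare RSTR is the normal form and is accepted.
      - WS-Trust 1.3 namespace: section 4.3 requires an RSTRC wrapper; a bare RSTR is rejected.
    """
    root = ET.fromstring(body_child_xml)
    ns, local = _split_tag(root.tag)
    if ns == WST_13:
        if local != RSTRC:
            raise ValueError(f"WS-Trust 1.3 response must be an {RSTRC}, got {local}")
        rstrs = [child for child in root if child.tag == f"{{{WST_13}}}{RSTR}"]
        if not rstrs:
            raise ValueError(f"{RSTRC} contains no {RSTR}")
        return rstrs
    if ns == WST_10:
        if local != RSTR:
            raise ValueError(f"WS-Trust 1.0 response must be a bare {RSTR}, got {local}")
        return [root]
    raise ValueError(f"unrecognised WS-Trust namespace: {ns!r}")


def accepts(body_child_xml: str) -> bool:
    """True if the response passes the version-aware check, False otherwise."""
    try:
        extract_rstrs(body_child_xml)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample responses (token contents replaced by a placeholder).
RSTRC_13 = (f'<wst:{RSTRC} xmlns:wst="{WST_13}"><wst:{RSTR}><wst:RequestedSecurityToken>'
            f'TOKEN-PLACEHOLDER</wst:RequestedSecurityToken></wst:{RSTR}></wst:{RSTRC}>')
RSTR_10 = f'<wst:{RSTR} xmlns:wst="{WST_10}"><wst:RequestedSecurityToken>TOKEN-PLACEHOLDER</wst:RequestedSecurityToken></wst:{RSTR}>'
BARE_RSTR_13 = f'<wst:{RSTR} xmlns:wst="{WST_13}"><wst:RequestedSecurityToken>TOKEN-PLACEHOLDER</wst:RequestedSecurityToken></wst:{RSTR}>'
```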
