Ethan Wallwork created CXF-5279:
-----------------------------------
Summary: STSClient may not be caching tokens long enough when
renewal after expiry is allowed
Key: CXF-5279
URL: https://issues.apache.org/jira/browse/CXF-5279
Project: CXF
Issue Type: Bug
Components: STS
Affects Versions: 2.7.6
Reporter: Ethan Wallwork
It seems that the STSClient caches tokens only for the duration where they were
valid, which prevents renewals after expiry.
In cases where renewal after expiry is allowed it is possible to renew a token
after this time. The EHCacheTokenStore calculates the TTL based on the
Lifetime reported in the STS response, which in turn is calculated from the
conditions on the SAML assertion. The token will expire from the cache when
the time is up, and thus the STSClient can't use it to issue a renew request
even if the STS allows renewals after expiry.
Testing this was a bit tricky because it is based on caching and timeouts, but
I'm reasonably sure this is what's going on.
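The eviction behaviour described in the report above, as an added example that is not part of the original message and is not CXF code: a hypothetical in-memory store whose TTL equals the token lifetime loses the expired token, while a TTL of lifetime plus a grace window keeps it available for a renew request. TokenStore, decide and the 10-minute grace value are assumptions; a real grace window should not exceed what the STS permits for renewal after expiry.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not CXF code: all class, method and field names are hypothetical.
public class RenewableTokenCacheDemo {

    // Stand-in for a cached token; 'expires' is the Lifetime end reported by the STS.
    record Token(String id, Instant expires) {}

    // Store whose entry TTL is the token lifetime plus a configurable grace period.
    static class TokenStore {
        private final Map<String, Token> tokens = new HashMap<>();
        private final Duration renewGrace;
        TokenStore(Duration renewGrace) { this.renewGrace = renewGrace; }
        void add(Token t) { tokens.put(t.id(), t); }

        // Returns null once the TTL has elapsed, i.e. a cache miss.
        Token get(String id, Instant now) {
            Token t = tokens.get(id);
            if (t != null && !now.isBefore(t.expires().plus(renewGrace))) {
                tokens.remove(id);   // evicted: the expired token is gone for good
                return null;
            }
            return t;
        }
    }

    // What a client can do with the cache result at time 'now'.
    static String decide(TokenStore store, String id, Instant now) {
        Token t = store.get(id, now);
        if (t == null) return "ISSUE_NEW";                  // nothing left to renew
        if (now.isBefore(t.expires())) return "USE_CACHED"; // still valid
        return "RENEW";                                     // expired but still cached
    }

    public static void main(String[] args) {
        Instant issued = Instant.parse("2000-01-01T00:00:00Z"); // constructed sample time
        Token tok = new Token("tok-1", issued.plus(Duration.ofMinutes(5)));
        Instant afterExpiry = issued.plus(Duration.ofMinutes(6));
        TokenStore lifetimeOnly = new TokenStore(Duration.ZERO);       // TTL as described in the report
        TokenStore withGrace = new TokenStore(Duration.ofMinutes(10)); // assumed renewal window
        lifetimeOnly.add(tok);
        withGrace.add(tok);
        System.out.println("TTL = lifetime:         " + decide(lifetimeOnly, "tok-1", afterExpiry));
        System.out.println("TTL = lifetime + grace: " + decide(withGrace, "tok-1", afterExpiry));
    }
}
```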