Andreas Vallen created CXF-6607:
-----------------------------------

             Summary: Cached STS-issued tokens are not renewed on expiry in 
delegation scenario
                 Key: CXF-6607
                 URL: https://issues.apache.org/jira/browse/CXF-6607
             Project: CXF
          Issue Type: Bug
          Components: STS
            Reporter: Andreas Vallen


Setting "ws-security.cache.issued.token.in.endpoint" to "false" is the 
recommended setting for a delegation scenario, where a webapp acts as an 
intermediary that requests tokens for a webservice on behalf of a WS-Federation 
SAML token.

When this setting is in effect, however, we observe that tokens that have been 
issued for use by the intermediary are not renewed on expiry.

The following code in {{IssuedTokenInterceptorProvider}} may be the starting 
point of this misbehaviour:

{code}
// Look for a token already issued for this endpoint; only an existing
// cache hit goes through the renewal branch.
SecurityToken tok = retrieveCachedToken(message);
if (tok == null) {
    tok = issueToken(message, aim, itok);
} else {
    tok = renewToken(message, aim, itok, tok);
}
{code}

With the above property set to false, the issued token is cached differently 
from what {{retrieveCachedToken}} expects, so the renewal branch is never 
reached and the token renewal is bypassed.

Instead, the token is cached indirectly via the actAs or onBehalfOf token, from 
which it is retrieved by the #handleDelegation method of the same interceptor.
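The following is an added illustration of the reported behaviour, not CXF code: a small Java model in which the endpoint cache and the delegation token are two separate places an issued token can live. The classes, method names and the assumption that the delegation path hands back the stored token without an expiry check are all constructed for this example; only the property name and the retrieve/issue/renew shape come from the report. The second method shows the check a fix needs: whichever cache path yields the token, its expiry must be tested before it is reused.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

public class DelegationTokenCacheModel {

    // Constructed stand-in for an STS-issued token (not CXF's SecurityToken).
    static final class IssuedToken {
        final String id;
        final Instant expires;
        IssuedToken(String id, Instant expires) { this.id = id; this.expires = expires; }
        boolean isExpired(Instant now) { return !expires.isAfter(now); }
    }

    // Constructed stand-in for the actAs/onBehalfOf token held by the intermediary.
    static final class DelegationToken {
        IssuedToken associated; // token issued on behalf of this delegation token
    }

    private final boolean cacheInEndpoint; // models ws-security.cache.issued.token.in.endpoint
    private final Map<String, IssuedToken> endpointCache = new HashMap<>();
    private final Duration lifetime = Duration.ofMinutes(5);
    private int issued = 0, renewed = 0;

    DelegationTokenCacheModel(boolean cacheInEndpoint) { this.cacheInEndpoint = cacheInEndpoint; }

    int issued() { return issued; }
    int renewed() { return renewed; }

    // Models retrieveCachedToken: only the endpoint cache is consulted.
    IssuedToken retrieveCachedToken(String endpoint) {
        return endpointCache.get(endpoint);
    }

    IssuedToken issueToken(String endpoint, DelegationToken delegate, Instant now) {
        issued++;
        IssuedToken tok = new IssuedToken("tok-" + issued, now.plus(lifetime));
        if (cacheInEndpoint) {
            endpointCache.put(endpoint, tok);
        } else {
            delegate.associated = tok; // cached indirectly via the delegation token
        }
        return tok;
    }

    IssuedToken renewToken(IssuedToken old, Instant now) {
        renewed++;
        return new IssuedToken(old.id + "-renewed", now.plus(lifetime));
    }

    // Assumption for this model: the delegation path returns the stored token
    // as-is, with no expiry check, which is the behaviour the report describes.
    IssuedToken handleDelegation(String endpoint, DelegationToken delegate, Instant now) {
        if (delegate.associated != null) {
            return delegate.associated;
        }
        return issueToken(endpoint, delegate, now);
    }

    // Reported flow: renewal only happens when retrieveCachedToken finds the token.
    IssuedToken obtainTokenAsReported(String endpoint, DelegationToken delegate, Instant now) {
        IssuedToken tok = retrieveCachedToken(endpoint);
        if (tok == null) {
            tok = handleDelegation(endpoint, delegate, now);
        } else if (tok.isExpired(now)) {
            tok = renewToken(tok, now);
            endpointCache.put(endpoint, tok);
        }
        return tok;
    }

    // Checked flow: resolve the token through either cache path, then apply one expiry test.
    IssuedToken obtainTokenWithExpiryCheck(String endpoint, DelegationToken delegate, Instant now) {
        IssuedToken tok = retrieveCachedToken(endpoint);
        if (tok == null) tok = delegate.associated;
        if (tok == null) return issueToken(endpoint, delegate, now);
        if (tok.isExpired(now)) {
            tok = renewToken(tok, now);
            if (cacheInEndpoint) endpointCache.put(endpoint, tok); else delegate.associated = tok;
        }
        return tok;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2015-10-01T10:00:00Z");      // constructed timestamps
        Instant later = t0.plus(Duration.ofMinutes(10));          // past the 5-minute lifetime
        String endpoint = "https://example.invalid/ws";           // placeholder endpoint

        DelegationTokenCacheModel reported = new DelegationTokenCacheModel(false);
        DelegationToken d1 = new DelegationToken();
        reported.obtainTokenAsReported(endpoint, d1, t0);
        IssuedToken reused = reported.obtainTokenAsReported(endpoint, d1, later);
        System.out.println("reported flow: expired=" + reused.isExpired(later)
                + " renewals=" + reported.renewed());

        DelegationTokenCacheModel checked = new DelegationTokenCacheModel(false);
        DelegationToken d2 = new DelegationToken();
        checked.obtainTokenWithExpiryCheck(endpoint, d2, t0);
        IssuedToken fresh = checked.obtainTokenWithExpiryCheck(endpoint, d2, later);
        System.out.println("checked flow: expired=" + fresh.isExpired(later)
                + " renewals=" + checked.renewed());
    }
}
```

With caching in the endpoint disabled, the first flow keeps handing back the token stored on the delegation token after its lifetime has passed and never renews it; the second flow renews once and returns a valid token. The point for a fix is that expiry handling must not depend on which cache the token was found in.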

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)