Andrei Shakirin created CXF-6859:
------------------------------------
Summary: STSTokenValidator: logging and exception handling improvement
Key: CXF-6859
URL: https://issues.apache.org/jira/browse/CXF-6859
Project: CXF
Issue Type: Improvement
Components: JAX-RS Security
Affects Versions: 3.1.6
Reporter: Andrei Shakirin
Assignee: Andrei Shakirin
The STSTokenValidator doesn't log the reason for the authentication error in the case of local validation.
The STSTokenValidator tries to validate the token locally and, if that is not successful, delegates the validation to the STS:
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        if (isValidatedLocally(credential, data)) {
            return credential;
        }
        return validateWithSTS(credential, (Message)data.getMsgContext());
    }
That causes somewhat confusing error messages in the log if the user relies on local validation only.
For example, if the STS certificate is missing from the service keystore, it throws:
    WARNING: Assertion can not be validated: java.lang.NullPointerException
        at org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(SecurityUtils.java:170)
        at org.apache.cxf.ws.security.trust.STSUtils.getClientWithIssuer(STSUtils.java:106)
        at org.apache.cxf.ws.security.trust.STSUtils.getClient(STSUtils.java:92)
        at org.apache.cxf.ws.security.trust.STSTokenValidator.validateWithSTS(STSTokenValidator.java:128)
        at org.apache.cxf.ws.security.trust.STSTokenValidator.validate(STSTokenValidator.java:80)
        at org.apache.cxf.rs.security.saml.AbstractSamlInHandler.validateToken(AbstractSamlInHandler.java:181)
Then, to find the real reason for the failed local validation, it is necessary to debug the code.
Suggestion: if alwaysValidateToSts is false (the default value), log the reason for the failed local validation at warning level.
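The following sketch is an added illustration of the suggestion above, not code from the CXF project: it keeps the page's validate()/isValidatedLocally()/validateWithSTS() structure and the alwaysValidateToSts flag, but records the cause of a failed local validation before falling back to the STS. The WSS4J SamlAssertionValidator delegate and the abstract STS round trip are assumptions for the illustration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import org.apache.cxf.message.Message;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.apache.wss4j.dom.validate.Validator;

// Hypothetical class illustrating the suggested logging; not the project's STSTokenValidator.
public abstract class LoggingStsTokenValidator implements Validator {
    private static final Logger LOG = Logger.getLogger(LoggingStsTokenValidator.class.getName());

    // false by default, as described in the issue: try locally first, then fall back to the STS
    private final boolean alwaysValidateToSts;
    // assumed local validator: WSS4J's standard SAML assertion validation (signature, trust, conditions)
    private final Validator localValidator = new SamlAssertionValidator();

    protected LoggingStsTokenValidator(boolean alwaysValidateToSts) {
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        if (isValidatedLocally(credential, data)) {
            return credential;
        }
        return validateWithSTS(credential, (Message) data.getMsgContext());
    }

    protected boolean isValidatedLocally(Credential credential, RequestData data) {
        if (alwaysValidateToSts || credential.getSamlAssertion() == null) {
            return false;
        }
        try {
            localValidator.validate(credential, data);
            return true;
        } catch (WSSecurityException | RuntimeException ex) {
            // The improvement: surface the real cause at WARNING before delegating,
            // so a later failure in the STS path (e.g. the NPE from the issue) is not
            // the only trace an operator sees.
            LOG.log(Level.WARNING, "Local token validation failed, delegating to STS: " + ex.getMessage(), ex);
            return false;
        }
    }

    // Existing STS round trip, unchanged by the suggestion; left to the concrete subclass here.
    protected abstract Credential validateWithSTS(Credential credential, Message message) throws WSSecurityException;
}
```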
--
This message was sent by Atlassian JIRA (v6.3.4#6332)