[ https://issues.apache.org/jira/browse/CXF-6607?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-6607.
------------------------------------

> Cached STS-issued tokens are not renewed on expiry in delegation scenario
> -------------------------------------------------------------------------
>
>                 Key: CXF-6607
>                 URL: https://issues.apache.org/jira/browse/CXF-6607
>             Project: CXF
>          Issue Type: Bug
>          Components: STS
>    Affects Versions: 3.0.6, 3.1.3
>            Reporter: Andreas Vallen
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.0.7, 3.1.4
>
>
> Setting "ws-security.cache.issued.token.in.endpoint" to "false" is the 
> recommended setting for a delegation scenario, where a webapp acts as an 
> intermediary that requests tokens for a webservice on behalf of a 
> WS-Federation SAML token.
> When this setting is effective however, we observe that tokens that have been 
> issued for use by the intermediary are not renewed on expiry.
> The following code in {{IssuedTokenInterceptorProvider}} may be the starting 
> point of this misbehaviour:
> {code}
>                     SecurityToken tok = retrieveCachedToken(message);
>                     if (tok == null) {
>                         tok = issueToken(message, aim, itok);
>                     } else {
>                         tok = renewToken(message, aim, itok, tok);
>                     }
> {code}
> With the above property set to false the issued token is cached in a 
> different way than expected by {{retrieveCachedToken}}, leading to the bypass 
> of the token renewal.
> Instead, the token is cached indirectly via the actAs or onBehalfOf token, 
> from which it is retrieved by the #handleDelegation method of the same 
> Interceptor.
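
A simplified model of the delegation cache path described in the report, added here as an illustration; it is not CXF code and not the fix shipped in 3.0.7/3.1.4. The class, the map keyed by the delegation token id, the 300-second lifetime and the timestamps are all assumptions constructed for the example.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Simplified model of the cache lookup described in the report; not CXF code.
public class DelegationTokenCacheDemo {
    record Token(String id, Instant expires) {
        boolean isExpired(Instant now) { return !now.isBefore(expires); }
    }

    // Hypothetical cache: issued token stored under the id of the actAs/onBehalfOf token.
    static final Map<String, Token> byDelegationToken = new HashMap<>();
    static int issued = 0;

    // Stands in for a round trip to the STS (issueToken/renewToken in the report).
    static Token issue(Instant now) {
        return new Token("issued-" + (++issued), now.plusSeconds(300));
    }

    // Behaviour described in the report: a delegation-cache hit is returned as-is,
    // so an expired token is handed back without any renewal attempt.
    static Token lookupUnchecked(String delegationId, Instant now) {
        return byDelegationToken.computeIfAbsent(delegationId, k -> issue(now));
    }

    // Hardened form (an assumption, not the project's fix): a cache hit gets the
    // same expiry check before reuse, and a stale entry is replaced.
    static Token lookupChecked(String delegationId, Instant now) {
        Token tok = byDelegationToken.get(delegationId);
        if (tok == null || tok.isExpired(now)) {
            tok = issue(now);
            byDelegationToken.put(delegationId, tok);
        }
        return tok;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2015-09-01T12:00:00Z"); // constructed timestamp
        Instant later = t0.plusSeconds(600);                 // past the 300 s lifetime
        String actAs = "saml-assertion-1";                   // constructed delegation token id

        lookupUnchecked(actAs, t0);                          // first call populates the cache
        Token stale = lookupUnchecked(actAs, later);
        System.out.println("unchecked: " + stale.id() + " expired=" + stale.isExpired(later));

        Token fresh = lookupChecked(actAs, later);
        System.out.println("checked:   " + fresh.id() + " expired=" + fresh.isExpired(later));
    }
}
```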


