Manuraj Singh created FEDIZ-249:
-----------------------------------
Summary: Relying party rejects a valid security token and
redirects back to ADFS when using Fediz 1.4.6 with Tomcat 8.5.56
Key: FEDIZ-249
URL: https://issues.apache.org/jira/browse/FEDIZ-249
Project: CXF-Fediz
Issue Type: Bug
Components: Plugin
Affects Versions: 1.4.6
Environment: Microsoft ADFS Sever on Windows 2016
Apache Tomcat 8.5.56 on Windows 2019
AdoptOpenJRE Hotspot x64 - 11.0.7+10
Reporter: Manuraj Singh
The relying party application deployed within Tomcat 8.5.56 container rejects a
valid token issued by ADFS server. The application is sending the passive
client back to ADFS, repeatedly, for a new token. ADFS issues the passive
client a new token each time.
Notes on investigation:
* Tomcat 8.5.50 has a Session Fixation CVE-2019-17563 whereby Principal in
never cached in session to patch vulnerability.
* Fediz 1.4.46 (November release) is using Tomcat 8.5.47 jars as dependency
hence the above mentioned fix has not propagated into latest release of Fediz.
Implication for Adopters of Fediz 1.4.6:
* As our replying party application is deployed on Tomcat 8.5.56 as preference
due to a number of CVE vulnerabilities patched in the release, latest Fediz
release becomes unusable.
Possible Solution:
* Update Tomcat dependency of latest Fediz 1.4.6 to use Tomcat 8.5.56 (Latest
Release of Tomcat June 2020).
* Change the way the Prinicpal is stored i.e. similar to the way how it is
stored in Tomcat 8.5.56
** Within authenticate() in FederationAuthenticator for Tomcat8, once
FedizPrincipal object is created, invoke register similarly to
https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c
* Remove dependency on deprecated constant in TomcatSigninHandler method
createPrincipal.
Outcome:
* Adopters using Tomcat 8.5.56 and Fediz 1.4.6 will be able to use ADFS.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
