[ https://issues.apache.org/jira/browse/FEDIZ-249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved FEDIZ-249.
---------------------------------------
Resolution: Fixed
> Relying party rejects a valid security token and redirects back to ADFS when
> using Fediz 1.4.6 with Tomcat 8.5.56
> -----------------------------------------------------------------------------------------------------------------
>
> Key: FEDIZ-249
> URL: https://issues.apache.org/jira/browse/FEDIZ-249
> Project: CXF-Fediz
> Issue Type: Bug
> Components: Plugin
> Affects Versions: 1.4.6
> Environment: Microsoft ADFS Server on Windows 2016
> Apache Tomcat 8.5.56 on Windows 2019
> AdoptOpenJRE Hotspot x64 - 11.0.7+10
> Reporter: Manuraj Singh
> Priority: Major
>
> The relying party application deployed within a Tomcat 8.5.56 container rejects
> a valid token issued by the ADFS server. The application sends the passive
> client back to ADFS, repeatedly, for a new token. ADFS issues the passive
> client a new token each time.
> Notes on investigation:
> * Tomcat 8.5.50 has a Session Fixation CVE-2019-17563 fix whereby the Principal is
> never cached in the session, to patch the vulnerability.
> * Fediz 1.4.46 (November release) is using Tomcat 8.5.47 jars as dependency
> hence the above mentioned fix has not propagated into latest release of Fediz.
> Implication for Adopters of Fediz 1.4.6:
> * As our relying party application is deployed on Tomcat 8.5.56 by
> preference, due to a number of CVE vulnerabilities patched in that release,
> the latest Fediz release becomes unusable.
> Possible Solution:
> * Update Tomcat dependency of latest Fediz 1.4.6 to use Tomcat 8.5.56
> (Latest Release of Tomcat June 2020).
> * Change the way the Principal is stored, i.e. similar to the way it is
> stored in Tomcat 8.5.56.
> ** Within authenticate() in FederationAuthenticator for Tomcat8, once
> FedizPrincipal object is created, invoke register similarly to
> https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c
> * Remove dependency on deprecated constant in TomcatSigninHandler method
> createPrincipal.
> Outcome:
> * Adopters using Tomcat 8.5.56 and Fediz 1.4.6 will be able to use ADFS.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)