Hello All,
There are two ways to work around this. I already have a custom SAML token
provider so I can do something like this in the 'createToken' method:
    // Inside the custom SAML token provider's createToken(tokenParameters) method
    ReceivedToken receivedToken =
        tokenParameters.getTokenRequirements().getOnBehalfOf();
    if (receivedToken == null || receivedToken.getToken() == null) {
        log.error("The received token is null or invalid");
        throw new STSException(
            "The received token is null or invalid",
            STSException.INVALID_REQUEST
        );
    }
    // Only a token the validators explicitly marked VALID may be acted on
    if (receivedToken.getState() != STATE.VALID) {
        throw new STSException("The received token is invalid",
                               STSException.INVALID_REQUEST);
    }
If you don't have a custom SAML token provider, you can subclass the
TokenIssueOperation class like this:
import java.util.logging.Logger;

import javax.xml.ws.WebServiceContext;

import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.sts.operation.TokenIssueOperation;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
import org.apache.cxf.sts.request.RequestParser;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.token.provider.TokenProviderParameters;
import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;

public class MyTokenIssueOperation extends TokenIssueOperation {
    static final Logger LOG = LogUtils.getL7dLogger(MyTokenIssueOperation.class);

    @Override
    public RequestSecurityTokenResponseType issueSingle(
        RequestSecurityTokenType request,
        WebServiceContext context
    ) {
        RequestParser requestParser = parseRequest(request, context);
        TokenProviderParameters providerParameters =
            createTokenProviderParameters(requestParser, context);
        String realm = providerParameters.getRealm();
        TokenRequirements tokenRequirements = requestParser.getTokenRequirements();

        // Validate the OnBehalfOf token, if present, before the stock issue logic runs
        if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
            ReceivedToken validateTarget =
                providerParameters.getTokenRequirements().getOnBehalfOf();
            TokenValidatorResponse tokenResponse = validateReceivedToken(
                context, realm, tokenRequirements, validateTarget);
            if (tokenResponse == null) {
                LOG.fine("No Token Validator has been found that can handle this token");
            }
            // validateReceivedToken() records the outcome on validateTarget;
            // fail the request here instead of letting an INVALID token reach issuance
            if (validateTarget.getState() == STATE.INVALID) {
                throw new STSException("Incoming token is invalid",
                                       STSException.REQUEST_FAILED);
            }
        }
        // Note: super.issueSingle() validates the OnBehalfOf token a second time
        return super.issueSingle(request, context);
    }
}
The downside of subclassing is that you actually hit your validator twice:
once in your subclass and again when you call the superclass.
I think this might be a bug here and the 'TokenIssueOperation' class might
need a minor patch to handle STATE.INVALID.
Thanks,
Yogesh
--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-STS-Validating-onBehalfOf-tokens-in-Issue-Operation-tp5719696p5719784.html
Sent from the cxf-user mailing list archive at Nabble.com.