This does sound like a bug to me as well. Feel free to log a JIRA and attach a patch!
Dan

On Dec 4, 2012, at 10:22 PM, ychawla <[email protected]> wrote:

> Hello All,
> I am writing an STS that has an issue operation. The requirements dictate
> that I need to do some custom validation on the token in the 'onBehalfOf'
> element. My bean set up is:
>
> <bean id="transportIssueDelegate"
>     class="org.apache.cxf.sts.operation.TokenIssueOperation">
>     <property name="tokenProviders" ref="transportTokenProviders" />
>     <property name="tokenValidators" ref="myTransportTokenValidators" />
>     <property name="services" ref="gfipmTransportService" />
>     <property name="stsProperties" ref="transportSTSProperties" />
> </bean>
>
> <util:list id="myTransportTokenValidators">
>     <ref bean="myTransportSamlTokenValidator" />
> </util:list>
>
> <bean id="transportSamlTokenProvider"
>     class="org.my.sts.CustomSAMLTokenProvider"/>
>
> The 'CustomSAMLTokenProvider' implements the 'TokenValidator' interface.
> Most of what I am looking to do is already done by the SAMLTokenValidator
> provided by CXF so I delegate most methods directly to this class.
>
> In my 'validateToken' method, when I find an issue with the custom
> validation, I have tried throwing an STS exception and setting the token to
> 'invalid'.
>
> throw new STSException("Error: The SAML Token Issuer had a validation issue.");
>
> or
>
> ReceivedToken validateTarget = tokenParameters.getToken();
> validateTarget.setState(STATE.INVALID);
> baseResponse.setToken(validateTarget);
> return baseResponse;
>
> However, the service will continue on and issue a token and only display a
> warning for the exception and do nothing in the second example where the
> state is set to 'INVALID'.
>
> I followed this in the framework and it looks like 'validateReceivedToken'
> in AbstractOperation will iterate through all the validators and break on an
> exception and set the token state to Invalid.
>
> However the 'issueSingle' operation in 'TokenIssueOperation' seems to ignore
> the case where a token's state is invalid. This snippet of code starts at
> line 109:
>
> // Validate OnBehalfOf token if present
> if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
>     ReceivedToken validateTarget =
>         providerParameters.getTokenRequirements().getOnBehalfOf();
>     TokenValidatorResponse tokenResponse = validateReceivedToken(
>             context, realm, tokenRequirements, validateTarget);
>
>     if (tokenResponse == null) {
>         LOG.fine("No Token Validator has been found that can handle this token");
>
>     } else if (validateTarget.getState().equals(STATE.VALID)) {
>         processValidToken(providerParameters, validateTarget, tokenResponse);
>     }
>
> My assumption would be that the 'issueSingle' operation would react to an
> invalid token by throwing an exception.
>
> Should another else if block like this be added:
>
> else if (validateTarget.getState().equals(STATE.INVALID)) {
>     throw new STSException("Invalid onBehalfOf Token", STSException.REQUEST_FAILED);
> }
>
> Is this a bug in the framework or is there another way to indicate that
> since the onBehalfOf token has errors, an error response should be
> returned to the client.
>
> Thanks again for all the STS help!
>
> Yogesh
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-STS-Validating-onBehalfOf-tokens-in-Issue-Operation-tp5719696.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Daniel Kulp
[email protected] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
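For readers hitting the same problem, the following is an added example of the delegating validator the thread describes: it is not code from the thread or from CXF itself. It wraps CXF's SAMLTokenValidator for signature, expiry and trust checks, then applies a custom rule (here an allowed-issuer whitelist, configured through the Spring bean) and marks the OnBehalfOf token INVALID on failure. The class name and package follow the bean definition in the post; the issuer rule, the `allowedIssuers` property and the use of WSS4J's `AssertionWrapper` (the WSS4J 1.6-era class shipped with CXF 2.7) are assumptions of this example. As the thread establishes, marking the token INVALID only rejects the request once TokenIssueOperation.issueSingle acts on that state, which is the bug Dan suggests patching; the validator alone cannot stop issuance in the affected version.

```java
package org.my.sts; // package taken from the bean definition in the post

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper; // assumption: WSS4J 1.6 API
import org.w3c.dom.Element;

/**
 * Example validator (not CXF code): delegates the standard SAML checks to
 * SAMLTokenValidator and then enforces an extra, deployment-specific rule.
 */
public class CustomSAMLTokenProvider implements TokenValidator {

    private static final Logger LOG = Logger.getLogger(CustomSAMLTokenProvider.class.getName());

    // CXF's own validator does signature, expiry and trust verification.
    private final SAMLTokenValidator delegate = new SAMLTokenValidator();

    // Hypothetical custom rule: only assertions from these issuers may be
    // used as OnBehalfOf tokens. Populated from Spring, e.g.
    // <property name="allowedIssuers"><set><value>https://idp.example</value></set></property>
    private Set<String> allowedIssuers = Collections.emptySet();

    public void setAllowedIssuers(Set<String> allowedIssuers) {
        this.allowedIssuers = new HashSet<String>(allowedIssuers);
    }

    public boolean canHandleToken(ReceivedToken validateTarget) {
        return delegate.canHandleToken(validateTarget);
    }

    public boolean canHandleToken(ReceivedToken validateTarget, String realm) {
        return delegate.canHandleToken(validateTarget, realm);
    }

    public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
        // Step 1: the standard checks. The delegate sets the token state itself.
        TokenValidatorResponse response = delegate.validateToken(tokenParameters);
        ReceivedToken validateTarget = tokenParameters.getToken();
        if (validateTarget.getState() != STATE.VALID) {
            // Already rejected by CXF; do not weaken that decision.
            return response;
        }

        // Step 2: the custom rule, applied only to a token that passed step 1.
        Object token = validateTarget.getToken();
        if (!(token instanceof Element)) {
            return reject(validateTarget, response, "OnBehalfOf token is not a DOM element");
        }
        String issuer;
        try {
            issuer = new AssertionWrapper((Element) token).getIssuerString();
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "Could not parse OnBehalfOf assertion", ex);
            return reject(validateTarget, response, "OnBehalfOf assertion could not be parsed");
        }
        if (issuer == null || !allowedIssuers.contains(issuer)) {
            return reject(validateTarget, response, "OnBehalfOf issuer not permitted: " + issuer);
        }
        return response;
    }

    // Mark the token INVALID and hand it back; nothing here throws, because in
    // the version discussed in the thread an exception is only logged by
    // validateReceivedToken. Whether issuance actually stops depends on
    // issueSingle honouring STATE.INVALID, the fix proposed in the thread.
    private TokenValidatorResponse reject(ReceivedToken validateTarget,
                                          TokenValidatorResponse response,
                                          String reason) {
        LOG.warning(reason);
        validateTarget.setState(STATE.INVALID);
        response.setToken(validateTarget);
        return response;
    }
}
```

Returning rather than throwing keeps the validator's behaviour the same whether or not AbstractOperation.validateReceivedToken wraps exceptions; the practical check after deploying is to send an Issue request whose OnBehalfOf assertion comes from an issuer outside the whitelist and confirm that the STS returns a fault instead of a freshly issued token. If it still issues one, the TokenIssueOperation in use does not act on STATE.INVALID and needs the patch discussed above.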
