[
https://issues.apache.org/jira/browse/FEDIZ-232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772178#comment-16772178
]
Colm O hEigeartaigh commented on FEDIZ-232:
-------------------------------------------
This will be fixed for the Spring + CXF plugins only. If there is demand in the
future I can look at the Tomcat / Jetty plugins.
> 'wctx' parameter mandatory but protocol does not require
> --------------------------------------------------------
>
> Key: FEDIZ-232
> URL: https://issues.apache.org/jira/browse/FEDIZ-232
> Project: CXF-Fediz
> Issue Type: Bug
> Reporter: Christian Fischer
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 1.5.0, 1.4.6
>
>
> For logins which are not initiated by a valid session on the RP side the user
> cannot be authenticated because the wctx parameter is missing or has the
> wrong value.
> There are at least two scenarios in which this causes a unwanted behaviour of
> the system.
> * First is if the IDP/login page is bookmarked and returns only later after
> the session on the RP is timed out.
> * Second is something similar to a IDP initiated login flow. It's not in the
> WS federation protocol specification but according to our tests fediz could
> easily allow that if the 'wctx' check is removed.
> In the protocol specification the 'wctx' parameter is also only optional,
> where fediz expects it to be always present. There is a comment with respect
> to CSRF prevention but our security team didn't see the case for this since
> there is no passive way of authentication is used. In fact it's the actual
> authentication request that is supposed to be protected, but we don't see the
> need.
>
> One option (if the CSRF case is valid) would be to at least disable the
> 'wctx' state validation by setting a flag.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
