[ https://issues.apache.org/jira/browse/FEDIZ-232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772178#comment-16772178 ]
Colm O hEigeartaigh commented on FEDIZ-232:
-------------------------------------------

This will be fixed for the Spring + CXF plugins only. If there is demand in the future I can look at the Tomcat / Jetty plugins.

> 'wctx' parameter mandatory but protocol does not require
> --------------------------------------------------------
>
>                 Key: FEDIZ-232
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-232
>             Project: CXF-Fediz
>          Issue Type: Bug
>            Reporter: Christian Fischer
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 1.5.0, 1.4.6
>
>
> For logins which are not initiated by a valid session on the RP side the user
> cannot be authenticated because the wctx parameter is missing or has the
> wrong value.
> There are at least two scenarios in which this causes an unwanted behaviour of
> the system.
> * First is if the IDP/login page is bookmarked and returns only later after
> the session on the RP is timed out.
> * Second is something similar to an IDP-initiated login flow. It's not in the
> WS-Federation protocol specification but according to our tests fediz could
> easily allow that if the 'wctx' check is removed.
> In the protocol specification the 'wctx' parameter is also only optional,
> whereas fediz expects it to be always present. There is a comment with respect
> to CSRF prevention but our security team didn't see the case for this since
> no passive way of authentication is used. In fact it's the actual
> authentication request that is supposed to be protected, but we don't see the
> need.
>
> One option (if the CSRF case is valid) would be to at least disable the
> 'wctx' state validation by setting a flag.