Hello All,
I am writing an STS that has an issue operation. The requirements dictate
that I need to do some custom validation on the token in the 'onBehalfOf'
element. My bean setup is:
<bean id="transportIssueDelegate"
      class="org.apache.cxf.sts.operation.TokenIssueOperation">
    <property name="tokenProviders" ref="transportTokenProviders" />
    <property name="tokenValidators" ref="myTransportTokenValidators" />
    <property name="services" ref="gfipmTransportService" />
    <property name="stsProperties" ref="transportSTSProperties" />
</bean>

<util:list id="myTransportTokenValidators">
    <ref bean="myTransportSamlTokenValidator" />
</util:list>

<bean id="transportSamlTokenProvider"
      class="org.my.sts.CustomSAMLTokenProvider"/>
The 'CustomSAMLTokenProvider' implements the 'TokenValidator' interface.
Most of what I am looking to do is already done by the SAMLTokenValidator
provided by CXF so I delegate most methods directly to this class.
In my 'validateToken' method, when I find an issue with the custom
validation, I have tried throwing an STS exception and setting the token to
'invalid'.
throw new STSException("Error: The SAML Token Issuer had a validation issue.");

or

ReceivedToken validateTarget = tokenParameters.getToken();
validateTarget.setState(STATE.INVALID);
baseResponse.setToken(validateTarget);
return baseResponse;
However, the service continues on and issues a token anyway: it only logs a
warning for the exception, and does nothing at all in the second example where
the state is set to 'INVALID'.
I followed this in the framework and it looks like 'validateReceivedToken'
in AbstractOperation will iterate through all the validators and break on an
exception and set the token state to Invalid.
However, the 'issueSingle' operation in 'TokenIssueOperation' seems to ignore
the case where a token's state is invalid. This snippet of code starts at
line 109:
// Validate OnBehalfOf token if present
if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) {
    ReceivedToken validateTarget =
        providerParameters.getTokenRequirements().getOnBehalfOf();
    TokenValidatorResponse tokenResponse = validateReceivedToken(
        context, realm, tokenRequirements, validateTarget);
    if (tokenResponse == null) {
        LOG.fine("No Token Validator has been found that can handle this token");
    } else if (validateTarget.getState().equals(STATE.VALID)) {
        processValidToken(providerParameters, validateTarget, tokenResponse);
    }
My assumption would be that the 'issueSingle' operation would react to an
invalid token by throwing an exception.
Should another else-if block like this be added:

    } else if (validateTarget.getState().equals(STATE.INVALID)) {
        // No caught exception is in scope here, so use the (message, faultCode) form
        throw new STSException("Invalid onBehalfOf Token", STSException.REQUEST_FAILED);
    }
Is this a bug in the framework, or is there another way to indicate that,
since the onBehalfOf token has errors, an error response should be returned
to the client?
Thanks again for all the STS help!
Yogesh
--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-STS-Validating-onBehalfOf-tokens-in-Issue-Operation-tp5719696.html
Sent from the cxf-user mailing list archive at Nabble.com.
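An added example, not Yogesh's code or CXF's, showing one way to structure the delegating validator described in the message: CXF's SAMLTokenValidator performs the standard signature, trust and condition checks first, and only a token that passed those is subjected to the custom check, which here is an issuer allow-list (an assumed requirement) and which marks the token INVALID rather than throwing. The imports assume the CXF 2.5/2.6-era STS and WSS4J 1.6 packages.

```java
package org.my.sts;

import java.util.Collections;
import java.util.Set;

import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.w3c.dom.Element;

// Hypothetical delegating validator: all standard checks go to SAMLTokenValidator.
public class AllowListedIssuerSAMLTokenValidator implements TokenValidator {

    private final SAMLTokenValidator delegate = new SAMLTokenValidator();
    // Assumed custom requirement: only assertions from these issuers are acceptable.
    private Set<String> allowedIssuers = Collections.emptySet();

    public void setAllowedIssuers(Set<String> allowedIssuers) {
        this.allowedIssuers = allowedIssuers;
    }

    public boolean canHandleToken(ReceivedToken validateTarget) {
        return delegate.canHandleToken(validateTarget);
    }

    public boolean canHandleToken(ReceivedToken validateTarget, String realm) {
        return delegate.canHandleToken(validateTarget, realm);
    }

    public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
        // Signature, trust and conditions are verified by the CXF validator first.
        TokenValidatorResponse response = delegate.validateToken(tokenParameters);
        ReceivedToken validateTarget = response.getToken();
        if (validateTarget.getState() != STATE.VALID) {
            return response; // already rejected; nothing more to check
        }
        try {
            AssertionWrapper assertion = new AssertionWrapper((Element) validateTarget.getToken());
            if (!allowedIssuers.contains(assertion.getIssuerString())) {
                validateTarget.setState(STATE.INVALID); // fail closed on unknown issuer
            }
        } catch (WSSecurityException e) {
            validateTarget.setState(STATE.INVALID); // unparsable assertion is not VALID
        }
        return response;
    }
}
```

Setting the state to INVALID only has an effect if the calling operation acts on that state, which is exactly the gap in 'issueSingle' that the message points out.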