Wednesday, February 17, 2016

Apache CXF Fediz 1.2.2 released

Apache CXF Fediz 1.2.2 has been released. The issues fixed can be seen here. Highlights include:
  • The core Apache CXF dependency is updated to the recent 3.0.8 release.
  • A new HomeRealm Discovery Service based on Spring EL is available in the IdP.
  • Support for configurable token expiration validation in the plugins has been added.
  • Various fixes for the WebSphere container plugin have been added.
A new feature in 1.2.2 is the ability to specify a constraint in the IdP on the acceptable 'wreply' value for a given service. When the IdP successfully authenticates the end user, it will issue the WS-Federation response to the value specified in the initial request in the 'wreply' parameter. However, this could be exploited by a malicious third party to redirect the end user to a custom address, where the issued token could be retrieved. In 1.2.2, there is a new property associated with the Application in the IdP called 'passiveRequestorEndpointConstraint'. This is a regular expression on the acceptable value for the 'wreply' endpoint associated with this Application. If this property is not specified, a warning is logged in the IdP. For example:
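To illustrate what the 'passiveRequestorEndpointConstraint' check does, and why the regular expression should be written tightly, here is a small Python model of the validation (an added example, not Fediz's own code; it assumes the constraint must match the whole 'wreply' value, and the application name and URLs are constructed):

```python
import re
from typing import Optional

# Constructed per-application configuration, mirroring the idea of an IdP
# Application entry that carries a passiveRequestorEndpointConstraint.
APPLICATIONS = {
    # Dots escaped, path fixed: only the real endpoint (with optional trailing slash) matches.
    "strict-app": r"https://app\.example\.com/fediz/?",
    # Loose pattern: unescaped dots and a trailing .* accept far more than intended.
    "loose-app": r"https://app.example.com.*",
    # No constraint configured at all.
    "unconstrained-app": None,
}


def wreply_allowed(wreply: str, constraint: Optional[str]) -> bool:
    """Return True if wreply satisfies the constraint.

    A missing constraint accepts any value, which is the case the IdP warns about;
    a configured constraint must match the complete wreply value (re.fullmatch),
    so a URL that merely starts with an allowed prefix is rejected.
    """
    if constraint is None:
        return True
    return re.fullmatch(constraint, wreply) is not None


def check_application(app: str, wreply: str) -> bool:
    """Look up the application's constraint and validate the requested wreply."""
    return wreply_allowed(wreply, APPLICATIONS[app])


def audit_constraint(constraint: Optional[str], legitimate: str, lookalikes: list) -> list:
    """Defensive self-check for a constraint: returns the lookalike URLs it wrongly accepts.

    An empty list means the pattern admits only the legitimate endpoint out of the
    candidates tested; any entries indicate the expression needs tightening.
    """
    if not wreply_allowed(legitimate, constraint):
        raise ValueError("constraint rejects the application's own endpoint")
    return [u for u in lookalikes if wreply_allowed(u, constraint)]


if __name__ == "__main__":
    lookalikes = ["https://app.example.com.lookalike.test/", "https://app-example.com/fediz/"]
    for name, pattern in APPLICATIONS.items():
        accepted = audit_constraint(pattern, "https://app.example.com/fediz/", lookalikes)
        print(f"{name}: wrongly accepted {accepted}")
```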
