Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.4.6
- None
- None
- Microsoft ADFS Server on Windows 2016; Apache Tomcat 8.5.56 on Windows 2019; AdoptOpenJRE Hotspot x64 - 11.0.7+10
Description
The relying party application deployed within a Tomcat 8.5.56 container rejects a valid token issued by the ADFS server. The application repeatedly sends the passive client back to ADFS for a new token, and ADFS issues the passive client a new token each time.
Notes on investigation:
- Tomcat 8.5.50 fixes the session fixation vulnerability CVE-2019-17563; as part of that patch the Principal is never cached in the session.
- Fediz 1.4.46 (November release) depends on the Tomcat 8.5.47 jars, so the fix mentioned above has not propagated into the latest Fediz release.
Implication for Adopters of Fediz 1.4.6:
- As our relying party application is deployed on Tomcat 8.5.56 by preference, due to the number of CVE vulnerabilities patched in that release, the latest Fediz release becomes unusable.
Possible Solution:
- Update the Tomcat dependency of the latest Fediz 1.4.6 to Tomcat 8.5.56 (latest Tomcat release, June 2020).
- Change the way the Principal is stored, i.e. similar to the way it is stored in Tomcat 8.5.56.
- Within authenticate() in FederationAuthenticator for Tomcat 8, once the FedizPrincipal object is created, invoke register() similarly to https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c
- Remove the dependency on the deprecated constant in the TomcatSigninHandler method createPrincipal.
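The following is an added illustration of the register() pattern proposed above; it is not Fediz's own code nor the fix that was eventually committed. It assumes a Tomcat 8.5 FormAuthenticator subclass, a hypothetical class name ExampleFederationAuthenticator, a placeholder auth type string and a placeholder request parameter name ("wresult"), and leaves the actual token validation to an abstract hook, since that logic lives in Fediz. The point it shows is that once the Principal is built, the authenticator hands it to AuthenticatorBase.register() rather than writing it into a session note itself: register() stores the Principal on the Session (and rotates the session id when changeSessionIdOnAuthentication is enabled), so Tomcat's own cache lookup in AuthenticatorBase.invoke() finds it on the next request and the passive client is not sent back to the IdP again.

```java
package example;

import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Session;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;

/**
 * Illustrative authenticator (not Fediz code). Shows where register() is
 * called so that Tomcat, not the authenticator, caches the Principal.
 */
public abstract class ExampleFederationAuthenticator extends FormAuthenticator {

    // Hypothetical auth type name exposed through request.getAuthType().
    private static final String AUTH_TYPE = "FEDERATION";

    // Placeholder name of the parameter carrying the token posted back by the IdP.
    private static final String TOKEN_PARAM = "wresult";

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {

        // 1. Cheap path: AuthenticatorBase.invoke() already re-attached a cached
        //    Principal from the Session to this Request, if one was registered.
        if (request.getUserPrincipal() != null) {
            return true;
        }
        Session session = request.getSessionInternal(false);
        if (session != null && session.getPrincipal() != null) {
            // A Principal is cached on the Session but not on this Request yet.
            register(request, response, session.getPrincipal(), AUTH_TYPE, null, null);
            return true;
        }

        // 2. No Principal yet: look for the token the IdP posted back.
        String token = request.getParameter(TOKEN_PARAM);
        if (token == null) {
            // The redirect of the passive client to the IdP is left out here;
            // a real authenticator would build the sign-in request at this point.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        Principal principal = validateTokenAndBuildPrincipal(token);
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // 3. Let Tomcat do the caching. register() sets the auth type and the
        //    Principal on the Request and on the Session, and with
        //    changeSessionIdOnAuthentication (default true) assigns a new session
        //    id, which is the session-fixation protection. No session note with
        //    the Principal is written by this class.
        request.getSessionInternal(true);
        register(request, response, principal, AUTH_TYPE, principal.getName(), null);
        return true;
    }

    /**
     * Hook for the real token processing (signature, audience and lifetime
     * checks). Returns null when the token must not be trusted.
     */
    protected abstract Principal validateTokenAndBuildPrincipal(String token);
}
```

Fediz's FederationAuthenticator overrides authenticate() rather than doAuthenticate(); the placement of the register() call is what carries over. A quick check that the change works is to watch the JSESSIONID cookie across the sign-in round trip: it should change once, immediately after the token is accepted, and subsequent requests should not trigger another redirect to ADFS.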
Outcome:
- Adopters using Tomcat 8.5.56 and Fediz 1.4.6 will be able to use ADFS.
Issue Links
- duplicates FEDIZ-243: Fediz tomcat valve is broken with recent tomcat version (Closed)