Validating the token
Before the received SAML token can be renewed, a number of validation steps (that are specific to renewing SAML tokens) takes place. Two boolean properties are retrieved from the properties of the cached token:
- org.apache.cxf.sts.token.renewing.allow - Whether the token is allowed to be renewed or not.
- org.apache.cxf.sts.token.renewing.allow.after.expiry - Whether the token is allowed to be renewed or not after it has expired.
These two properties are set in the SAMLTokenProvider based on a received <wst:Renewing/> element when the user is requesting a SAML token via the issue binding. If a user omits a <wst:Renewing/> element, or sends <wst:Renewing/> or <wst:Renewing Allow="true"/>, then the token is allowed to be renewed. However, only if the user sends <wst:Renewing OK="true"/>, will the token be allowed to be renewed after expiry. This explains why a TokenStore is required for token renewal, as without access to these two properties it is impossible for the SAMLTokenRenewer to figure out whether the issuer of the token intended for the token to be renewed (after expiry) or not.
If the state of the token is expired, and if the token is allowed to be renewed after expiry, a final check is done against the boolean set via the setAllowRenewalAfterExpiry method of TokenRenewer. If this is set to false (the default), then an exception is thrown. So to support token renewal after expiry, you must explicitly define this behavior on the TokenRenewer implementation. Finally, a check is done on how long ago the SAML Token expired. If it is greater than the value configured in the maxExpiry property (30 minutes by default), then an exception is thrown.
The next validation step is to check proof of possession, if this is enabled (true by default). The Subject KeyInfo of the Assertion must contain a PublicKey or X509Certificate that corresponds to either the client certificate if TLS is used, or to the private key that was used to sign some part of the request. Finally, if an AppliesTo URI is sent as part of the request, the SAMLTokenRenewer checks that the received Assertion contains at least one AudienceRestrictionURI that matches that address, otherwise it throws an Exception.