[
https://issues.apache.org/jira/browse/CXF-5692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13983049#comment-13983049
]
Colm O hEigeartaigh commented on CXF-5692:
------------------------------------------
It's extracted when a token is received as part of SAML SSO in CXF:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java?view=markup
Then this is used as the expiry mechanism for the cookie. When a SAML token is
received as part of a web service request (i.e. in a security header) it's not
validated.
Colm.
> CXF doesn't verify SessionNotOnOrAfter of AuthenticationStatement
> -----------------------------------------------------------------
>
> Key: CXF-5692
> URL: https://issues.apache.org/jira/browse/CXF-5692
> Project: CXF
> Issue Type: Bug
> Components: JAX-WS Runtime
> Affects Versions: 2.7.10
> Reporter: Tony Clarke
> Assignee: Colm O hEigeartaigh
>
--
This message was sent by Atlassian JIRA
(v6.2#6252)
