Guanping Zhang created CXF-9232:
-----------------------------------

             Summary: Implement JTI/Assertion-ID replay cache for SAML and JWT 
bearer grants (Close //TODO)
                 Key: CXF-9232
                 URL: https://issues.apache.org/jira/browse/CXF-9232
             Project: CXF
          Issue Type: Improvement
          Components: JAX-RS Security
    Affects Versions: 4.2.2
         Environment: Apache CXF 3.5.7 / 4.2.x, Java 11+.
            Reporter: Guanping Zhang


h3. Background
Following a discussion with the Apache CXF Security Team ([email protected]), 
this issue is being tracked publicly as a security hardening improvement and 
technical debt resolution, aligning with the CXF Threat Model §14 (proposed 
replay protection controls).

h3. Problem Description
Currently, neither the SAML-bearer nor the JWT-bearer grant handlers in Apache 
CXF record the assertion identifier (or {{jti}}) in a replay cache. While the 
validators correctly enforce signature and expiry ({{NotOnOrAfter}} / {{exp}}), 
the absence of a single-use replay cache means that a captured, still-valid 
signed assertion can be redeemed multiple times within its validity window, 
with each redemption minting a fresh, independent access token. 

This deviates from the one-time-use semantics expected of bearer assertions per 
RFC 7521 §2.1 and RFC 7523.

h3. Root Cause & Code Locations
1. *SAML Bearer*: In {{SamlOAuthValidator.java}} (approx. line 160), there is 
an explicit unimplemented TODO left in the codebase:
{code:java}
//TODO: replay cache, same as with SAML SSO case
{code}

2. *JWT Bearer*: In {{AbstractJwtHandler.validateClaims()}}, the {{jti}} claim 
is never read, validated, or stored in a cache.

h3. Suggested Improvement
To provide integrators with a robust, out-of-the-box defense-in-depth mechanism 
(especially for environments where assertion capture is a concern), we should 
implement a single-use replay cache keyed on the assertion ID / {{jti}}. 

The SAML SSO path in CXF already utilizes a {{ONE_TIME_USE}} cache mechanism. 
This same caching infrastructure could be wired into the bearer grant 
validation paths to close the existing {{//TODO}} and enforce single-use 
semantics for both SAML and JWT bearer assertions.




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to