Guanping Zhang created CXF-9232:
-----------------------------------
Summary: Implement JTI/Assertion-ID replay cache for SAML and JWT
bearer grants (Close //TODO)
Key: CXF-9232
URL: https://issues.apache.org/jira/browse/CXF-9232
Project: CXF
Issue Type: Improvement
Components: JAX-RS Security
Affects Versions: 4.2.2
Environment: Apache CXF 3.5.7 / 4.2.x, Java 11+.
Reporter: Guanping Zhang
h3. Background
Following a discussion with the Apache CXF Security Team ([email protected]),
this issue is being tracked publicly as a security hardening improvement and
technical debt resolution, aligning with the CXF Threat Model §14 (proposed
replay protection controls).
h3. Problem Description
Currently, neither the SAML-bearer nor the JWT-bearer grant handlers in Apache
CXF record the assertion identifier (or {{jti}}) in a replay cache. While the
validators correctly enforce signature and expiry ({{NotOnOrAfter}} / {{exp}}),
the absence of a single-use replay cache means that a captured, still-valid
signed assertion can be redeemed multiple times within its validity window,
with each redemption minting a fresh, independent access token.
This deviates from the one-time-use semantics expected of bearer assertions per
RFC 7521 §2.1 and RFC 7523.
h3. Root Cause & Code Locations
1. *SAML Bearer*: In {{SamlOAuthValidator.java}} (approx. line 160), there is
an explicit unimplemented TODO left in the codebase:
{code:java}
//TODO: replay cache, same as with SAML SSO case
{code}
2. *JWT Bearer*: In {{AbstractJwtHandler.validateClaims()}}, the {{jti}} claim
is never read, validated, or stored in a cache.
h3. Suggested Improvement
To provide integrators with a robust, out-of-the-box defense-in-depth mechanism
(especially for environments where assertion capture is a concern), we should
implement a single-use replay cache keyed on the assertion ID / {{jti}}.
The SAML SSO path in CXF already utilizes a {{ONE_TIME_USE}} cache mechanism.
This same caching infrastructure could be wired into the bearer grant
validation paths to close the existing {{//TODO}} and enforce single-use
semantics for both SAML and JWT bearer assertions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)