axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Reinhold (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (RAMPART-387) Rampart reports SAML Token Missing In Request
Date Sun, 09 Sep 2012 11:55:07 GMT

    [ https://issues.apache.org/jira/browse/RAMPART-387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451577#comment-13451577
] 

Brian Reinhold edited comment on RAMPART-387 at 9/9/12 10:53 PM:
-----------------------------------------------------------------

I have been able to locally fix this bug by simply checking for the signed version first and
if that returns null, checking for an unsigned version. Since Rampart's default STS service
creates a signed SAML token the modification accepts the token and the transaction succeeds.

However Rampart is not using the token certificate to validate the signature but the certificate
of the STS. There is nothing wrong with that trust model but it is not the one I want and
would love to know how to change or configure it.

In any case the code to fix this bug is very simple if someone would care to do it:

    else if (token instanceof IssuedToken)
    {
        //TODO is it enough to check for ST_UNSIGNED results ?? NO!!!
        WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_SIGNED);
        if (samlResult == null)
        {
            samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
            if(samlResult == null)
            {
                throw new RampartException("samlTokenMissing");
            }
        }
    } 
                
      was (Author: gyannea):
    I have been able to locally fix this bug by simply checking for the signed version first
and if that returns null, checking for an unsigned version. Since Rampart's default STS service
creates a signed SAML token the modification accepts the token and the transaction succeeds.

However Rampart is not using the token certificate to validate the signature but the certificate
of the STS. There is nothing wrong with that trust model but it is not the one I want and
would love to know how to change or configure it.

In any case the code to fix this bug is very simple if someone would care to do it:

    else if (token instanceof IssuedToken)
    {
        //TODO is is enough to check for ST_UNSIGNED results ?? NO!!!
        WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_SIGNED);
        if (samlResult == null)
        {
            samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
            if(samlResult == null)
            {
                throw new RampartException("samlTokenMissing");
            }
        }
    } 
                  
> Rampart reports SAML Token Missing In Request
> ---------------------------------------------
>
>                 Key: RAMPART-387
>                 URL: https://issues.apache.org/jira/browse/RAMPART-387
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.6.2
>         Environment: Windows 7 64; Axis2/Rampart deployment in Tomcat
>            Reporter: Brian Reinhold
>              Labels: newbie
>             Fix For: 1.6.2
>
>
> When sending a message containing a SAML Token generated by Rampart's STS service, the
module PolicyBasedResultsValidator.handleSupportingTokens() throws a RampartException with

> message "samlTokenMissing".
> I believe the error is due to only attempting to validate an unsigned token. The token
created by the STS service is signed as it must be by WS Security requirements. 
> Starting at line 323 one sees:
>             } else if (token instanceof IssuedToken) {
>                 //TODO is is enough to check for ST_UNSIGNED results ??
>                 WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results,
WSConstants.ST_UNSIGNED);
>                 if (samlResult == null)
> 		{
> 			throw new RampartException("samlTokenMissing");
>                 }
> There needs to be a check for ST_SIGNED.
> I do not know how to build the distribution or I would try this myself.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message