cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Upgrading to cxf 2.7.13 - SAMLTokenPrincipal no longer being registered as a SecurityContext
Date Thu, 16 Oct 2014 13:22:42 GMT
There have been some considerable changes to SAML processing based on some
security issues that will become public soon. The security context is not
populated via unsigned SAML tokens any more (even if they are received over
TLS with client authentication). If you want to support this you will have
to override the doResults method of the WSS4JInInterceptor. If you really
want to though, we could introduce a new JAX-WS property (defaulting to
false) to allow this behaviour.

Colm.

On Thu, Oct 16, 2014 at 2:02 PM, Jason Pell <jason@pellcorp.com> wrote:

> All I get now is the X500Principal of the https token.
>
> My policy is below.  I am relying on the RequireClientCertificate to have
> the saml token "signed" and thus I would have expected it to be present in
> the security context.  I am at a loss as to why something like this could
> change between point releases.
>
>
>     <!-- 2.3.1.1 (WSS1.0) SAML1.1 Assertion (Bearer) -->
>     <wsp:Policy wsu:Id="TLSBearerPolicy"
>         xmlns:wsp="http://www.w3.org/ns/ws-policy"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>
>             <wsp:All>
>                 <sp:TransportBinding>
>                     <wsp:Policy>
>                         <sp:TransportToken>
>                             <wsp:Policy>
>                                 <sp:HttpsToken>
>                                     <wsp:Policy>
>                                         <sp:RequireClientCertificate/>
>                                     </wsp:Policy>
>                                 </sp:HttpsToken>
>                             </wsp:Policy>
>                         </sp:TransportToken>
>                         <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                                 <sp:Basic128 />
>                             </wsp:Policy>
>                         </sp:AlgorithmSuite>
>                         <sp:Layout>
>                             <wsp:Policy>
>                                 <sp:Strict />
>                             </wsp:Policy>
>                         </sp:Layout>
>                         <sp:IncludeTimestamp />
>                     </wsp:Policy>
>                 </sp:TransportBinding>
>
>                 <sp:SignedSupportingTokens>
>                     <wsp:Policy>
>                         <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                             <wsp:Policy>
>                                 <sp:WssSamlV11Token11/>
>                             </wsp:Policy>
>                         </sp:SamlToken>
>                     </wsp:Policy>
>                 </sp:SignedSupportingTokens>
>             </wsp:All>
>     </wsp:Policy>
>
-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
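The override Colm describes, written out as an added example (this is not Colm's code and not part of CXF or WSS4J). It assumes the CXF 2.7.x `doResults` signature shown, that WSS4J 1.6 reports an unsigned SAML assertion with action `WSConstants.ST_UNSIGNED`, and an invented opt-in property name; the default remains the 2.7.13 behaviour, and the SAML subject is only taken from an unsigned assertion when the endpoint opted in and the TLS layer actually verified a client certificate, which is the situation Jason's policy relies on.

```java
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.List;

import javax.xml.stream.XMLStreamException;
import javax.xml.ws.soap.SOAPFaultException;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.SAMLTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.w3c.dom.Element;

/**
 * Example subclass (not CXF code). Keeps the 2.7.13 default, where an unsigned
 * SAML token never populates the SecurityContext, unless the endpoint opts in
 * AND the request arrived over TLS with a verified client certificate.
 */
public class TlsBackedSamlInInterceptor extends WSS4JInInterceptor {

    /** Hypothetical opt-in property for this example; not a real CXF property. */
    public static final String ALLOW_UNSIGNED_SAML_OVER_CLIENT_TLS =
        "example.allow.unsigned.saml.over.client.tls";

    @Override
    protected void doResults(SoapMessage msg, String actor, Element soapHeader,
                             Element soapBody, List<WSSecurityEngineResult> wsResult,
                             boolean utWithCallbacks)
        throws SOAPFaultException, XMLStreamException, WSSecurityException {

        // Let CXF do its normal processing first (signed tokens, timestamp, ...).
        super.doResults(msg, actor, soapHeader, soapBody, wsResult, utWithCallbacks);

        // Default stays the safe one: do nothing unless the endpoint explicitly opted in.
        if (!MessageUtils.isTrue(msg.getContextualProperty(ALLOW_UNSIGNED_SAML_OVER_CLIENT_TLS))) {
            return;
        }
        // Honour the opt-in only when the transport really authenticated the client.
        if (!clientAuthenticatedOverTls(msg)) {
            return;
        }
        // Never replace a context CXF already built from a signed SAML token.
        SecurityContext existing = msg.get(SecurityContext.class);
        if (existing != null && existing.getUserPrincipal() instanceof SAMLTokenPrincipal) {
            return;
        }
        for (WSSecurityEngineResult result : wsResult) {
            Integer action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
            Principal principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            // Assumption: WSS4J 1.6 tags an unsigned assertion with ST_UNSIGNED.
            if (action != null && action == WSConstants.ST_UNSIGNED
                && principal instanceof SAMLTokenPrincipal) {
                // From here on the assertion's subject is trusted solely because the
                // TLS client certificate was accepted: the pre-2.7.13 trust model.
                msg.put(SecurityContext.class, new DefaultSecurityContext(principal, null));
                return;
            }
        }
    }

    /** True when the TLS layer presented and verified a peer (client) certificate chain. */
    static boolean clientAuthenticatedOverTls(SoapMessage msg) {
        TLSSessionInfo tls = msg.get(TLSSessionInfo.class);
        if (tls == null) {
            return false;
        }
        Certificate[] peerCerts = tls.getPeerCertificates();
        return peerCerts != null && peerCerts.length > 0;
    }
}
```

Register this class on the endpoint in place of the stock `WSS4JInInterceptor` and set the property to `true` only where the TLS client certificate is trusted to vouch for whatever subject the assertion carries; that trade-off is exactly what the 2.7.13 change makes explicit instead of silent.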
