cxf-dev mailing list archives

From Jason Pell <ja...@pellcorp.com>
Subject Re: Upgrading to cxf 2.7.13 - SAMLTokenPrincipal no longer being registered as a SecurityContext
Date Thu, 16 Oct 2014 13:56:16 GMT
I would be interested to understand why it is a security issue when the
client TLS establishes the trust relationship.

I had just finished adding basic saml support to our product and now with
the upgrade I am back to square one.

From the docs I have read using TLS with client auth instead of signed is a
good alternative and performs better.
On 17/10/2014 12:22 AM, "Colm O hEigeartaigh" <coheigea@apache.org> wrote:

> There have been some considerable changes to SAML processing based on some
> security issues that will become public soon. The security context is not
> populated via unsigned SAML tokens any more (even if they are received over
> TLS with client authentication). If you want to support this you will have
> to override the doResults method of the WSS4JInInterceptor. If you really
> want to though, we could introduce a new JAX-WS property (defaulting to
> false) to allow this behaviour.
>
> Colm.
>
> On Thu, Oct 16, 2014 at 2:02 PM, Jason Pell <jason@pellcorp.com> wrote:
>
> > All I get now is the X500Principal of the https token.
> >
> > My policy is below.  I am relying on the RequireClientCertificate to have
> > the saml token "signed" and thus I would have expected it to be present in
> > the security context.  I am at a loss as to why something like this could
> > change between point releases.
> >
> >
> >     <!-- 2.3.1.1 (WSS1.0) SAML1.1 Assertion (Bearer) -->
> >     <wsp:Policy wsu:Id="TLSBearerPolicy"
> >          xmlns:wsp="http://www.w3.org/ns/ws-policy"
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >
> >             <wsp:All>
> >                 <sp:TransportBinding>
> >                     <wsp:Policy>
> >                         <sp:TransportToken>
> >                             <wsp:Policy>
> >                                 <sp:HttpsToken>
> >                                     <wsp:Policy>
> >                                         <sp:RequireClientCertificate/>
> >                                     </wsp:Policy>
> >                                 </sp:HttpsToken>
> >                             </wsp:Policy>
> >                         </sp:TransportToken>
> >                         <sp:AlgorithmSuite>
> >                             <wsp:Policy>
> >                                 <sp:Basic128 />
> >                             </wsp:Policy>
> >                         </sp:AlgorithmSuite>
> >                         <sp:Layout>
> >                             <wsp:Policy>
> >                                 <sp:Strict />
> >                             </wsp:Policy>
> >                         </sp:Layout>
> >                         <sp:IncludeTimestamp />
> >                     </wsp:Policy>
> >                 </sp:TransportBinding>
> >
> >                 <sp:SignedSupportingTokens>
> >                     <wsp:Policy>
> >                         <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >                             <wsp:Policy>
> >                                 <sp:WssSamlV11Token11/>
> >                             </wsp:Policy>
> >                         </sp:SamlToken>
> >                     </wsp:Policy>
> >                 </sp:SignedSupportingTokens>
> >             </wsp:All>
> >     </wsp:Policy>
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
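The override Colm describes, written as an added example for this archive page and not code from CXF or from either poster: a WSS4JInInterceptor subclass that re-populates the SecurityContext from an unsigned SAML assertion, but only when the TLS client certificate belongs to a party explicitly trusted to vouch for that assertion (the gateway or STS that produced it). The doResults signature, the WSS4J 1.6 class names (AssertionWrapper, SAMLTokenPrincipal, the WSSecurityEngineResult tags) and the TLSSessionInfo lookup are assumed from the CXF 2.7.x API and should be checked against the version actually in use; the trusted DN is a placeholder.

```java
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.security.auth.Subject;
import javax.xml.soap.SOAPException;
import javax.xml.stream.XMLStreamException;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.SAMLTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.w3c.dom.Element;

/**
 * Re-enables a SAMLTokenPrincipal SecurityContext for an UNSIGNED assertion,
 * gated on the identity of the TLS client that presented it. TLS client auth
 * proves who the connection peer is, not who wrote the assertion, so the peer
 * must be one we explicitly trust to issue claims on behalf of other users.
 */
public class TlsBoundSamlInInterceptor extends WSS4JInInterceptor {

    // Subject DNs of TLS clients allowed to present unsigned assertions.
    // PLACEHOLDER value: replace with the DNs of your own trusted token producers.
    private final Set<String> trustedTokenProducers = new HashSet<String>(Arrays.asList(
        "CN=sts.example.internal,O=Example Corp"
    ));

    @Override
    protected void doResults(SoapMessage msg, String actor, Element soapHeader,
                             Element soapBody, List<WSSecurityEngineResult> wsResult,
                             boolean utWithCallbacks)
        throws SOAPException, XMLStreamException, WSSecurityException {

        // Stock behaviour first: signed tokens keep populating the context as in 2.7.13.
        super.doResults(msg, actor, soapHeader, soapBody, wsResult, utWithCallbacks);

        // If a signed SAML token was processed, the parent already handled it; do not override.
        for (WSSecurityEngineResult r : wsResult) {
            if (actionIs(r, WSConstants.ST_SIGNED)) {
                return;
            }
        }

        X509Certificate clientCert = peerCertificate(msg);
        if (clientCert == null) {
            return; // no TLS client auth: an unsigned assertion proves nothing
        }
        String peerDn = clientCert.getSubjectX500Principal().getName();
        if (!trustedTokenProducers.contains(peerDn)) {
            return; // authenticated peer, but not one trusted to vouch for others
        }

        for (WSSecurityEngineResult r : wsResult) {
            if (!actionIs(r, WSConstants.ST_UNSIGNED)) {
                continue;
            }
            AssertionWrapper assertion =
                (AssertionWrapper) r.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (assertion == null) {
                continue;
            }
            // Assertion came from a trusted producer over mutually authenticated TLS:
            // expose it as the caller's principal, as the pre-2.7.13 code did.
            Principal p = new SAMLTokenPrincipal(assertion);
            Subject subject = new Subject();
            subject.getPrincipals().add(p);
            msg.put(SecurityContext.class, new DefaultSecurityContext(p, subject));
            return;
        }
    }

    private static boolean actionIs(WSSecurityEngineResult r, int expected) {
        Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
        return action != null && action.intValue() == expected;
    }

    // First certificate in the peer chain is the client's own certificate.
    private static X509Certificate peerCertificate(SoapMessage msg) {
        TLSSessionInfo tls = msg.get(TLSSessionInfo.class);
        if (tls == null) {
            return null;
        }
        Certificate[] chain = tls.getPeerCertificates();
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return null;
        }
        return (X509Certificate) chain[0];
    }
}
```

Register this subclass in place of the stock WSS4JInInterceptor on the endpoint. The allow-list is the part that matters: with RequireClientCertificate alone, any client that can complete the TLS handshake could present an unsigned assertion naming whichever subject it likes, which is the gap the 2.7.13 change closes. Restricting the unsigned path to specific producer DNs turns "the peer authenticated" into "the peer is allowed to assert on behalf of others", which is the trust relationship the thread is actually relying on.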
