cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-5424) JAX-RS Security Code can not validate signed SAML2 bearer assertions without KeyInfo
Date Mon, 23 Dec 2013 17:03:51 GMT

    [ https://issues.apache.org/jira/browse/CXF-5424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13855765#comment-13855765 ]

Sergey Beryozkin commented on CXF-5424:
---------------------------------------

The XML Signature specification mentions that KeyInfo is an optional element and the application
is expected to load it out of band if it is missing. IMHO it is safe to provide a basic out-of-band
mechanism, for example, use a default crypto alias to load a certificate which can be used
to validate a signature; a minor positive is that the processing should be faster too.

In case of non-SAML2 payloads, for example, when we have the XML signature added only, we
can try to use the authenticated user as the alias or the default crypto alias to load a certificate.

In case of RACS we can only try a default crypto alias; we can also extend that if needed
to use the subject names as aliases; however, I'm not sure it is practical yet. In this case
it is really an IDP certificate that we need. I guess this implies RACS will need its own
signature crypto - which seems reasonable.

> JAX-RS Security Code can not validate signed SAML2 bearer assertions without KeyInfo
> ------------------------------------------------------------------------------------
>
>                 Key: CXF-5424
>                 URL: https://issues.apache.org/jira/browse/CXF-5424
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>            Reporter: Sergey Beryozkin
>
> Signed SAML2 Bearer assertions may not always have XML Signature KeyInfo elements available.
> The JAX-RS security code fails to validate such assertions but it should be able to *optionally*
> validate them without KeyInfo



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
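The out-of-band validation the comment proposes, as an added example (written for this page with the JDK's javax.xml.crypto.dsig API; it is not CXF or WSS4J code): an enveloped signature is produced with no KeyInfo element, then validated against a key the caller supplies, standing in for a certificate loaded via a default crypto alias. The payload, class and method names are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class NoKeyInfoValidation {
    // Constructed sample payload; stands in for a SAML2 assertion or any other signed XML.
    static final String PAYLOAD = "<Assertion xmlns=\"urn:example\"><Subject>alice</Subject></Assertion>";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    // Enveloped signature over the whole document, deliberately without a KeyInfo element.
    static Document signWithoutKeyInfo(PrivateKey key) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                       // required by XML DSig
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(PAYLOAD.getBytes(StandardCharsets.UTF_8)));
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = FAC.newSignedInfo(
            FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement())); // null KeyInfo
        return doc;
    }

    // Validation with the verifying key supplied out of band (what a default crypto alias would load).
    static boolean validateWithOutOfBandKey(Document signed, PublicKey trusted) throws Exception {
        NodeList nl = signed.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false;             // exactly one signature expected
        DOMValidateContext ctx = new DOMValidateContext(trusted, nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        return FAC.unmarshalXMLSignature(ctx).validate(ctx); // SignatureValue plus every reference digest
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair(), other = kpg.generateKeyPair(); // IDP key and an untrusted key
        Document signed = signWithoutKeyInfo(idp.getPrivate());
        System.out.println("KeyInfo elements: " + signed.getElementsByTagNameNS(XMLSignature.XMLNS, "KeyInfo").getLength());
        System.out.println("IDP key valid:    " + validateWithOutOfBandKey(signed, idp.getPublic()));
        System.out.println("wrong key valid:  " + validateWithOutOfBandKey(signed, other.getPublic()));
    }
}
```

With no KeyInfo the verifier has nothing in the message to choose a key from, so the trust decision rests entirely on which certificate the out-of-band lookup returns; a per-IDP signature crypto, as the comment suggests for RACS, keeps that lookup from silently accepting a signature made with any other key in the store.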
