cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (CXF-6432) Remove default empty password in SamlTokenInterceptor
Date Fri, 14 Oct 2016 14:31:20 GMT

     [ https://issues.apache.org/jira/browse/CXF-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-6432.
------------------------------------

> Remove default empty password in SamlTokenInterceptor 
> ------------------------------------------------------
>
>                 Key: CXF-6432
>                 URL: https://issues.apache.org/jira/browse/CXF-6432
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 2.7.16
>            Reporter: Willem Salembier
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.7.17
>
>
> Our WS client needs to generate self-signed SAML assertions. Similar to the generation of X.509 message signatures, we like to centralize all key data in the crypto.properties file and don't provide private key passwords using the message context or callback handlers. (In the absence of a password, the Merlin Crypto implementation takes the default property org.apache.ws.security.crypto.merlin.keystore.private.password as the key password.)
> This is not possible in the 2.7.x branch because the SamlTokenInterceptor puts a default empty string password if no password was set on the message context or inside the callback handler.
> {code}
> if (password == null) {
>    password = "";
> }
> {code}
> https://github.com/apache/cxf/blob/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L301
> I don't really understand the intention. Could this be removed cfr the cleanup in CXF 3.0?
> https://github.com/apache/cxf/blob/5faf182264c64bd3c0abc0addc9746b64492c864/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L277



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
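
A simplified model of the behaviour described in the issue, added here as an illustration and not taken from CXF or WSS4J source: it shows why substituting `""` for a missing password blocks the fallback to the `crypto.properties` key password. The class, the `getKey` and `canLoad` helpers, the alias `samlkey`, the password `changeit` and the in-memory JCEKS store are all assumptions made for the example.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Properties;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: a simplified model, not CXF or WSS4J code.
public class EmptyPasswordDefaultDemo {
    // Property name quoted in the issue.
    static final String PRIVATE_PW =
        "org.apache.ws.security.crypto.merlin.keystore.private.password";

    // Hypothetical stand-in for the crypto provider's key lookup: a null
    // password falls back to the configured property, as the issue describes.
    static Key getKey(KeyStore ks, Properties cfg, String alias, String password)
            throws Exception {
        if (password == null) {
            password = cfg.getProperty(PRIVATE_PW);
        }
        return ks.getKey(alias, password == null ? null : password.toCharArray());
    }

    // True if the key entry can be recovered with the caller-supplied password.
    static boolean canLoad(KeyStore ks, Properties cfg, String callerPassword)
            throws Exception {
        try {
            return getKey(ks, cfg, "samlkey", callerPassword) != null;
        } catch (UnrecoverableKeyException e) {
            return false; // wrong password for the protected entry
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: in-memory JCEKS store with one protected entry.
        // A secret key stands in for the signing key so no certificate is needed.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        ks.setKeyEntry("samlkey", new SecretKeySpec(new byte[16], "AES"),
                "changeit".toCharArray(), null);
        Properties cfg = new Properties();
        cfg.setProperty(PRIVATE_PW, "changeit");

        String fromContext = null; // nothing set on message context or callback
        // 2.7.x behaviour quoted in the issue: null is replaced by "".
        String defaulted = (fromContext == null) ? "" : fromContext;
        System.out.println("empty-string default: " + canLoad(ks, cfg, defaulted));
        // Without the default, null reaches the provider and the property is used.
        System.out.println("null passed through:  " + canLoad(ks, cfg, fromContext));
    }
}
```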
