cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] [Commented] (CXF-7088) SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted
Date Fri, 14 Oct 2016 14:37:20 GMT


Colm O hEigeartaigh commented on CXF-7088:

It looks like this is a bug in CXF. From the spec for EncryptedParts:

The EncryptedParts assertion is used to specify the parts of the message that require confidentiality. This assertion can be satisfied with WSS: SOAP Message Security mechanisms or by mechanisms out of scope of SOAP message security, for example by sending the message over a secure transport like HTTPS.

This is the logic CXF follows. However, for the tokens it appears like the tokens themselves
should be encrypted instead.

> SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted
> ----------------------------------------------------------------------------------
>                 Key: CXF-7088
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.0.6
>            Reporter: Grzegorz Maczuga
>            Assignee: Colm O hEigeartaigh
>         Attachments: messageNoEncryption.txt, message_anonymous.txt, policy.txt
>
> In the WS-Policy that is used by the service we have defined
> <SignedEncryptedSupportingTokens/>
> Some people say that WS-SecurityPolicy 1.2 implies that the SAML assertion that is inside the WS-Security section of the SOAP message header should also be encrypted (not only signed).
> A message with a SAML assertion that is NOT encrypted is currently accepted by CXF even though the policy defines <SignedEncryptedSupportingTokens/>
> The question is: does the SAML assertion fall into the "SupportingTokens" category and should it be encrypted as well?
> What is your view on that? Is that a bug in Neethi?
> See
> Signed, encrypted supporting tokens are Signed supporting tokens (See section 8.2) that are also encrypted when they appear in the wsse:SecurityHeader. Element Encryption SHOULD be used for encrypting the supporting tokens.
> The syntax for the sp:SignedEncryptedSupportingTokens differs from the syntax of sp:SignedSupportingTokens only in the name of the assertion itself. All nested policy is as per the sp:SignedSupportingTokens

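The check the issue is asking for, as an added example that is not CXF's or WSS4J's own code: given a WS-SecurityPolicy fragment and an inbound SOAP message, it reports whether a plaintext SAML assertion is being presented where sp:SignedEncryptedSupportingTokens demands an encrypted one. The namespaces are the standard WS-Security, SAML, XML Encryption and WS-SecurityPolicy 1.2 ones; the policy and the two messages are constructed samples, not the issue's attachments.

```python
import xml.etree.ElementTree as ET

# Namespaces for WS-Security, SAML 1.1/2.0, XML Encryption and WS-SecurityPolicy 1.2.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}

def _has(elem, prefix, local):
    """True if elem or any descendant is the element {NS[prefix]}local."""
    return next(elem.iter(f"{{{NS[prefix]}}}{local}"), None) is not None

def policy_requires_encrypted_supporting_tokens(policy_xml):
    """True if the policy carries sp:SignedEncryptedSupportingTokens or sp:EncryptedSupportingTokens."""
    root = ET.fromstring(policy_xml)
    return _has(root, "sp", "SignedEncryptedSupportingTokens") or _has(root, "sp", "EncryptedSupportingTokens")

def supporting_tokens_encrypted(message_xml):
    """Structural pre-decryption check: wsse:Security must carry at least one xenc:EncryptedData and
    no plaintext SAML Assertion. Signatures and the ciphertext's real content still need full WSS processing."""
    security = ET.fromstring(message_xml).find("soap:Header/wsse:Security", NS)
    if security is None:
        return False
    plaintext = _has(security, "saml1", "Assertion") or _has(security, "saml2", "Assertion")
    return _has(security, "xenc", "EncryptedData") and not plaintext

def message_satisfies_policy(policy_xml, message_xml):
    """Reject a plaintext SAML token whenever the policy demands encrypted supporting tokens."""
    if policy_requires_encrypted_supporting_tokens(policy_xml):
        return supporting_tokens_encrypted(message_xml)
    return True

# Constructed samples (not the policy.txt / message attachments from the CXF issue).
POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:SignedEncryptedSupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:SignedEncryptedSupportingTokens>
</wsp:Policy>"""
HEADER = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>'
          '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">')
FOOTER = '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
PLAINTEXT_MSG = HEADER + '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"/>' + FOOTER
ENCRYPTED_MSG = HEADER + ('<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-1">'
                          '<xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue>'
                          '</xenc:CipherData></xenc:EncryptedData>') + FOOTER
```

With this policy the plaintext message is rejected and the encrypted one passes the structural gate; the decrypt-then-verify step that confirms the ciphertext really was the token is left to the WSS stack.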
This message was sent by Atlassian JIRA
