ws-wss4j-dev mailing list archives

From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] Updated: (WSS-238) Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
Date Fri, 30 Jul 2010 01:24:15 GMT

     [ https://issues.apache.org/jira/browse/WSS-238?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Glen Mazza updated WSS-238:
---------------------------

    Attachment: EncryptedDataPatch.txt

Patch file.

> Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-238
>                 URL: https://issues.apache.org/jira/browse/WSS-238
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.5.9
>            Reporter: Glen Mazza
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: EncryptedDataPatch.txt
>
>
> Per CXF bug CXF-2894: http://tinyurl.com/23jx6cx
> Within the soap:body/EncryptedData/SecurityTokenReference element, Glassfish Metro is requiring wsse:KeyIdentifiers instead of wsse:Reference elements when referring to SAML Assertions. Metro appears correct because the SAML Token Profile does not define usage of wsse:Reference for SAML Assertions, only KeyIdentifier or EmbeddedReference. (Section 3.3 of SAML Token Profile of 1 Dec. 2004 pdf lines 250-272.)
> The attached patch will switch SecurityTokenReference from wsse:Reference to wsse:KeyIdentifier when handling SAML Assertions. I've confirmed Metro web service providers will now work with this patch. However, backwards compatibility issues with systems expecting the current wsse:Reference may need to be taken into account.
> WSS4J has another problem with not being able to decrypt SOAP responses that use wsse:KeyIdentifier instead of wsse:Reference for SAML Assertions. Namely, org.apache.ws.security.processor.ReferenceListProcessor's getKeyFromSecurityTokenReference() method will need changing to be able to work with SAML Assertions coming from a wsse:KeyIdentifier element instead of wsse:Reference. I was not immediately successful in getting this second part to work because I could not see how a SAMLTokenProcessor can be initialized from a KeyIdentifier instead of the Reference element within this method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
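The interoperability point in the issue above is the shape of the wsse:SecurityTokenReference that sits in the ds:KeyInfo of a soap:Body EncryptedData element: the SAML Token Profile defines wsse:KeyIdentifier (and embedded references) for pointing at an assertion, not wsse:Reference. The following is an added, stand-alone example written for this page; it is not the attached EncryptedDataPatch.txt and does not use the WSS4J API. It parses a SOAP EncryptedData fragment with plain JAXP/DOM and reports which reference form the STR uses, treating a KeyIdentifier carrying one of the two SAML token-profile assertion-ID ValueTypes as the conformant form. The sample messages inside main() are constructed for illustration, not captured traffic; the assertion id "Assertion-1" is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not WSS4J code): classifies the SecurityTokenReference found under
 * xenc:EncryptedData/ds:KeyInfo as a SAML-profile KeyIdentifier, a wsse:Reference
 * (the form the report says Metro rejects for SAML assertions), or something else.
 */
public class SamlStrCheck {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";
    // KeyIdentifier ValueTypes the SAML Token Profiles define for assertion identifiers.
    static final String SAML11_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    static final String SAML20_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";

    /** Returns a verdict for the first wsse:SecurityTokenReference inside the given EncryptedData. */
    static String checkStr(Element encryptedData) {
        NodeList strs = encryptedData.getElementsByTagNameNS(WSSE, "SecurityTokenReference");
        if (strs.getLength() == 0) {
            return "NO_STR";
        }
        Element str = (Element) strs.item(0);
        NodeList keyIds = str.getElementsByTagNameNS(WSSE, "KeyIdentifier");
        if (keyIds.getLength() > 0) {
            String valueType = ((Element) keyIds.item(0)).getAttribute("ValueType");
            if (SAML11_ASSERTION_ID.equals(valueType) || SAML20_ASSERTION_ID.equals(valueType)) {
                return "KEYIDENTIFIER_SAML_OK";
            }
            return "KEYIDENTIFIER_UNKNOWN_VALUETYPE: " + valueType;
        }
        if (str.getElementsByTagNameNS(WSSE, "Reference").getLength() > 0) {
            // Not defined by the SAML Token Profile for assertion references (the WSS-238 symptom).
            return "REFERENCE_NOT_IN_SAML_PROFILE";
        }
        return "UNRECOGNIZED_STR";
    }

    /** Namespace-aware, DTD-free parse of an XML fragment received from a peer. */
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // SOAP from a remote peer is untrusted input: refuse DOCTYPEs so no external entities resolve.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement();
    }

    /** Builds a constructed EncryptedData fragment around the given STR child element. */
    static String sample(String strChild) {
        return "<xenc:EncryptedData xmlns:xenc=\"" + XENC + "\" xmlns:ds=\"" + DS + "\" xmlns:wsse=\"" + WSSE + "\">"
             + "<ds:KeyInfo><wsse:SecurityTokenReference>" + strChild + "</wsse:SecurityTokenReference></ds:KeyInfo>"
             + "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
             + "</xenc:EncryptedData>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; "Assertion-1" is a placeholder assertion id.
        String withReference = sample("<wsse:Reference URI=\"#Assertion-1\"/>");
        String withKeyIdentifier = sample(
            "<wsse:KeyIdentifier ValueType=\"" + SAML11_ASSERTION_ID + "\">Assertion-1</wsse:KeyIdentifier>");

        System.out.println("wsse:Reference     -> " + checkStr(parse(withReference)));
        System.out.println("wsse:KeyIdentifier -> " + checkStr(parse(withKeyIdentifier)));
    }
}
```

Run with `javac SamlStrCheck.java && java SamlStrCheck`; the first sample is classified as REFERENCE_NOT_IN_SAML_PROFILE and the second as KEYIDENTIFIER_SAML_OK. A check like this is useful on both sides of the exchange described in the issue: a consumer can log which form a peer emits before deciding on a compatibility fallback, and a producer can assert in its tests that outgoing SAML references use the profile-defined KeyIdentifier form.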


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

