
Remove default empty password in SamlTokenInterceptor


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.16
    • Fix Version/s: 2.7.17
    • Component/s: WS-* Components
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      Our WS client needs to generate self-signed SAML assertions. Similar to the generation of X.509 message signatures, we would like to centralize all key data in the crypto.properties file and not provide private key passwords via the message context or callback handlers. (In the absence of a password, the Merlin Crypto implementation takes the default property org.apache.ws.security.crypto.merlin.keystore.private.password as the key password.)

      This is not possible in the 2.7.x branch because the SamlTokenInterceptor puts in a default empty-string password if no password was set on the message context or inside the callback handler.

      if (password == null) {
         password = "";
      }
      

      https://github.com/apache/cxf/blob/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L301

      I don't really understand the intention. Could this be removed, cf. the cleanup in CXF 3.0?

      https://github.com/apache/cxf/blob/5faf182264c64bd3c0abc0addc9746b64492c864/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L277
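As an added illustration (not code from CXF or WSS4J), the following models the password chain the description refers to: a stand-in for the interceptor's lookup, followed by a keystore lookup that plays Merlin's role by using the resolved value as the key password. Only the property name is WSS4J's; the class and method names, the alias and the password values are constructed for this example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical model of the 2.7.x behaviour, not the real interceptor code.
public class EmptyDefaultPasswordDemo {

    static final String PRIVATE_PW_PROP =
        "org.apache.ws.security.crypto.merlin.keystore.private.password";

    // Context/callback value first, then the crypto.properties default.
    // legacyEmptyDefault reproduces substituting "" when nothing was supplied,
    // which prevents the crypto.properties fallback from ever being reached.
    static String resolvePassword(String fromContext, Properties crypto,
                                  boolean legacyEmptyDefault) {
        String password = fromContext;
        if (password == null && legacyEmptyDefault) {
            password = "";   // the default the issue asks to remove
        }
        if (password == null) {
            password = crypto.getProperty(PRIVATE_PW_PROP); // Merlin-style fallback
        }
        return password;
    }

    public static void main(String[] args) throws Exception {
        // Constructed crypto.properties content; "key-secret" is a sample value.
        Properties crypto = new Properties();
        crypto.setProperty(PRIVATE_PW_PROP, "key-secret");

        // In-memory keystore with one entry protected by that key password
        // (a secret key is used so no certificate chain is required).
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("signing-key", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection("key-secret".toCharArray()));

        for (boolean legacy : new boolean[] {true, false}) {
            String pw = resolvePassword(null, crypto, legacy);
            try {
                ks.getKey("signing-key", pw.toCharArray());
                System.out.println("legacyEmptyDefault=" + legacy + ": key loaded");
            } catch (GeneralSecurityException e) {
                // "" is a wrong password, not "no password": the entry is unreadable
                System.out.println("legacyEmptyDefault=" + legacy + ": rejected ("
                                   + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```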

          People

             Assignee: Colm O hEigeartaigh (coheigea)
             Reporter: Willem Salembier (wsalembi)