Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-7088

SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.6
    • Fix Version/s: 3.1.8, 3.0.11, 3.2.0
    • Component/s: None
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      In WS-Policy that is used by service we have defined

      <SignedEncryptedSupportingTokens/>

      Some people say that WS-SecurityPolicy 1.2 imply that also SAML assertion that is inside WS-Security section of the message SOAP Header should be encrypted (not only signed).

      Message with SAML that is NOT encrypted is currently accepted by CXF even while policy defines <SignedEncryptedSupportingTokens/>

      Question is: does SAML assertion fall into "SupportingTokens" category and should be encrypted as well?

      What is your view on that? Is that a bug in Neethi?

      See http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826566

      Signed, encrypted supporting tokens are Signed supporting tokens (See section 8.2) that are also encrypted when they appear in the wsse:SecurityHeader. Element Encryption SHOULD be used for encrypting the supporting tokens.
      The syntax for the sp:SignedEncryptedSupportingTokens differs from the syntax of sp:SignedSupportingTokens only in the name of the assertion itself. All nested policy is as per the sp:SignedSupportingTokens assertion.

        Attachments

        1. message_anonymous.txt
          25 kB
          Grzegorz Maczuga
        2. policy.txt
          3 kB
          Grzegorz Maczuga
        3. messageNoEncryption.txt
          8 kB
          Grzegorz Maczuga

          Activity

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              gmaczuga Grzegorz Maczuga
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: