[CXF-7088] SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.6
Fix Version/s: 3.1.8, 3.0.11, 3.2.0
Component/s: None
Labels:
None

Estimated Complexity:
Unknown

Description

In WS-Policy that is used by service we have defined

Some people say that WS-SecurityPolicy 1.2 imply that also SAML assertion that is inside WS-Security section of the message SOAP Header should be encrypted (not only signed).

Message with SAML that is NOT encrypted is currently accepted by CXF even while policy defines <SignedEncryptedSupportingTokens/>

Question is: does SAML assertion fall into "SupportingTokens" category and should be encrypted as well?

What is your view on that? Is that a bug in Neethi?

See http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826566

Signed, encrypted supporting tokens are Signed supporting tokens (See section 8.2) that are also encrypted when they appear in the wsse:SecurityHeader. Element Encryption SHOULD be used for encrypting the supporting tokens.
The syntax for the sp:SignedEncryptedSupportingTokens differs from the syntax of sp:SignedSupportingTokens only in the name of the assertion itself. All nested policy is as per the sp:SignedSupportingTokens assertion.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

message_anonymous.txt
13/Oct/16 12:47
25 kB
Grzegorz Maczuga
policy.txt
13/Oct/16 12:47
3 kB
Grzegorz Maczuga
messageNoEncryption.txt
14/Oct/16 13:21
8 kB
Grzegorz Maczuga

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Grzegorz Maczuga

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 13/Oct/16 09:04

Updated:: 21/Oct/16 18:45

Resolved:: 14/Oct/16 17:26