WSS4J enforces the SubjectConfirmation requirements of an inbound SAML Token. For sender-vouches, a signature must be present that covers both the SOAP Body and the SAML Assertion. As explained at http://coheigea.blogspot.com/2014/01/apache-wss4j-200-part-ii.html, the configuration tag ConfigurationConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION ("validateSamlSubjectConfirmation") lets the user switch off this validation if required.
We need to switch off the validation in order to process non-TLS requests where only the SAML assertion is signed.
Unfortunately, it turns out that SubjectConfirmation validation cannot be switched off when using PolicyBasedWSS4JInInterceptor. It uses SamlTokenPolicyValidator, which contains the following code:
This differs from WSS4JInInterceptor, which (via WSSecurityEngine) uses the following code:
Please add similar handling of the VALIDATE_SAML_SUBJECT_CONFIRMATION configuration tag into PolicyBasedWSS4JInInterceptor.