CXF-7935: SAML SubjectConfirmation validation in PolicyBasedWSS4JInInterceptor

      Description

      WSS4J enforces the SubjectConfirmation requirements of an inbound SAML Token. For sender-vouches, a signature must be present that covers both the SOAP Body and the SAML Assertion. As explained here http://coheigea.blogspot.com/2014/01/apache-wss4j-200-part-ii.html, the configuration tag defined as ConfigurationConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION ("validateSamlSubjectConfirmation") allows the user to switch off this validation if required.

      We need to switch off the validation, in order to process non-TLS requests where only the SAML assertion is signed.

      Unfortunately, it turns out that SubjectConfirmation validation cannot be switched off when using PolicyBasedWSS4JInInterceptor. It uses SamlTokenPolicyValidator, containing the following code:

      if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(), parameters.getSignedResults())) {
          ai.setNotAsserted("Assertion fails sender-vouches requirements");
          continue;
      }

      This is different from WSS4JInInterceptor, which through WSSecurityEngine uses the following code:

      if (requestData.isValidateSamlSubjectConfirmation()) {
          Element bodyElement = callbackLookupToUse.getSOAPBody();
          DOMSAMLUtil.validateSAMLResults(handlerResult, requestData.getTlsCerts(), bodyElement);
      }

      Please add similar handling of the VALIDATE_SAML_SUBJECT_CONFIRMATION configuration tag into PolicyBasedWSS4JInInterceptor.
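      As an added illustration (not CXF or WSS4J code): a small Java model of the sender-vouches check the report describes, with the validateSamlSubjectConfirmation guard that WSS4JInInterceptor applies and PolicyBasedWSS4JInInterceptor lacks. The element ids, the simplified check and the method names are assumptions made for this example.

```java
import java.util.List;
import java.util.Set;

// Added model, not CXF/WSS4J code: each signature is the set of wsu:Id values it covers.
public final class SenderVouchesCheck {

    // Sender-vouches as the report describes it: accept if the client presented a TLS
    // certificate, otherwise one signature must cover both the Body and the Assertion.
    public static boolean checkSenderVouches(boolean tlsClientCertPresent,
                                             String bodyId, String assertionId,
                                             List<Set<String>> signedResults) {
        if (tlsClientCertPresent) {
            return true;
        }
        for (Set<String> signedIds : signedResults) {
            if (signedIds.contains(bodyId) && signedIds.contains(assertionId)) {
                return true;
            }
        }
        return false;
    }

    // The guard WSS4JInInterceptor applies via isValidateSamlSubjectConfirmation().
    // With the flag off a signature over only the assertion passes, so the assertion is
    // no longer bound to the Body it arrives with; that binding must then come from elsewhere.
    public static boolean assertionAccepted(boolean validateSamlSubjectConfirmation,
                                            boolean tlsClientCertPresent,
                                            String bodyId, String assertionId,
                                            List<Set<String>> signedResults) {
        if (!validateSamlSubjectConfirmation) {
            return true;
        }
        return checkSenderVouches(tlsClientCertPresent, bodyId, assertionId, signedResults);
    }

    public static void main(String[] args) {
        // Constructed input: a non-TLS request whose signature covers only the assertion.
        List<Set<String>> onlyAssertionSigned = List.of(Set.of("assertion-1"));
        List<Set<String>> bodyAndAssertionSigned = List.of(Set.of("body-1", "assertion-1"));
        System.out.println("validation on, assertion-only signature: "
                + assertionAccepted(true, false, "body-1", "assertion-1", onlyAssertionSigned));
        System.out.println("validation off, assertion-only signature: "
                + assertionAccepted(false, false, "body-1", "assertion-1", onlyAssertionSigned));
        System.out.println("validation on, Body and Assertion signed: "
                + assertionAccepted(true, false, "body-1", "assertion-1", bodyAndAssertionSigned));
    }
}
```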

            People

            • Assignee: Colm O hEigeartaigh (coheigea)
            • Reporter: Tomas Vanhala (tomasv)