Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-238

Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.9
    • Fix Version/s: 1.5.10, 1.6
    • Component/s: WSS4J Core
    • Labels:


      Per CXF bug CXF-2894: http://tinyurl.com/23jx6cx

      Within the soap:body/EncryptedData/SecurityTokenReference element, Glassfish Metro is requiring wsse:KeyIdentifiers instead of wsse:Reference elements when referring to SAML Assertions. Metro appears correct because the SAML Token Profile does not define usage of wsse:Reference for SAML Assertions, only KeyIdentifier or EmbeddedReference. (Section 3.3 of SAML Token Profile of 1 Dec. 2004 pdf lines 250-272.)

      The attached patch will switch SecurityTokenReference from wsse:Reference to wsse:KeyIdentifier when handling SAML Assertions. I've confirmed Metro web service providers will now work with this patch. However, backwards compatibility issues with systems expecting the current wsse:Reference may need to be taken into account.

      WSS4J has another problem with not being able to decrypt SOAP responses that use wsse:KeyIdentifier instead of wsse:Reference for SAML Assertions. Namely, org.apache.ws.security.processor.ReferenceListProcessor's getKeyFromSecurityTokenReference() method will need changing to be able to work with SAML Assertions coming from a wsse:KeyIdentifier element instead of wsse:Reference. I was not immediately successful in getting this second part to work because I could not see how a SAMLTokenProcessor can be initialized from a KeyIdentifier instead of the Reference element within this method.


        1. EncryptedDataPatch.txt
          2 kB
          Glen Mazza
        2. patch238.txt
          4 kB
          Glen Mazza
        3. TestWSSecuritySAMLKeyIdentifier.java
          9 kB
          Glen Mazza
        4. WSS238_CXFClient_ALWAYS.txt
          46 kB
          Glen Mazza
        5. WSS238_MetroClient_ALWAYS.txt
          46 kB
          Glen Mazza
        6. WSS238Results.txt
          50 kB
          Glen Mazza
        7. wss-238-revised.patch
          19 kB
          Colm O hEigeartaigh



            • Assignee:
              coheigea Colm O hEigeartaigh
              gmazza Glen Mazza
            • Votes:
              0 Vote for this issue
              0 Start watching this issue


              • Created: