Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-238

Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.5.9
    • 1.5.10, 1.6
    • WSS4J Core
    • None

    Description

      Per CXF bug CXF-2894: http://tinyurl.com/23jx6cx

      Within the soap:body/EncryptedData/SecurityTokenReference element, Glassfish Metro is requiring wsse:KeyIdentifiers instead of wsse:Reference elements when referring to SAML Assertions. Metro appears correct because the SAML Token Profile does not define usage of wsse:Reference for SAML Assertions, only KeyIdentifier or EmbeddedReference. (Section 3.3 of SAML Token Profile of 1 Dec. 2004 pdf lines 250-272.)

      The attached patch will switch SecurityTokenReference from wsse:Reference to wsse:KeyIdentifier when handling SAML Assertions. I've confirmed Metro web service providers will now work with this patch. However, backwards compatibility issues with systems expecting the current wsse:Reference may need to be taken into account.

      WSS4J has another problem with not being able to decrypt SOAP responses that use wsse:KeyIdentifier instead of wsse:Reference for SAML Assertions. Namely, org.apache.ws.security.processor.ReferenceListProcessor's getKeyFromSecurityTokenReference() method will need changing to be able to work with SAML Assertions coming from a wsse:KeyIdentifier element instead of wsse:Reference. I was not immediately successful in getting this second part to work because I could not see how a SAMLTokenProcessor can be initialized from a KeyIdentifier instead of the Reference element within this method.

      Attachments

        1. EncryptedDataPatch.txt
          2 kB
          Glen Mazza
        2. patch238.txt
          4 kB
          Glen Mazza
        3. TestWSSecuritySAMLKeyIdentifier.java
          9 kB
          Glen Mazza
        4. WSS238_CXFClient_ALWAYS.txt
          46 kB
          Glen Mazza
        5. WSS238_MetroClient_ALWAYS.txt
          46 kB
          Glen Mazza
        6. WSS238Results.txt
          50 kB
          Glen Mazza
        7. wss-238-revised.patch
          19 kB
          Colm O hEigeartaigh

        Activity

          People

            coheigea Colm O hEigeartaigh
            gmazza Glen Mazza
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: