  WSS4J / WSS-90

SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 1.5.6
    • Fix Version/s: 1.5.7, 1.6
    • Component/s: None
    • Labels:
      None
    • Environment:
      Windows XP, Axis2 1.3, WSS4J 1.5.3

      Description

      The SAML Core 1.1 specification mentions that the <ds:KeyInfo> element is optional under the <SubjectConfirmation> element (under <Subject>).

      The following call fails when the incoming SAML assertion contains a <SubjectConfirmation> element without a KeyInfo child element:

      Element e = samlSubj.getKeyInfo(); // line 122
      X509Certificate[] certs = null;
      try {
          KeyInfo ki = new KeyInfo(e, null);

      The constructor KeyInfo(e, null) fails and throws an XMLSecurityException when e is null (which is true when samlSubj.getKeyInfo() returns null).
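
      A null-safe way to read the optional KeyInfo, as an added example (not WSS4J's code and not part of the report). It uses only JDK DOM and certificate APIs on a constructed SAML 1.1 assertion; the class name SubjectKeyInfoCheck and the method subjectCerts are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SubjectKeyInfoCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Returns the certificates under SubjectConfirmation/ds:KeyInfo. An empty list
    // means the subject carries no key, so the caller must not treat the assertion
    // as confirmed by proof of key possession.
    static List<X509Certificate> subjectCerts(Element assertion) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        NodeList confs = assertion.getElementsByTagNameNS(SAML_NS, "SubjectConfirmation");
        if (confs.getLength() == 0) return certs;
        NodeList kis = ((Element) confs.item(0)).getElementsByTagNameNS(DS_NS, "KeyInfo");
        if (kis.getLength() == 0) return certs; // KeyInfo is optional: the case in this report
        NodeList x509 = ((Element) kis.item(0)).getElementsByTagNameNS(DS_NS, "X509Certificate");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (int i = 0; i < x509.getLength(); i++) {
            byte[] der = Base64.getMimeDecoder().decode(x509.item(i).getTextContent());
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a SubjectConfirmation with no ds:KeyInfo child.
        String xml = "<saml:Assertion xmlns:saml='" + SAML_NS + "'>"
            + "<saml:AuthenticationStatement><saml:Subject>"
            + "<saml:SubjectConfirmation><saml:ConfirmationMethod>"
            + "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
            + "</saml:ConfirmationMethod></saml:SubjectConfirmation>"
            + "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element assertion = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        System.out.println("subject certificates: " + subjectCerts(assertion).size());
    }
}
```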

            People

            • Assignee:
              ruchith Ruchith Udayanga Fernando
              Reporter:
              murakris Murali Gunasekaran