Posted to dev@ws.apache.org by Rebecca Searls <rs...@redhat.com> on 2014/09/19 17:32:59 UTC
SAML "Bearer" signing requirements question
With the move to CXF (3.0.2-SNAPSHOT) and WSS4J (2.0.2-SNAPSHOT),
our SAML "Bearer" assertion tests are now failing. A change to
org.apache.wss4j.dom.validate.SamlAssertionValidator now sets the default
behavior for a "Bearer" assertion to be that it MUST be signed.
See lines:
    :
 75     private boolean requireBearerSignature = true;
    :
    :
160         if (SAML2Constants.CONF_BEARER.equals(method)
161             || SAML1Constants.CONF_BEARER.equals(method)) {
162             standardMethodFound = true;
163             if (requireBearerSignature && !signed) {
164                 LOG.debug("A Bearer Assertion was not signed");
165                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
166                     "invalidSAMLsecurity");
167             }
Is a SAML "Bearer" assertion required to be signed as the default behavior?
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
Re: SAML "Bearer" signing requirements question
Posted by Colm O hEigeartaigh <co...@apache.org>.
> Is a SAML "Bearer" assertion required to be signed as the default behavior?
Yes. There are almost no scenarios (outside of test-cases) where a SAML
Bearer Assertion will be unsigned.
Colm.
On Fri, Sep 19, 2014 at 4:32 PM, Rebecca Searls <rs...@redhat.com> wrote:
>
> With the move to CXF (3.0.2-SNAPSHOT) and WSS4J (2.0.2-SNAPSHOT),
> our SAML "Bearer" assertion tests are now failing. A change to
> org.apache.wss4j.dom.validate.SamlAssertionValidator now sets the default
> behavior for a "Bearer" assertion to be that it MUST be signed.
> See lines:
> :
> 75 private boolean requireBearerSignature = true;
> :
> :
> 160 if (SAML2Constants.CONF_BEARER.equals(method)
> 161 || SAML1Constants.CONF_BEARER.equals(method)) {
> 162 standardMethodFound = true;
> 163 if (requireBearerSignature && !signed) {
> 164 LOG.debug("A Bearer Assertion was not signed");
> 165 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
> 166 "invalidSAMLsecurity");
> 167 }
>
>
> Is a SAML "Bearer" assertion required to be signed as the default behavior?
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
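
The check discussed in this thread, as an added stand-alone example (not part of either message and not WSS4J code): it applies the same "bearer and not signed" condition to a SAML 2.0 assertion using only JDK XML classes. The class name, the accept() helper and the sample assertions are assumptions made for illustration, and the code only detects whether an enveloped ds:Signature element is present; it does not verify the signature or the signer's trust.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class BearerSignatureCheck {   // hypothetical class, not from WSS4J
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    /** Returns false when a bearer assertion carries no signature and one is required. */
    static boolean accept(String xml, boolean requireBearerSignature) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so untrusted assertions cannot trigger XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Assumption: the Assertion is the document element of the input.
        Element assertion = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();

        // An enveloped signature is a direct ds:Signature child of the Assertion.
        boolean signed = false;
        for (Node n = assertion.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && DSIG_NS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                signed = true;
            }
        }
        NodeList confs = assertion.getElementsByTagNameNS(SAML2_NS, "SubjectConfirmation");
        for (int i = 0; i < confs.getLength(); i++) {
            String method = ((Element) confs.item(i)).getAttribute("Method");
            if (CM_BEARER.equals(method) && requireBearerSignature && !signed) {
                return false;   // same condition as the quoted lines 160-167
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample assertions, trimmed to the elements the check reads.
        String open = "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS
                + "\" xmlns:ds=\"" + DSIG_NS + "\">";
        String subject = "<saml2:Subject><saml2:SubjectConfirmation Method=\""
                + CM_BEARER + "\"/></saml2:Subject></saml2:Assertion>";
        System.out.println("unsigned, signature required: " + accept(open + subject, true));
        System.out.println("unsigned, requirement off:    " + accept(open + subject, false));
        System.out.println("signature element present:    "
                + accept(open + "<ds:Signature/>" + subject, true));
    }
}
```

A bearer assertion has no holder-of-key proof, so the issuer's signature is the only thing tying its contents to the issuer; that is why the unsigned case is the one rejected by default.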