Posted to dev@ws.apache.org by Rebecca Searls <rs...@redhat.com> on 2014/09/19 17:32:59 UTC

SAML "Bearer" signing requirements question

With the move to CXF (3.0.2-SNAPSHOT) and WSS4j (2.0.2-SNAPSHOT),
our SAML "Bearer" assertion tests are now failing.  A change to 
org.apache.wss4j.dom.validate.SamlAssertionValidator now sets the default
behavior for a "Bearer" assertion to be that it MUST be signed.
see lines:
  : 
75  private boolean requireBearerSignature = true;
  :
  :
160               if (SAML2Constants.CONF_BEARER.equals(method)
161                    || SAML1Constants.CONF_BEARER.equals(method)) {
162                    standardMethodFound = true;
163                    if (requireBearerSignature && !signed) {
164                        LOG.debug("A Bearer Assertion was not signed");
165                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, 
166                                                     "invalidSAMLsecurity");
167                    }


Is a SAML "Bearer" assertion required to be signed as the default behavior?


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
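As an added illustration (not code from WSS4J or from this thread), here is a small Python check that applies the rule in the quoted lines to a constructed assertion: it reads the SubjectConfirmation method(s) and rejects a Bearer assertion that carries no enveloped ds:Signature, the same decision the excerpt makes. The sample assertions and the placeholder Signature element are constructed; the check tests signature presence only, not validity.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The same URIs WSS4J's SAML2Constants.CONF_BEARER / SAML1Constants.CONF_BEARER hold.
BEARER_METHODS = {
    "urn:oasis:names:tc:SAML:2.0:cm:bearer",
    "urn:oasis:names:tc:SAML:1.0:cm:bearer",
}

def confirmation_methods(assertion):
    """SubjectConfirmation methods of a SAML 2.0 (attribute) or SAML 1.x (element text) assertion."""
    methods = [sc.get("Method") for sc in assertion.iterfind(".//saml2:SubjectConfirmation", NS)]
    methods += [cm.text.strip() for cm in assertion.iterfind(".//saml1:ConfirmationMethod", NS) if cm.text]
    return methods

def check_bearer_signature(assertion_xml, require_bearer_signature=True):
    """Apply the excerpt's rule: a Bearer assertion must carry an enveloped ds:Signature.

    Returns (accepted, reason). Only the *presence* of the signature element is checked;
    WSS4J additionally verifies the signature cryptographically and checks issuer trust.
    """
    root = ET.fromstring(assertion_xml)
    signed = root.find("ds:Signature", NS) is not None
    for method in confirmation_methods(root):
        if method in BEARER_METHODS and require_bearer_signature and not signed:
            return False, "invalidSAMLsecurity: a Bearer Assertion was not signed"
    return True, "ok"

# Constructed sample assertions (the ds:Signature below is a placeholder, not a real signature).
UNSIGNED_BEARER = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1">
  <saml2:Subject><saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject></saml2:Assertion>"""
SIGNED_BEARER = UNSIGNED_BEARER.replace(
    "<saml2:Subject>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>'
    "<saml2:Subject>", 1)
UNSIGNED_HOK = UNSIGNED_BEARER.replace("cm:bearer", "cm:holder-of-key")

if __name__ == "__main__":
    for name, xml in [("unsigned bearer", UNSIGNED_BEARER), ("signed bearer", SIGNED_BEARER),
                      ("unsigned holder-of-key", UNSIGNED_HOK)]:
        print(name, check_bearer_signature(xml))
```

Running it shows that only the unsigned Bearer assertion is rejected under the default, which matches the failing tests described above.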


Re: SAML "Bearer" signing requirements question

Posted by Colm O hEigeartaigh <co...@apache.org>.
> Is a SAML "Bearer" assertion required to be signed as the default behavior?

Yes. There are almost no scenarios (outside of test-cases) where a SAML
Bearer Assertion will be unsigned.

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com