Question about Sender-Vouches and Body Signature

[andreas_triebel <an...@adesso.ch>]

Hi

A message with SV confirmation method is rejected by CXF if the SOAP body is
not signed (which is good I think).
My question: Is it possible to convince CXF to accept such a message?
I know this would break the idea of a subject confirmation method, but I
need to know if it's possible in CXF.

Thanks
-Andreas



--
View this message in context: http://cxf.547215.n5.nabble.com/Question-about-Sender-Vouches-and-Body-Signature-tp5719215.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Question about Sender-Vouches and Body Signature

[Colm O hEigeartaigh <co...@apache.org>]

Yes - you can use a security policy that only consists of a SAML Token
(without a security binding). For example see the "DoubleItBearerPolicy"
here:

http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl?view=markup

This activates the SamlTokenInterceptor which does not do any checking of
the Subject Confirmation.

Colm.

On Tue, Nov 27, 2012 at 2:22 PM, andreas_triebel
<an...@adesso.ch>wrote:

> Hi
>
> A message with SV confirmation method is rejected by CXF if the SOAP body
> is
> not signed (which is good I think).
> My question: Is it possible to convince CXF to accept such a message?
> I know this would break the idea of a subject confirmation method, but I
> need to know if it's possible in CXF.
>
> Thanks
> -Andreas
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Question-about-Sender-Vouches-and-Body-Signature-tp5719215.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com