You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2019/01/24 12:22:00 UTC
[jira] [Closed] (CXF-7941) SamlValidator does not work with chain
trust
[ https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed CXF-7941.
------------------------------------
> SamlValidator does not work with chain trust
> --------------------------------------------
>
> Key: CXF-7941
> URL: https://issues.apache.org/jira/browse/CXF-7941
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 3.2.7
> Reporter: Tomas Vanhala
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Attachments: cxf7941.zip, obsolete-code.txt, request-real-sanitised.xml, request-test-broken-sanitised.xml, request-test-working-sanitised.xml, stacktrace-request-test-broken.txt
>
>
> As explained here [http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html,] WSS4J supports specifying constraints on the subject DN of the certificate used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to sign the requests from the Merlin trust store, and setting an appropriate Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to handle a scenario where the certificate used to sign the requests is not in the trust store. The problem seems to be in the method findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by including the needed PKI code in a customised SamlValidator, but we would rather not go this route.
> Please fix chain trust in WSS4J SAML validation.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)