Posted to rampart-dev@ws.apache.org by "Jesse Pangburn (JIRA)" <ji...@apache.org> on 2010/03/25 02:25:27 UTC

[jira] Commented: (RAMPART-231) Implementing the SAML 2.0 support in Rampart

    [ https://issues.apache.org/jira/browse/RAMPART-231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12849564#action_12849564 ] 

Jesse Pangburn commented on RAMPART-231:
----------------------------------------

Hi,
I tested this with the patch Thilina submitted to WSS4J #204, and while that patch does seem to validate that there's a SAML 2 token there (and checks the digital signatures apparently), I'm confused how it's supposed to verify it's the right token.

I modified the Sample08 you provided to have a SupportingTokens element with this content:
...
           <sp:Issuer>
               <Address xmlns="http://www.w3.org/2005/08/addressing">SAMPLE_STS1</Address>
           </sp:Issuer>
           <sp:RequestSecurityTokenTemplate>
              <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
              <t:KeyType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
              <t:KeySize xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
           </sp:RequestSecurityTokenTemplate>
...

I know this was read with original WSS4J 1.5.8 because it would always fail if the SupportingTokens element was present.  After I used your patch on WSS4J, then it was successful.  So I changed the issuer to "SAMPLE_STS1" to see if it would throw an error because the issuer is "SAMPLE_STS", but sadly it does not.  It also does not care if you change the TokenType to "2.1" or something.  In the PolicyBasedResultsValidator.java I see this relevant section:

            } else if ( token instanceof IssuedToken ) {
                //TODO is it enough to check for ST_UNSIGNED results ??
                WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
                if(samlResult == null) {
                    throw new RampartException("samlTokenMissing");
                }

It has the SupportingTokens element at this point.  In the debugger I see the "SAMPLE_STS1" in the issuer element in the token variable, and I see the content in the actual token "SAMPLE_STS" in the samlResult variable.  But it doesn't do any check to see if this or other fields match.  Is that supposed to happen here from your "TODO" comment?

Also, if this is the wrong place to post this, please excuse me and delete the comment :-)

thanks,
Jesse


> Implementing the SAML 2.0 support in Rampart
> --------------------------------------------
>
>                 Key: RAMPART-231
>                 URL: https://issues.apache.org/jira/browse/RAMPART-231
>             Project: Rampart
>          Issue Type: New Feature
>          Components: rampart-trust
>    Affects Versions: 1.4
>            Reporter: Thilina Buddhika
>            Assignee: Nandana Mihindukulasooriya
>             Fix For: 1.5
>
>         Attachments: rampart-final.patch, rampart-modified.patch, rampart.patch
>
>
> Currently Rampart only supports the previous versions of SAML, but not SAML 2.0. But having the support for SAML 2.0 is vital and it will benefit the Rampart users a lot. So it will be great to have SAML 2.0 support in Rampart.
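The check Jesse is asking about (does the SAML token found in the results actually match the IssuedToken assertion in the policy) is what the quoted validator fragment stops short of. The following is an added example, not code from Rampart, WSS4J or the attached patches, of the matching a validator would do at that point. It uses only the JDK DOM parser, so the OpenSAML and Rampart types are left out; it assumes the two policy values have already been pulled out of the IssuedToken assertion as strings (the text of sp:Issuer/Address and the t:TokenType URI), and the SAML 2.0 assertion it parses is a constructed sample standing in for the token that "SAMPLE_STS" issued.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class IssuedTokenPolicyCheck {

    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample assertion: stands in for the token issued by "SAMPLE_STS".
    static final String SAMPLE_ASSERTION =
        "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\" ID=\"_constructed-1\""
        + " Version=\"2.0\" IssueInstant=\"2010-03-25T00:00:00Z\">"
        + "<saml2:Issuer>SAMPLE_STS</saml2:Issuer>"
        + "<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>"
        + "</saml2:Assertion>";

    /** Parses the assertion with DTD processing disabled and returns its root element. */
    static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement();
    }

    /** Text of the first direct child {ns}localName of parent, or null if there is none. */
    static String childText(Element parent, String ns, String localName) {
        NodeList children = parent.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && ns.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return n.getTextContent().trim();
            }
        }
        return null;
    }

    /**
     * Returns null when the token satisfies the policy, otherwise the reason it does not.
     * expectedIssuer is the sp:Issuer/Address text, expectedTokenType the t:TokenType URI.
     * Assumption: TokenType is given as the assertion namespace URI, as in the policy above;
     * the WSS SAML token profile URIs would need a mapping before this comparison.
     */
    static String validate(Element assertion, String expectedIssuer, String expectedTokenType) {
        String actualType = assertion.getNamespaceURI();
        if (!"Assertion".equals(assertion.getLocalName()) || !expectedTokenType.equals(actualType)) {
            return "token type mismatch: policy expects " + expectedTokenType + ", token is " + actualType;
        }
        if (!SAML2_NS.equals(actualType)) {
            return "only SAML 2.0 assertions are handled by this check";
        }
        if (!"2.0".equals(assertion.getAttribute("Version"))) {
            return "assertion Version attribute is not 2.0";
        }
        // In SAML 2.0 the issuer is a child element; in SAML 1.x it is an attribute.
        String issuer = childText(assertion, SAML2_NS, "Issuer");
        if (issuer == null) {
            return "assertion has no Issuer element";
        }
        if (!issuer.equals(expectedIssuer)) {
            return "issuer mismatch: policy expects " + expectedIssuer + ", token was issued by " + issuer;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Element a = parseAssertion(SAMPLE_ASSERTION);
        // Policy and token agree: prints null.
        System.out.println(validate(a, "SAMPLE_STS", SAML2_NS));
        // Issuer changed to SAMPLE_STS1 in the policy: now rejected.
        System.out.println(validate(a, "SAMPLE_STS1", SAML2_NS));
        // TokenType changed to a "2.1" URN in the policy: also rejected.
        System.out.println(validate(a, "SAMPLE_STS", "urn:oasis:names:tc:SAML:2.1:assertion"));
    }
}
```

The two rejected cases in main are exactly the two experiments described in the comment (issuer "SAMPLE_STS1", token type "2.1") that the patched code let through. In a real validator the issuer comparison would be made against the trusted STS identity the policy names, and the digital signature check that WSS4J already performs stays a separate, prior step: a valid signature only proves some issuer signed the assertion, not that it is the issuer the policy asked for.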

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.