You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "Brian Reinhold (JIRA)" <ji...@apache.org> on 2012/09/09 13:53:09 UTC
[jira] [Comment Edited] (RAMPART-387) Rampart reports SAML Token
Missing In Request
[ https://issues.apache.org/jira/browse/RAMPART-387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451577#comment-13451577 ]
Brian Reinhold edited comment on RAMPART-387 at 9/9/12 10:52 PM:
-----------------------------------------------------------------
I have been able to locally fix this bug by simply checking for the signed version first and if that returns null, checking for an unsigned version. Since Rampart's default STS service creates a signed SAML token the modification accepts the token and the transaction succeeds.
However Rampart is not using the token certificate to validate the signature but the certificate of the STS. There is nothing wrong with that trust model but it is not the one I want and would love to know how to change or configure it.
In any case the code to fix this bug is very simple if someone would care to do it:
else if (token instanceof IssuedToken)
{
//TODO is is enough to check for ST_UNSIGNED results ?? NO!!!
WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_SIGNED);
if (samlResult == null)
{
samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
if(samlResult == null)
{
throw new RampartException("samlTokenMissing");
}
}
}
was (Author: gyannea):
I have been able to locally fix this bug by simply checking for the signed version first and if that returns null, checking for an unsigned version. Since Rampart's default STS service creates a signed SAML
token the modification accepts the token and the transaction succeeds.
However Rampart is not using the token certificate to validate the signature but the certificate of the STS. There is nothing wrong with that trust model but it is not the one I want and would love to know
how to change or configure it.
In any case the code to fix this bug is very simple if someone would care to do it:
else if (token instanceof IssuedToken)
{
//TODO is is enough to check for ST_UNSIGNED results ?? NO!!!
WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_SIGNED);
if (samlResult == null)
{
samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
if(samlResult == null)
{
throw new RampartException("samlTokenMissing");
}
}
}
> Rampart reports SAML Token Missing In Request
> ---------------------------------------------
>
> Key: RAMPART-387
> URL: https://issues.apache.org/jira/browse/RAMPART-387
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.6.2
> Environment: Windows 7 64; Axis2/Rampart deployment in Tomcat
> Reporter: Brian Reinhold
> Labels: newbie
> Fix For: 1.6.2
>
>
> When sending a message containing a SAML Token generated by Rampart's STS service, the module PolicyBasedResultsValidator.handleSupportingTokens() throws a RampartException with
> message "samlTokenMissing".
> I believe the error is due to only attempting to validate an unsigned token. The token created by the STS service is signed as it must be by WS Security requirements.
> Starting at line 323 one sees:
> } else if (token instanceof IssuedToken) {
> //TODO is is enough to check for ST_UNSIGNED results ??
> WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
> if (samlResult == null)
> {
> throw new RampartException("samlTokenMissing");
> }
> There needs to be a check for ST_SIGNED.
> I do not know how to build the distribution or I would try this myself.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org