You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/06/02 15:43:17 UTC
[jira] [Assigned] (CXF-6432) Remove default empty password in
SamlTokenInterceptor
[ https://issues.apache.org/jira/browse/CXF-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned CXF-6432:
----------------------------------------
Assignee: Colm O hEigeartaigh
> Remove default empty password in SamlTokenInterceptor
> ------------------------------------------------------
>
> Key: CXF-6432
> URL: https://issues.apache.org/jira/browse/CXF-6432
> Project: CXF
> Issue Type: Improvement
> Components: WS-* Components
> Affects Versions: 2.7.16
> Reporter: Willem Salembier
> Assignee: Colm O hEigeartaigh
> Fix For: 2.7.17
>
>
> Our WS client needs to generate self-signed SAML assertions. Similar to the generation of X.509 message signatures, we like to centralize all key data in the crypto.properties file and don't provide private key passwords using the message context or callback handlers. (In absence of a password the Merlin Crypto implementation takes the default property org.apache.ws.security.crypto.merlin.keystore.private.password as key password)
> This is not possible in the 2.7.x branch because the SamlTokenInterceptor puts a default empty string password,if no password was set on the message context or inside the callbackhandler.
> {code}
> if (password == null) {
> password = "";
> }
> {code}
> https://github.com/apache/cxf/blob/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L301
> I don't really understand the intention. Could this be removed cfr the cleanup in CXF 3.0?
> https://github.com/apache/cxf/blob/5faf182264c64bd3c0abc0addc9746b64492c864/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L277
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)