Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2013/12/23 18:03:51 UTC

[jira] [Commented] (CXF-5424) JAX-RS Security Code can not validate signed SAML2 bearer assertions without KeyInfo

    [ https://issues.apache.org/jira/browse/CXF-5424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13855765#comment-13855765 ] 

Sergey Beryozkin commented on CXF-5424:
---------------------------------------

The XML Signature specification mentions that KeyInfo is an optional element and the application is expected to load it out of band if it is missing. IMHO it is safe to provide a basic out-of-band mechanism, for example, use a default crypto alias to load a certificate which can be used to validate a signature, a minor positive is that the processing should be faster too.  

In case of non-SAML2 payloads, for example, when we have the XML signature added only, we can try to use the authenticated user as the alias or the default crypto alias to load a certificate.

In case of RACS we can only try a default crypto alias; we can also extend that if needed to use the subject names as aliases, however I'm not sure it is practical yet; in this case it is really an IDP certificate that we need. I guess this implies RACS will need its own signature crypto - which seems reasonable. 

> JAX-RS Security Code can not validate signed SAML2 bearer assertions without KeyInfo
> ------------------------------------------------------------------------------------
>
>                 Key: CXF-5424
>                 URL: https://issues.apache.org/jira/browse/CXF-5424
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>            Reporter: Sergey Beryozkin
>
> Signed SAML2 Bearer assertions may not always have XML Signature KeyInfo elements available. The JAX-RS security code fails to validate such assertions but it should be able to *optionally* validate them without KeyInfo 



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
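The out-of-band mechanism discussed in the comment above, as an added illustration that is not CXF code and not part of the original message: a JSR 105 (javax.xml.crypto.dsig) KeySelector that verifies an XML Signature using the embedded X509Certificate when KeyInfo is present (and only if that certificate is already in a trust store), and otherwise loads a certificate out of band from the trust store by alias. The alias order mirrors the comment: the authenticated principal's alias first (non-SAML payloads), then a default alias (the only option in the RACS case, where the certificate is really the IDP's). The class and method names, the keystore-backed trust store, and the alias names are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Example (not CXF code): KeySelector that falls back to keystore aliases when KeyInfo is absent. */
public class OutOfBandKeySelector extends KeySelector {
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    private final KeyStore trustStore;   // assumed: certificates we trust to sign assertions/payloads
    private final String principalAlias; // authenticated user's alias, or null (e.g. the RACS case)
    private final String defaultAlias;   // hypothetical "default crypto alias", e.g. the IDP cert

    public OutOfBandKeySelector(KeyStore trustStore, String principalAlias, String defaultAlias) {
        this.trustStore = trustStore;
        this.principalAlias = principalAlias;
        this.defaultAlias = defaultAlias;
    }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                    XMLCryptoContext context) throws KeySelectorException {
        if (purpose != Purpose.VERIFY) {
            throw new KeySelectorException("selector only supports signature verification");
        }
        try {
            if (keyInfo != null) {
                // KeyInfo present: accept an embedded X509Certificate only if it is in the trust store.
                // A certificate is never trusted merely because the signer embedded it.
                for (Object structure : keyInfo.getContent()) {
                    if (!(structure instanceof X509Data)) continue;
                    for (Object item : ((X509Data) structure).getContent()) {
                        if (item instanceof X509Certificate && isTrusted((X509Certificate) item)) {
                            X509Certificate cert = (X509Certificate) item;
                            return () -> cert.getPublicKey();
                        }
                    }
                }
                throw new KeySelectorException("KeyInfo carries no trusted certificate");
            }
            // No KeyInfo: load the verification certificate out of band.
            // Principal alias first (non-SAML payloads), then the default alias (RACS only has this).
            for (String alias : new String[] { principalAlias, defaultAlias }) {
                if (alias == null) continue;
                Certificate cert = trustStore.getCertificate(alias);
                if (cert != null) {
                    return () -> cert.getPublicKey();
                }
            }
            throw new KeySelectorException("no KeyInfo and no out-of-band certificate for the configured aliases");
        } catch (KeyStoreException e) {
            throw new KeySelectorException(e);
        }
    }

    /** True only if the exact certificate is an entry of the trust store. */
    private boolean isTrusted(X509Certificate cert) throws KeyStoreException {
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate trusted = trustStore.getCertificate(aliases.nextElement());
            if (cert.equals(trusted)) return true;
        }
        return false;
    }

    /** Validates the first ds:Signature in doc, registering SAML2 Assertion ID attributes first. */
    public static boolean validate(Document doc, KeySelector selector) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalStateException("no ds:Signature element");
        DOMValidateContext ctx = new DOMValidateContext(selector, sigs.item(0));
        // Without this, a Reference URI="#<assertion ID>" cannot be resolved by the DOM provider
        // (the parser does not know that the SAML "ID" attribute is of type ID).
        NodeList assertions = doc.getElementsByTagNameNS(SAML2_NS, "Assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            ctx.setIdAttributeNS((Element) assertions.item(i), null, "ID");
        }
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return signature.validate(ctx);
    }
}
```

Two caveats a practitioner would want. First, a valid signature resolved out of band proves only "signed by whoever holds the key for that alias", so the alias must point at a certificate you actually trust for that role (the IDP's for assertions), and `validate` should additionally confirm that the signed Reference covers the Assertion element itself rather than some unrelated node, which the example does not do. Second, the example checks only the first `ds:Signature` in the document; a payload carrying several signatures needs each one mapped to the element it is supposed to cover.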