You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by "Brian Reinhold (JIRA)" <ji...@apache.org> on 2015/08/04 14:51:04 UTC

[jira] [Commented] (RAMPART-387) Rampart reports SAML Token Missing In Request

    [ https://issues.apache.org/jira/browse/RAMPART-387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14653568#comment-14653568 ] 

Brian Reinhold commented on RAMPART-387:
----------------------------------------

Hey,

Isn't anyone going to resolve this issue? The issue is still indicated as OPEN. The fix I have proposed works so all that is needed is to implement it in the distribution!

> Rampart reports SAML Token Missing In Request
> ---------------------------------------------
>
>                 Key: RAMPART-387
>                 URL: https://issues.apache.org/jira/browse/RAMPART-387
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.6.2
>         Environment: Windows 7 64; Axis2/Rampart deployment in Tomcat
>            Reporter: Brian Reinhold
>              Labels: newbie
>             Fix For: 1.6.3
>
>
> When sending a message containing a SAML Token generated by Rampart's STS service, the module PolicyBasedResultsValidator.handleSupportingTokens() throws a RampartException with 
> message "samlTokenMissing".
> I believe the error is due to only attempting to validate an unsigned token. The token created by the STS service is signed as it must be by WS Security requirements. 
> Starting at line 323 one sees:
>             else if (token instanceof IssuedToken)
>             {
>                 //TODO is is enough to check for ST_UNSIGNED results ??
>                 WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
>                 if (samlResult == null)
>                 {
>                     throw new RampartException("samlTokenMissing");
>                 }
> There needs to be a check for ST_SIGNED.
> I do not know how to build the distribution or I would try this myself.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org