Posted to issues@cxf.apache.org by "Jan Monterrubio (Jira)" <ji...@apache.org> on 2021/03/18 19:08:00 UTC
[jira] [Created] (CXF-8438) Out/In Interceptor requires additional IN action when using SAMLTokenSigned
Jan Monterrubio created CXF-8438:
------------------------------------
Summary: Out/In Interceptor requires additional IN action when using SAMLTokenSigned
Key: CXF-8438
URL: https://issues.apache.org/jira/browse/CXF-8438
Project: CXF
Issue Type: Bug
Components: WS-* Components
Reporter: Jan Monterrubio
Attachments: image-2021-03-18-13-52-27-215.png, image-2021-03-18-13-56-06-919.png, image-2021-03-18-13-58-10-702.png, image-2021-03-18-13-58-44-532.png, image-2021-03-18-14-02-05-830.png, image-2021-03-18-14-03-06-005.png
h2. Issue
I am using the "SAMLTokenSigned" action in my client and server setup.
h3. Out Transport
Using the action in the WSS4JOutInterceptor works correctly and ends up setting a single HandlerAction when sending data down to doSenderAction:
!image-2021-03-18-13-52-27-215.png!
The action constant is ST_SIGNED:
!image-2021-03-18-13-56-06-919.png!
h3. Inbound Data
When processing the header, there seems to be an additional action discovered.
The first WSSecurityEngineResult is a SAMLToken:
!image-2021-03-18-13-58-10-702.png!
A second WSSecurityEngine result is added based on the SignatureProcessor:
!image-2021-03-18-13-58-44-532.png!
The failure then happens when checkReceiverResultsInAnyOrder is invoked.
We have 1 recorded action and 2 found actions in the wsResult value:
!image-2021-03-18-14-02-05-830.png!
When checking if that additional action, which is a signature, is part of the recorded action, the check will fail and our interceptor will produce a fault:
!image-2021-03-18-14-03-06-005.png!
h3. Work Around
On the server side, we can set the actions to both "SAMLTokenSigned" and "Signature":
{code}
// TODO work around here is to add Signature to the actions
inProps.put("action", "SAMLTokenSigned Signature");
{code}
h2. Questions
1. Should the SAMLSignedToken handling also add a receiver action of SIGN (WSConstant.SC)?
h3. Sample that reproduces the issue
https://github.com/AnEmortalKid/cxf/tree/sign_saml_test/distribution/src/main/release/samples/ws_security/signed_saml_token
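The mismatch described in the report, as an added example that is not part of the original message or of the CXF/WSS4J code base: a simplified Java model of an any-order receiver check, in which the inbound side is rejected when it is configured with "SAMLTokenSigned" alone and accepted with the workaround value. The class, enum and method names are hypothetical, and the model assumes each found action must match one configured action with none left over.

```java
import java.util.ArrayList;
import java.util.List;

public class ReceiverActionCheckModel {
    // Hypothetical labels standing in for the WSS4J action constants.
    enum Action { SAML_TOKEN_SIGNED, SIGNATURE }

    /** Parses a space-separated "action" property value such as "SAMLTokenSigned Signature". */
    static List<Action> parseActions(String property) {
        List<Action> actions = new ArrayList<>();
        for (String name : property.trim().split("\\s+")) {
            switch (name) {
                case "SAMLTokenSigned": actions.add(Action.SAML_TOKEN_SIGNED); break;
                case "Signature": actions.add(Action.SIGNATURE); break;
                default: throw new IllegalArgumentException("Unknown action: " + name);
            }
        }
        return actions;
    }

    /** Any-order check: every found action must consume one configured action. */
    static boolean checkInAnyOrder(List<Action> found, List<Action> configured) {
        List<Action> recorded = new ArrayList<>(configured);
        for (Action action : found) {
            if (!recorded.remove(action)) {
                return false; // a result was found that the receiver was not configured to expect
            }
        }
        return recorded.isEmpty(); // assumption: a configured action with no result also fails
    }

    public static void main(String[] args) {
        // Constructed input: the two results the report describes for one signed SAML token.
        List<Action> found = List.of(Action.SAML_TOKEN_SIGNED, Action.SIGNATURE);

        // Receiver configured as in the failing setup, then with the workaround value.
        System.out.println("SAMLTokenSigned only: "
                + checkInAnyOrder(found, parseActions("SAMLTokenSigned")));
        System.out.println("SAMLTokenSigned Signature: "
                + checkInAnyOrder(found, parseActions("SAMLTokenSigned Signature")));
    }
}
```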