Posted to issues@cxf.apache.org by "Jan Monterrubio (Jira)" <ji...@apache.org> on 2021/03/18 19:08:00 UTC

[jira] [Created] (CXF-8438) Out/In Interceptor requires additional IN action when using SAMLTokenSigned

Jan Monterrubio created CXF-8438:
------------------------------------

             Summary: Out/In Interceptor requires additional IN action when using SAMLTokenSigned
                 Key: CXF-8438
                 URL: https://issues.apache.org/jira/browse/CXF-8438
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
            Reporter: Jan Monterrubio
         Attachments: image-2021-03-18-13-52-27-215.png, image-2021-03-18-13-56-06-919.png, image-2021-03-18-13-58-10-702.png, image-2021-03-18-13-58-44-532.png, image-2021-03-18-14-02-05-830.png, image-2021-03-18-14-03-06-005.png

h2. Issue

I am using the "SAMLTokenSigned" action in my client and server setup. 


h3. Out Transport

Using the action in the WSS4JOutInterceptor works correctly and ends up setting a single HandlerAction when sending data down to doSenderAction:

!image-2021-03-18-13-52-27-215.png!

The action constant is ST_SIGNED:
!image-2021-03-18-13-56-06-919.png!

h3. Inbound Data

When processing the header, there seems to be an additional action discovered. 

The first WSSecurityEngineResult is a SAMLToken:

 !image-2021-03-18-13-58-10-702.png! 

A second WSSecurityEngine result is added based on the SignatureProcessor:

 !image-2021-03-18-13-58-44-532.png! 

The failure then happens when checkReceiverResultsInAnyOrder is invoked.

We have 1 recorded action and 2 found actions in the wsResult value:

 !image-2021-03-18-14-02-05-830.png! 

When checking if that additional action, which is a signature, is part of the recorded action, the check will fail and our interceptor will produce a fault:

 !image-2021-03-18-14-03-06-005.png! 

h3. Work Around

On the server side, we can set the actions to both a "SAMLTokenSigned" and "Signature":

{code}
// TODO work around here is to add Signature to the actions
inProps.put("action", "SAMLTokenSigned Signature");
{code}

h2. Questions

1. Should the SAMLSignedToken handling also add a receiver action of SIGN (WSConstant.SC)?

h3. Sample that reproduces the issue

https://github.com/AnEmortalKid/cxf/tree/sign_saml_test/distribution/src/main/release/samples/ws_security/signed_saml_token
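
The mismatch described in this report, as an added example that is not part of the original issue and is not CXF or WSS4J code: a simplified Java model of an any-order check between the configured receiver actions and the results found in the security header. The `Action` enum, `parseActions` and `resultsMatchAnyOrder` are hypothetical names; the model assumes, as the report describes, that the SAML token result matches the configured "SAMLTokenSigned" action and only the signature result is left unmatched.

```java
import java.util.ArrayList;
import java.util.List;

public class ActionCheckModel {
    // Hypothetical stand-ins for the WSS4J action constants named in the report.
    enum Action { ST_SIGNED, SIGN }

    // Maps the space-separated "action" property to actions (only the two names used here).
    static List<Action> parseActions(String property) {
        List<Action> actions = new ArrayList<>();
        for (String name : property.trim().split("\\s+")) {
            switch (name) {
                case "SAMLTokenSigned": actions.add(Action.ST_SIGNED); break;
                case "Signature": actions.add(Action.SIGN); break;
                default: throw new IllegalArgumentException("unmodelled action: " + name);
            }
        }
        return actions;
    }

    // Simplified any-order check (an assumption of this model): each found result
    // must consume one configured action, and no configured action may be left over.
    static boolean resultsMatchAnyOrder(List<Action> found, List<Action> configured) {
        List<Action> remaining = new ArrayList<>(configured);
        for (Action action : found) {
            if (!remaining.remove(action)) {
                return false; // a result the receiver was not configured to expect
            }
        }
        return remaining.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample: the two results the report describes for one inbound message,
        // a SAML token result followed by a signature result.
        List<Action> found = List.of(Action.ST_SIGNED, Action.SIGN);

        // Receiver configured with the same single action the sender used.
        System.out.println("action=SAMLTokenSigned           -> "
                + resultsMatchAnyOrder(found, parseActions("SAMLTokenSigned")));
        // Receiver configured with the workaround from the report.
        System.out.println("action=SAMLTokenSigned Signature -> "
                + resultsMatchAnyOrder(found, parseActions("SAMLTokenSigned Signature")));
    }
}
```

In this model the first configuration is rejected because the signature result has no configured action to consume, and the second is accepted because both results are matched with nothing left over.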


