You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2012/11/27 16:47:58 UTC
[jira] [Created] (CXF-4655) Enforce SAML SubjectConfirmation
requirements for the non WS-SecurityPolicy case
Colm O hEigeartaigh created CXF-4655:
----------------------------------------
Summary: Enforce SAML SubjectConfirmation requirements for the non WS-SecurityPolicy case
Key: CXF-4655
URL: https://issues.apache.org/jira/browse/CXF-4655
Project: CXF
Issue Type: Improvement
Components: WS-* Components
Affects Versions: 2.7.0, 2.6.3, 2.5.6
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 2.5.7, 2.6.4, 2.7.1
If using WS-SecurityPolicy, Subject Confirmation requirements are enforced on SAML Tokens. So for HolderOfKey, the subject credential of the SAML Assertion must have been used to sign some portion of the message, or else must match a client certificate if 2-way TLS is used. For SenderVouches, the SAML Assertion and SOAP Body must be signed by the same credential (TLS or message level).
However, this is not enforced for the non WS-SecurityPolicy approach, which uses simple WSS4J actions. This task is to add this support to CXF. It will be enabled by default in CXF 2.7.1, but disabled by default in CXF 2.5.6 and 2.6.4. It is configurable via the jaxws property SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION ("ws-security.validate.saml.subject.conf").
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (CXF-4655) Enforce SAML SubjectConfirmation
requirements for the non WS-SecurityPolicy case
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-4655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved CXF-4655.
--------------------------------------
Resolution: Fixed
> Enforce SAML SubjectConfirmation requirements for the non WS-SecurityPolicy case
> --------------------------------------------------------------------------------
>
> Key: CXF-4655
> URL: https://issues.apache.org/jira/browse/CXF-4655
> Project: CXF
> Issue Type: Improvement
> Components: WS-* Components
> Affects Versions: 2.5.6, 2.6.3, 2.7.0
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 2.5.7, 2.6.4, 2.7.1
>
>
> If using WS-SecurityPolicy, Subject Confirmation requirements are enforced on SAML Tokens. So for HolderOfKey, the subject credential of the SAML Assertion must have been used to sign some portion of the message, or else must match a client certificate if 2-way TLS is used. For SenderVouches, the SAML Assertion and SOAP Body must be signed by the same credential (TLS or message level).
> However, this is not enforced for the non WS-SecurityPolicy approach, which uses simple WSS4J actions. This task is to add this support to CXF. It will be enabled by default in CXF 2.7.1, but disabled by default in CXF 2.5.6 and 2.6.4. It is configurable via the jaxws property SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION ("ws-security.validate.saml.subject.conf").
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira