Colm O hEigeartaigh created WSS-479:
---------------------------------------
Summary: Inbound streaming does not handle Symmetric Holder-Of-Key
correctly
Key: WSS-479
URL: https://issues.apache.org/jira/browse/WSS-479
Project: WSS4J
Issue Type: Bug
Reporter: Colm O hEigeartaigh
Assignee: Marc Giger
Fix For: 2.0
The streaming code has a problem when processing a request which contains a
Holder-of-key SAML Assertion with a Subject which has an EncryptedKey in the
KeyInfo, and a Signature in the security header which uses HMAC + points to the
SAML Assertion.
The following code in SecurityTokenFactoryImpl:
if (keyInfoType != null) {
final SecurityTokenReferenceType securityTokenReferenceType
= XMLSecurityUtils.getQNameType(keyInfoType.getContent(),
WSSConstants.TAG_wsse_SecurityTokenReference);
... bypasses the EncryptedKey, and instead only returns a SecurityToken of the
(encrypting) certificate. Instead it should detect that the immediate child of
KeyInfo is an EncryptedKey + process this accordingly.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
