Willem Salembier created CXF-6432:
-------------------------------------
Summary: Remove default empty password in SamlTokenInterceptor
Key: CXF-6432
URL: https://issues.apache.org/jira/browse/CXF-6432
Project: CXF
Issue Type: Improvement
Components: WS-* Components
Affects Versions: 2.7.16
Reporter: Willem Salembier
Fix For: 2.7.17
Our WS client needs to generate self-signed SAML assertions. Similar to the
generation of X.509 message signatures, we would like to centralize all key data in
the crypto.properties file and not provide private key passwords using the
message context or callback handlers. (In the absence of a password the Merlin
Crypto implementation takes the default property
org.apache.ws.security.crypto.merlin.keystore.private.password as key password.)
This is not possible in the 2.7.x branch because the SamlTokenInterceptor puts
a default empty string password, if no password was set on the message context
or inside the callback handler.
{code}
if (password == null) {
password = "";
}
{code}
https://github.com/apache/cxf/blob/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L301
I don't really understand the intention. Could this be removed cfr the cleanup
in CXF 3.0?
https://github.com/apache/cxf/blob/5faf182264c64bd3c0abc0addc9746b64492c864/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L277
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
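The following is an added, stand-alone example (not CXF or WSS4J code) that reproduces the effect the issue describes: a `null` key password lets the Merlin-style fallback read `org.apache.ws.security.crypto.merlin.keystore.private.password` from the crypto properties, whereas the empty-string default from the 2.7.x interceptor shadows that property and the key cannot be unlocked. It assumes a JCEKS secret-key entry as a stand-in for the password-protected signing private key (creating a self-signed certificate needs extra libraries), and `resolveKeyPassword` is a deliberately simplified model of Merlin's lookup order, not its actual implementation.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import javax.crypto.spec.SecretKeySpec;

public class KeyPasswordFallbackDemo {

    // Property name taken from the issue text (real WSS4J Merlin property).
    static final String MERLIN_PRIVATE_PASSWORD =
        "org.apache.ws.security.crypto.merlin.keystore.private.password";

    // Simplified model (assumption) of Merlin's behaviour: only a null password
    // falls through to the crypto.properties default; "" is a real (wrong) password.
    static String resolveKeyPassword(String passwordFromContext, Properties cryptoProps) {
        if (passwordFromContext != null) {
            return passwordFromContext;
        }
        return cryptoProps.getProperty(MERLIN_PRIVATE_PASSWORD);
    }

    // The 2.7.x SamlTokenInterceptor default quoted in the issue.
    static String legacyDefault(String password) {
        return password == null ? "" : password;
    }

    // True if the key entry can be recovered with the given password.
    static boolean canUnlock(KeyStore ks, String alias, String pwd) {
        try {
            char[] chars = pwd == null ? new char[0] : pwd.toCharArray();
            return ks.getKey(alias, chars) != null;
        } catch (GeneralSecurityException e) {
            return false; // wrong or missing key password
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory keystore: the entry has its own key password.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        ks.setEntry("saml-signer",
            new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
            new KeyStore.PasswordProtection("key-secret".toCharArray()));

        // Stands in for crypto.properties; constructed value.
        Properties crypto = new Properties();
        crypto.setProperty(MERLIN_PRIVATE_PASSWORD, "key-secret");

        // Nothing was set on the message context or by a callback handler.
        String fromContext = null;

        // 2.7.x path: the empty-string default shadows the properties file.
        String legacy = legacyDefault(fromContext);
        System.out.println("with empty default: "
            + canUnlock(ks, "saml-signer", resolveKeyPassword(legacy, crypto)));

        // Without the default: null reaches the fallback and the property is used.
        System.out.println("without default:    "
            + canUnlock(ks, "saml-signer", resolveKeyPassword(fromContext, crypto)));
    }
}
```

Run with `javac KeyPasswordFallbackDemo.java && java KeyPasswordFallbackDemo`. The first line reports that the key cannot be unlocked when the empty-string default is applied, the second that it can once a `null` password is allowed to reach the properties-based fallback, which is the behaviour difference between the 2.7.x line and the cleaned-up 3.0 code linked above.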