Grzegorz Maczuga created CXF-7088:

             Summary: SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted
                 Key: CXF-7088
             Project: CXF
          Issue Type: Bug
    Affects Versions: 3.0.6
            Reporter: Grzegorz Maczuga

In the WS-Policy that is used by the service we have defined


Some people say that WS-SecurityPolicy 1.2 implies that the SAML assertion that 
is inside the WS-Security section of the message's SOAP Header should also be 
encrypted (not only signed).

A message with SAML that is NOT encrypted is currently accepted by CXF even 
though the policy defines <SignedEncryptedSupportingTokens/>.

The question is: does a SAML assertion fall into the "SupportingTokens" category, 
and should it be encrypted as well?

What is your view on that? Is that a bug in Neethi?

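A check for the condition reported above, as an added example (not part of the original report and not CXF code): it flags a SOAP message whose wsse:Security header carries a SAML assertion in plaintext rather than as xenc:EncryptedData. The function names and both sample envelopes are constructed for illustration; whether the policy requires encryption is the question the report leaves open.

```python
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
SAML_TAGS = {"{urn:oasis:names:tc:SAML:1.0:assertion}Assertion",
             "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"}

def classify_security_header(envelope_xml):
    """Count plaintext SAML assertions and xenc:EncryptedData elements that
    are direct children of any wsse:Security header in the envelope."""
    # Assumption: input is a trusted capture; use a hardened XML parser
    # for messages taken straight off the wire.
    root = ET.fromstring(envelope_xml)
    counts = {"plaintext_saml": 0, "encrypted_data": 0}
    for security in root.iter("{%s}Security" % WSSE):
        for child in security:
            if child.tag in SAML_TAGS:
                counts["plaintext_saml"] += 1
            elif child.tag == "{%s}EncryptedData" % XENC:
                counts["encrypted_data"] += 1
    return counts

def has_plaintext_saml(envelope_xml):
    """True when a SAML assertion is readable in the Security header."""
    return classify_security_header(envelope_xml)["plaintext_saml"] > 0

# Constructed sample envelopes (not taken from the report).
_TEMPLATE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Header><wsse:Security xmlns:wsse="' + WSSE + '">%s'
    '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

PLAINTEXT_SAMPLE = _TEMPLATE % (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-example"/>')

ENCRYPTED_SAMPLE = _TEMPLATE % (
    '<xenc:EncryptedData xmlns:xenc="' + XENC + '" Id="ED-constructed">'
    '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedData>')

if __name__ == "__main__":
    for name, msg in (("plaintext", PLAINTEXT_SAMPLE),
                      ("encrypted", ENCRYPTED_SAMPLE)):
        print(name, classify_security_header(msg), has_plaintext_saml(msg))
```
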