[ https://issues.apache.org/jira/browse/CXF-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-6432.
------------------------------------

> Remove default empty password in SamlTokenInterceptor 
> ------------------------------------------------------
>
>                 Key: CXF-6432
>                 URL: https://issues.apache.org/jira/browse/CXF-6432
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 2.7.16
>            Reporter: Willem Salembier
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.7.17
>
>
> Our WS client needs to generate self-signed SAML assertions. Similar to the 
> generation of X.509 message signatures, we like to centralize all key data in 
> the crypto.properties file and not provide private key passwords using the 
> message context or callback handlers. (In absence of a password the Merlin 
> Crypto implementation takes the default property 
> org.apache.ws.security.crypto.merlin.keystore.private.password as key 
> password.)
> This is not possible in the 2.7.x branch because the SamlTokenInterceptor 
> puts a default empty string password, if no password was set on the message 
> context or inside the callback handler.
> {code}
> if (password == null) {
>    password = "";
> }
> {code}
> https://github.com/apache/cxf/blob/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L301
> I don't really understand the intention. Could this be removed cfr the 
> cleanup in CXF 3.0?
> https://github.com/apache/cxf/blob/5faf182264c64bd3c0abc0addc9746b64492c864/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L277
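Added example, not code from the issue or from CXF itself: a small Python model of the password resolution the report describes, showing why the 2.7.x empty-string default keeps Merlin from falling back to the keystore.private.password property while a null password lets it. The MerlinModel class, sign_assertion function, aliases, passwords and crypto.properties contents are constructed stand-ins; only the Merlin property names are the real ones.

```python
# Constructed model of the password resolution described in CXF-6432: a stand-in
# for SamlTokenInterceptor and WSS4J's Merlin Crypto, not the project's own code.
# The property names are the real Merlin ones; keystore contents are made up.
from typing import Callable, Optional

PRIVATE_PASSWORD_PROP = "org.apache.ws.security.crypto.merlin.keystore.private.password"

def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

class MerlinModel:
    """Merlin.getPrivateKey(alias, password): a null password falls back to the
    keystore.private.password property; a non-null value, "" included, is used as-is."""

    def __init__(self, props: dict, key_passwords: dict):
        self.default_private_password = props.get(PRIVATE_PASSWORD_PROP)
        self.key_passwords = key_passwords  # alias -> password guarding that key

    def get_private_key(self, alias: str, password: Optional[str]) -> Optional[str]:
        if password is None:
            password = self.default_private_password
        if password is None or self.key_passwords.get(alias) != password:
            return None  # key cannot be unlocked; WSS4J would raise here
        return f"PrivateKey[{alias}]"

def sign_assertion(crypto: MerlinModel, alias: str, context_password: Optional[str],
                   callback: Optional[Callable[[str], Optional[str]]],
                   default_empty: bool) -> Optional[str]:
    """Lookup order as in SamlTokenInterceptor: message context, then the callback
    handler. default_empty=True reproduces the 2.7.x `password = ""` line."""
    password = context_password
    if password is None and callback is not None:
        password = callback(alias)
    if password is None and default_empty:
        password = ""  # "" is not null, so Merlin never consults the property
    return crypto.get_private_key(alias, password)

CRYPTO_PROPERTIES = """
# constructed crypto.properties: the only place the key password is configured
org.apache.ws.security.crypto.merlin.keystore.password=storepw
org.apache.ws.security.crypto.merlin.keystore.private.password=keypw
"""
MERLIN = MerlinModel(parse_properties(CRYPTO_PROPERTIES), {"client": "keypw"})
```

With neither a context password nor a callback handler, only the variant without the empty-string default unlocks the key from the properties file.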



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)