[
https://issues.apache.org/jira/browse/CXF-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed CXF-6432.
------------------------------------
> Remove default empty password in SamlTokenInterceptor
> ------------------------------------------------------
>
> Key: CXF-6432
> URL: https://issues.apache.org/jira/browse/CXF-6432
> Project: CXF
> Issue Type: Improvement
> Components: WS-* Components
> Affects Versions: 2.7.16
> Reporter: Willem Salembier
> Assignee: Colm O hEigeartaigh
> Fix For: 2.7.17
>
>
> Our WS client needs to generate self-signed SAML assertions. Similar to the
> generation of X.509 message signatures, we like to centralize all key data in
> the crypto.properties file and don't provide private key passwords using the
> message context or callback handlers. (In absence of a password the Merlin
> Crypto implementation takes the default property
> org.apache.ws.security.crypto.merlin.keystore.private.password as key
> password)
> This is not possible in the 2.7.x branch because the SamlTokenInterceptor
> puts a default empty string password, if no password was set on the message
> context or inside the callback handler.
> {code}
> if (password == null) {
>     password = "";
> }
> {code}
> https://github.com/apache/cxf/blob/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L301
> I don't really understand the intention. Could this be removed, cf. the
> cleanup in CXF 3.0?
> https://github.com/apache/cxf/blob/5faf182264c64bd3c0abc0addc9746b64492c864/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java#L277
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
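The failure mode the reporter describes is easy to miss because the Crypto layer sees a password that is present but wrong, not a missing one. The following Python model is an added illustration, not CXF or WSS4J code: `MerlinLikeCrypto`, `resolve_password` and `sign_assertion` are hypothetical stand-ins that reproduce only the behaviour stated in the issue (a `null` password falls back to the `org.apache.ws.security.crypto.merlin.keystore.private.password` property; a pre-set `""` does not), with constructed keystore data.

```python
"""Model of private-key password resolution in a SAML token interceptor.

Added example (not CXF/WSS4J code). Shows why defaulting a missing password
to "" before the Crypto lookup defeats the keystore-level default password
that a Merlin-style Crypto applies only when the password is None.
"""
from typing import Callable, Dict, Optional

# Property name as given in the issue text.
MERLIN_PRIVATE_PASSWORD = (
    "org.apache.ws.security.crypto.merlin.keystore.private.password"
)


class KeyAccessError(Exception):
    """Raised when a private key cannot be unlocked."""


class MerlinLikeCrypto:
    """Hypothetical stand-in for a Merlin Crypto backed by a keystore.

    `key_passwords` maps alias -> password protecting that entry (constructed).
    """

    def __init__(self, properties: Dict[str, str], key_passwords: Dict[str, str]):
        self.properties = properties
        self.key_passwords = key_passwords

    def get_private_key(self, alias: str, password: Optional[str]) -> str:
        # Only a *missing* password triggers the crypto.properties fallback.
        if password is None:
            password = self.properties.get(MERLIN_PRIVATE_PASSWORD)
        if password is None:
            raise KeyAccessError(f"no password available for alias {alias!r}")
        if self.key_passwords.get(alias) != password:
            # "" arrives here in the 2.7.x case and is simply a wrong password.
            raise KeyAccessError(f"wrong password for alias {alias!r}")
        return f"PRIVATE-KEY[{alias}]"


def resolve_password(
    context_password: Optional[str],
    callback: Optional[Callable[[], Optional[str]]],
    default_to_empty: bool,
) -> Optional[str]:
    """Interceptor-side resolution: message context, then callback handler.

    `default_to_empty=True` models the 2.7.x branch (password = "" if null);
    False models the CXF 3.0 cleanup, which leaves None for the Crypto layer.
    """
    password = context_password
    if password is None and callback is not None:
        password = callback()
    if default_to_empty and password is None:
        password = ""
    return password


def sign_assertion(
    crypto: MerlinLikeCrypto,
    alias: str,
    context_password: Optional[str] = None,
    callback: Optional[Callable[[], Optional[str]]] = None,
    default_to_empty: bool = True,
) -> str:
    """Return the key handle that would sign the assertion (or raise)."""
    password = resolve_password(context_password, callback, default_to_empty)
    return crypto.get_private_key(alias, password)


def demo() -> Dict[str, str]:
    """Same keystore, no password in context or callback, both behaviours."""
    props = {MERLIN_PRIVATE_PASSWORD: "keystore-default-pw"}  # constructed
    crypto = MerlinLikeCrypto(props, {"client": "keystore-default-pw"})
    results = {}
    try:
        sign_assertion(crypto, "client", default_to_empty=True)
        results["2.7.x"] = "ok"
    except KeyAccessError as exc:
        results["2.7.x"] = f"fail: {exc}"
    results["fixed"] = sign_assertion(crypto, "client", default_to_empty=False)
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(f"{variant}: {outcome}")
```

Running `demo()` produces a "wrong password" failure for the 2.7.x variant and a usable key for the fixed one, which is also the troubleshooting hint: when a client that relies solely on crypto.properties reports a bad key password rather than a missing one, check whether something upstream has substituted an empty string for `null`.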