[ https://issues.apache.org/jira/browse/CXF-7088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15575527#comment-15575527 ]
Colm O hEigeartaigh commented on CXF-7088: ------------------------------------------ It looks like this is a bug in CXF. From the spec for EncryptedParts: The EncryptedParts assertion is used to specify the parts of the message that require confidentiality. This assertion can be satisfied with WSS: SOAP Message Security mechanisms or by mechanisms out of scope of SOAP message security, for example by sending the message over a secure transport protocol like HTTPS. This is the logic CXF follows. However, for the tokens it appears like the tokens themselves should be encrypted instead. > SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being > accepted > ---------------------------------------------------------------------------------- > > Key: CXF-7088 > URL: https://issues.apache.org/jira/browse/CXF-7088 > Project: CXF > Issue Type: Bug > Affects Versions: 3.0.6 > Reporter: Grzegorz Maczuga > Assignee: Colm O hEigeartaigh > Attachments: messageNoEncryption.txt, message_anonymous.txt, > policy.txt > > > In WS-Policy that is used by service we have defined > <SignedEncryptedSupportingTokens/> > Some people say that WS-SecurityPolicy 1.2 imply that also SAML assertion > that is inside WS-Security section of the message SOAP Header should be > encrypted (not only signed). > Message with SAML that is NOT encrypted is currently accepted by CXF even > while policy defines <SignedEncryptedSupportingTokens/> > Question is: does SAML assertion fall into "SupportingTokens" category and > should be encrypted as well? > What is your view on that? Is that a bug in Neethi? > See > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826566 > Signed, encrypted supporting tokens are Signed supporting tokens (See section > 8.2) that are also encrypted when they appear in the wsse:SecurityHeader. > Element Encryption SHOULD be used for encrypting the supporting tokens. > The syntax for the sp:SignedEncryptedSupportingTokens differs from the syntax > of sp:SignedSupportingTokens only in the name of the assertion itself. All > nested policy is as per the sp:SignedSupportingTokens assertion. -- This message was sent by Atlassian JIRA (v6.3.4#6332)