[ https://issues.apache.org/jira/browse/RAMPART-302?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski resolved RAMPART-302.
-------------------------------------
Resolution: Fixed

Fixed in 2.0.0 as part of the OpenSAML 5.x / WSS4J 4.x migration (RAMPART-454).

The original code extracted the proof key from a SAML token assuming the assertion contained only an AttributeStatement or AuthenticationStatement. That logic has been removed. Proof-key/KeyInfo extraction now works as follows:

- SAML 1.1: SAML1AssertionHandler.getAssertionKeyInfoSecret() delegates to WSS4J's org.apache.wss4j.common.saml.SAMLUtil.getCredentialFromSubject(Assertion, ...), which iterates all statements and obtains the Subject from AttributeStatement, AuthenticationStatement and AuthorizationDecisionStatement alike (all SAML 1.1 subject-bearing statement types), so it no longer depends on which statement type carries the subject.
- SAML 2.0: the subject is read from Assertion.getSubject() at the assertion level (SAML2Utils.getSAML2KeyInfo), where SAML 2.0 places it, so the statement-type assumption does not apply.

No Rampart code remains that derives the key from an assumed statement type. Verified against the current source; the rampart-trust SAML token tests pass under a full 'mvn verify -Papache-release' on OpenJDK 17/21/25.
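As an added illustration (not Rampart or WSS4J code), the two SAML 1.1 extraction strategies described in the resolution above, side by side against the OpenSAML 5 SAML 1.1 object model: the original statement-type check, which yields no KeyInfo when the subject is carried by an AuthorizationDecisionStatement, and the generalized walk over every SubjectStatement. The class and method names are assumptions for this example.

```java
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.AttributeStatement;
import org.opensaml.saml.saml1.core.AuthenticationStatement;
import org.opensaml.saml.saml1.core.Statement;
import org.opensaml.saml.saml1.core.Subject;
import org.opensaml.saml.saml1.core.SubjectConfirmation;
import org.opensaml.saml.saml1.core.SubjectStatement;
import org.opensaml.xmlsec.signature.KeyInfo;

/** Illustration of the RAMPART-302 fix; class and method names are hypothetical. */
public final class Saml1KeyInfoExtraction {

    /** Pre-fix logic: only two statement types are consulted, so an assertion whose
     *  subject is carried by an AuthorizationDecisionStatement yields no KeyInfo. */
    static KeyInfo keyInfoAssumingStatementType(Assertion assertion) {
        for (Statement s : assertion.getStatements()) {
            if (s instanceof AttributeStatement) {
                return keyInfoOf(((AttributeStatement) s).getSubject());
            }
            if (s instanceof AuthenticationStatement) {
                return keyInfoOf(((AuthenticationStatement) s).getSubject());
            }
        }
        return null;
    }

    /** Post-fix logic: every SAML 1.1 subject-bearing statement type implements
     *  SubjectStatement, so iterating over that interface covers all three types
     *  without depending on which one carries the subject. */
    static KeyInfo keyInfoFromAnySubjectStatement(Assertion assertion) {
        for (Statement s : assertion.getStatements()) {
            if (s instanceof SubjectStatement) {
                KeyInfo ki = keyInfoOf(((SubjectStatement) s).getSubject());
                if (ki != null) {
                    return ki;
                }
            }
        }
        return null;
    }

    /** Holder-of-key proof material lives under Subject/SubjectConfirmation/KeyInfo. */
    private static KeyInfo keyInfoOf(Subject subject) {
        if (subject == null) {
            return null;
        }
        SubjectConfirmation sc = subject.getSubjectConfirmation();
        return sc == null ? null : sc.getKeyInfo();
    }
}
```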
> KeyInfo is extracted from a SAML token assuming that only an authentication statement or an attribute statement can be present in SAML token
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RAMPART-302
> URL: https://issues.apache.org/jira/browse/RAMPART-302
> Project: Rampart
> Issue Type: Bug
> Components: rampart-trust
> Affects Versions: 1.4
> Reporter: Thilina Mahesh Buddhika
> Assignee: Robert Lazarski
> Priority: Major
> Fix For: 2.0.0
>
>
> WS Trust implementation assumes that only an attribute statement or authentication statement can be present in a SAML token. It extracts the key information from a SAML token based on this assumption.
--
This message was sent by Atlassian Jira (v8.20.10#820010)