[ https://issues.apache.org/jira/browse/RAMPART-252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski resolved RAMPART-252.
-------------------------------------
Resolution: Fixed
Fixed in 2.0.0 (this implements the algorithm-validation part, which supersedes RAMPART-44).

Rampart did not verify that the algorithms used in an incoming message matched the policy's algorithm suite, so a peer could downgrade to weaker signature, digest, canonicalization, encryption or key-wrap algorithms and the message would still be accepted.

RampartEngine now builds a WSS4J AlgorithmSuite from the policy's AlgorithmSuite and sets it on the RequestData, so WSS4J rejects a message whose algorithms are not those the policy mandates. Only the policy-defined algorithm categories are constrained and the key-length bounds keep WSS4J's defaults, so legitimate messages are unaffected - verified across the Basic128/Basic256/TripleDes-RSA15, SAML and SecureConversation integration scenarios and the nine policy samples on OpenJDK 17/21/25.

The remaining part of this issue (SAML issued-token referencelist processing) depended on WSS4J WSS-206, which was never applied upstream, and is not addressed here.
> The way referencelist processing of SAML issued tokens doesn't work properly
> and algorithm validation required in PolicyBasedResultsValidator
> --------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RAMPART-252
> URL: https://issues.apache.org/jira/browse/RAMPART-252
> Project: Rampart
> Issue Type: Bug
> Reporter: Prabath Siriwardena
> Assignee: Robert Lazarski
> Priority: Major
> Labels: Patch
> Fix For: 2.0.0
>
> Attachments: patch-RAMPART-trunk.patch
>
>
> $summary.
> Related JIRA on WSS4J: WSS-206
> Thanks & regards.
> -Prabath
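The mechanism the resolution comment describes (deriving a WSS4J AlgorithmSuite from the policy's AlgorithmSuite and setting it on the RequestData), shown as an added example that is not Rampart's own code. It assumes the policy getters of Rampart's org.apache.ws.secpolicy.model.AlgorithmSuite (getAsymmetricSignature(), getDigest(), getInclusiveC14n(), etc.) and WSS4J 2.x's org.apache.wss4j.common.crypto.AlgorithmSuite, RequestData.setAlgorithmSuite() and AlgorithmSuiteValidator.

```java
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.AlgorithmSuiteValidator;

/** Added example: constrain WSS4J to the algorithms the WS-SecurityPolicy suite mandates. */
public final class PolicyAlgorithmSuiteMapper {

    private PolicyAlgorithmSuiteMapper() {}

    // Build the WSS4J suite from the policy model (getter names assumed from Rampart's secpolicy model).
    // Categories left empty stay unconstrained in WSS4J, and key-length bounds keep WSS4J's defaults.
    public static AlgorithmSuite fromPolicy(org.apache.ws.secpolicy.model.AlgorithmSuite policy) {
        AlgorithmSuite suite = new AlgorithmSuite();
        if (policy.getAsymmetricSignature() != null) suite.addSignatureMethod(policy.getAsymmetricSignature());
        if (policy.getSymmetricSignature() != null) suite.addSignatureMethod(policy.getSymmetricSignature());
        if (policy.getDigest() != null) suite.addDigestAlgorithm(policy.getDigest());
        if (policy.getInclusiveC14n() != null) {
            suite.addC14nAlgorithm(policy.getInclusiveC14n());
            suite.addTransformAlgorithm(policy.getInclusiveC14n());
        }
        if (policy.getEncryption() != null) suite.addEncryptionMethod(policy.getEncryption());
        if (policy.getAsymmetricKeyWrap() != null) suite.addKeyWrapAlgorithm(policy.getAsymmetricKeyWrap());
        if (policy.getSymmetricKeyWrap() != null) suite.addKeyWrapAlgorithm(policy.getSymmetricKeyWrap());
        return suite;
    }

    // Attach the suite to the RequestData so every WSS4J processor checks incoming algorithms against it.
    public static void apply(RequestData reqData, org.apache.ws.secpolicy.model.AlgorithmSuite policy) {
        reqData.setAlgorithmSuite(fromPolicy(policy));
    }

    // Defender's check: would WSS4J accept this signature method under the policy's suite?
    // A downgraded method (e.g. one that is not the policy's rsa-sha1) makes the validator throw.
    public static boolean signatureMethodAllowed(AlgorithmSuite suite, String signatureMethodUri) {
        try {
            new AlgorithmSuiteValidator(suite).checkSignatureMethod(signatureMethodUri);
            return true;
        } catch (WSSecurityException rejected) {
            return false;
        }
    }
}
```

Calling apply() before the WSS4J security header is processed is what turns the policy's suite into a hard rejection rather than a post-hoc result check.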
--
This message was sent by Atlassian Jira
(v8.20.10#820010)