Receiving SAML sender-vouches generates WSSecurityException
-----------------------------------------------------------
Key: RAMPART-112
URL: https://issues.apache.org/jira/browse/RAMPART-112
Project: Rampart
Issue Type: Bug
Components: rampart-core
Affects Versions: 1.3
Reporter: Steve LeGault
Post processing of SAML WSSecurityEngineResults assumes that the SAML Assertion
is "holder-of-keys". The following code in RampartEngine.java should be
bypassed in the case of "sender-vouches":
    String id = assertion.getId();
    Date created = assertion.getNotBefore();
    Date expires = assertion.getNotOnOrAfter();
    // Assumes a holder-of-key subject; a sender-vouches subject carries no key to extract
    SAMLKeyInfo samlKi = SAMLUtil.getSAMLKeyInfo(assertion,
            signatureCrypto, tokenCallbackHandler);
    try {
        TokenStorage store = rmd.getTokenStorage();
        if (store.getToken(id) == null) {
            Token token = new Token(id,
                    (OMElement) assertion.toDOM(), created, expires);
            // Fails for sender-vouches: there is no secret to attach to the token
            token.setSecret(samlKi.getSecret());
            store.add(token);
        }
    } catch (Exception e) {
        throw new RampartException(
                "errorInAddingTokenIntoStore", e);
    }
Generating a "sender-vouches" with Axis2 causes an exception here (also because
of WSS4J issue WSS-90) if the same message is sent into Axis2.
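As an added example (not Rampart's code and not the reporter's), a small Python checker over constructed, unsigned SAML 1.1 assertions that applies the gate the report asks for: the id and validity window are read for every assertion, but key material is extracted and a token cached only when the subject confirmation method is holder-of-key, so a sender-vouches assertion skips the token-store step instead of failing. The token store is a plain dict standing in for Rampart's TokenStorage; the assertion builder and its key name are constructed demo values.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML1_NS, "ds": DS_NS}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

def confirmation_methods(root):
    """Every ConfirmationMethod URI under the assertion's SubjectConfirmation elements."""
    path = ".//saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod"
    return [e.text.strip() for e in root.iterfind(path, NS) if e.text]

def process_assertion(xml_text, token_store):
    """Post-process a received assertion as the report asks: read id and validity
    window for any assertion, but extract key material and cache a token only when
    the subject confirmation method is holder-of-key. token_store is a stand-in dict."""
    root = ET.fromstring(xml_text)
    aid = root.get("AssertionID")
    conds = root.find("saml:Conditions", NS)
    created = conds.get("NotBefore") if conds is not None else None
    expires = conds.get("NotOnOrAfter") if conds is not None else None
    methods = confirmation_methods(root)
    if HOLDER_OF_KEY not in methods:
        # sender-vouches (or bearer): the subject carries no key, so skip the store
        return {"id": aid, "methods": methods, "cached": False}
    key_info = root.find(".//saml:SubjectConfirmation/ds:KeyInfo", NS)
    if key_info is None:
        raise ValueError("holder-of-key assertion %s carries no ds:KeyInfo" % aid)
    if aid not in token_store:  # same add-once rule as the store.getToken(id) check
        token_store[aid] = {"created": created, "expires": expires,
                            "key_info": ET.tostring(key_info, encoding="unicode")}
    return {"id": aid, "methods": methods, "cached": True}

def make_assertion(aid, method, key_info=""):
    """Constructed, unsigned SAML 1.1 assertion for the demo; not a real token."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML1_NS}" xmlns:ds="{DS_NS}" '
        f'AssertionID="{aid}" MajorVersion="1" MinorVersion="1">'
        '<saml:Conditions NotBefore="2008-01-01T00:00:00Z" NotOnOrAfter="2008-01-01T00:05:00Z"/>'
        '<saml:AuthenticationStatement><saml:Subject>'
        '<saml:NameIdentifier>alice</saml:NameIdentifier><saml:SubjectConfirmation>'
        f'<saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>{key_info}'
        '</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>'
        '</saml:Assertion>')

DEMO_KEY_INFO = "<ds:KeyInfo><ds:KeyName>constructed-demo-key</ds:KeyName></ds:KeyInfo>"
SV_XML = make_assertion("_sv-1", SENDER_VOUCHES)          # the sender-vouches case
HOK_XML = make_assertion("_hok-1", HOLDER_OF_KEY, DEMO_KEY_INFO)
```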