Hi Dan, So the Subject of the SAML Assertion has a KeyInfo that contains a SecurityTokenReference as a child element? I haven't come across this, but if that's what a .NET STS is producing then it's something we'd want to be able to process correctly. Could you create a new JIRA here + add the SAML Assertion that's causing the problem, and I'll take it from there?
https://issues.apache.org/jira/browse/WSS

Colm.

On Tue, Jun 12, 2012 at 9:43 PM, DTaylor <[email protected]> wrote:

> Good day all,
>
> I understand this is more of a WSS4J question, however I was unable to find
> the WSS4J users list and it occurs when trying to do .NET and Java interop
> using CXF.
>
> Our setup is a .NET client to a .NET STS to a Java Service.
>
> Things are going well, until we receive the token in the CXF framework at
> the service point.
> By debugging down through the code, we hit the WSS4J
> SAMLUtil.getCredentialFromKeyInfo method.
>
> keyInfoElement.getFirstChild() returns the SecurityTokenReference element,
> which has as its first child an X509Data element.
>
> The first loop correctly determines that no EncryptedKey or BinarySecret is
> present. The second loop determines the first child of keyInfo is not an
> X509Data or PublicKey; however, the SecurityTokenReference, which is the
> element being inspected, contains the X509Data.
>
> From *WSS X.509 Certificate Token Profile, section 3.2*:
>
> In order to ensure a consistent processing model across all the token types
> supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference>
> element SHALL be used to specify all references to X.509 token types in
> signature or encryption elements that comply with this profile.
>
> Is this a bug in WSS4J? Or have we misconfigured something? If it is a bug,
> am I better off submitting the bug or creating a patch and test to submit to
> WSS4J?
>
> Thanks,
>
> Dan.
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Issue-with-SecurityReferenceToken-handling-tp5709621.html
> Sent from the cxf-user mailing list archive at Nabble.com.

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
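To make the difference Dan describes concrete, here is an added illustration using plain JDK DOM; it is not WSS4J or CXF code and does not reproduce SAMLUtil.getCredentialFromKeyInfo. Both ds:KeyInfo fragments are constructed, with dummy issuer and serial values; the namespace URIs are the standard XML-DSig and WS-Security 1.0 secext ones. findX509DataDirect scans only the direct children of KeyInfo, which finds nothing for the STR-wrapped form; findX509DataViaStr also descends into a wsse:SecurityTokenReference child and locates the ds:X509Data it carries.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/**
 * Added illustration (plain JDK DOM, not WSS4J code): locating ds:X509Data
 * under a ds:KeyInfo with and without descending into a
 * wsse:SecurityTokenReference wrapper.
 */
public class KeyInfoStrWalk {

    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample: the shape reported from the .NET STS, X509Data
    // wrapped in a SecurityTokenReference. Issuer and serial are dummies.
    static final String STR_WRAPPED =
        "<ds:KeyInfo xmlns:ds='" + DS + "' xmlns:wsse='" + WSSE + "'>"
      + "  <wsse:SecurityTokenReference>"
      + "    <ds:X509Data>"
      + "      <ds:X509IssuerSerial>"
      + "        <ds:X509IssuerName>CN=Example STS</ds:X509IssuerName>"
      + "        <ds:X509SerialNumber>1234</ds:X509SerialNumber>"
      + "      </ds:X509IssuerSerial>"
      + "    </ds:X509Data>"
      + "  </wsse:SecurityTokenReference>"
      + "</ds:KeyInfo>";

    // Constructed sample: X509Data directly under KeyInfo.
    static final String DIRECT =
        "<ds:KeyInfo xmlns:ds='" + DS + "'>"
      + "  <ds:X509Data>"
      + "    <ds:X509IssuerSerial>"
      + "      <ds:X509IssuerName>CN=Example STS</ds:X509IssuerName>"
      + "      <ds:X509SerialNumber>1234</ds:X509SerialNumber>"
      + "    </ds:X509IssuerSerial>"
      + "  </ds:X509Data>"
      + "</ds:KeyInfo>";

    static boolean is(Node n, String ns, String local) {
        return n.getNodeType() == Node.ELEMENT_NODE
            && ns.equals(n.getNamespaceURI())
            && local.equals(n.getLocalName());
    }

    /** Scans only the direct children of the given element for ds:X509Data. */
    static Element findX509DataDirect(Element parent) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (is(n, DS, "X509Data")) {
                return (Element) n;
            }
        }
        return null;
    }

    /** Same scan, but a wsse:SecurityTokenReference child is searched too. */
    static Element findX509DataViaStr(Element keyInfo) {
        for (Node n = keyInfo.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (is(n, DS, "X509Data")) {
                return (Element) n;
            }
            if (is(n, WSSE, "SecurityTokenReference")) {
                Element inner = findX509DataDirect((Element) n);
                if (inner != null) {
                    return inner;
                }
            }
        }
        return null;
    }

    static Element parseKeyInfo(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Token material comes from a remote party: refuse DOCTYPEs so no
        // external entities or entity expansion can be smuggled in.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement();
    }

    static String describe(Element x509Data) {
        if (x509Data == null) {
            return "no X509Data found";
        }
        Node serial = x509Data.getElementsByTagNameNS(DS, "X509SerialNumber").item(0);
        return "X509Data found, serial "
            + (serial == null ? "?" : serial.getTextContent().trim());
    }

    public static void main(String[] args) throws Exception {
        Element wrapped = parseKeyInfo(STR_WRAPPED);
        Element direct = parseKeyInfo(DIRECT);
        System.out.println("direct scan, direct form : " + describe(findX509DataDirect(direct)));
        System.out.println("direct scan, STR form    : " + describe(findX509DataDirect(wrapped)));
        System.out.println("STR-aware scan, STR form : " + describe(findX509DataViaStr(wrapped)));
    }
}
```

Compile and run with `javac KeyInfoStrWalk.java && java KeyInfoStrWalk`. Unwrapping the STR only changes how the reference is found; whichever path locates the ds:X509Data, the certificate it identifies still has to be resolved against the service's trust store before the subject's key is accepted, exactly as for the direct form.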
