Hi,

I've found a problem with WS-Policy in CXF, where it can't process a SAML
Token with the Sender Vouches confirmation method when using PublicKey
KeyType in WS-Policy.

The problem surfaces in:
org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator.checkIssuedTokenTemplate(Element, AssertionWrapper)

When it is checking the KeyType and it matches "PublicKey", it looks up
the assertion subjectKeyInfo; however, that is only set for the Holder of
Key scenario, as seen here:
org.apache.ws.security.saml.ext.AssertionWrapper.parseHOKSubject(RequestData, WSDocInfo)

So, potentially the solution in checkIssuedTokenTemplate could be to only
check the subjectKeyInfo for PublicKey when the confirmation method is
Holder of Key, ie:

    else if (content.endsWith("PublicKey") && OpenSAMLUtil.isMethodHolderOfKey(confirmMethod))

Unless there is some check that needs to be done in the Sender Vouches
scenario?

I have attached the WS-Policy
<http://cxf.547215.n5.nabble.com/file/n5739904/DoubleItAsymmetricIssuedTokenPolicy.xml>
I am using.

Thanks,

Joel



--
View this message in context: 
http://cxf.547215.n5.nabble.com/CXF-Service-can-t-process-PublicKey-SAML-Sender-Vouches-IssuedToken-in-WS-Policy-tp5739904.html
Sent from the cxf-user mailing list archive at Nabble.com.