Hi Joel,

CXF 2.7.x does not support processing a SAML sender-vouches Assertion as part of an IssuedToken policy. However, this is currently supported on CXF trunk if you want to try with CXF 3.0.0-SNAPSHOT. I don't want to backport any of the changes for fear of breaking backwards compatibility for other scenarios.
Colm.

On Thu, Feb 13, 2014 at 2:28 AM, bimjoeipa <[email protected]> wrote:
> Hi,
>
> I've found a problem with WS-Policy in CXF, where it can't process a SAML
> Token with the Sender Vouches confirmation method when using PublicKey
> KeyType in WS-Policy.
>
> The problem surfaces in:
>
> org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator.checkIssuedTokenTemplate(Element, AssertionWrapper)
>
> When it is checking the KeyType and it matches "PublicKey", it
> looks up the assertion subjectKeyInfo; however, that is only set for the
> Holder of Key scenario, as seen here:
>
> org.apache.ws.security.saml.ext.AssertionWrapper.parseHOKSubject(RequestData, WSDocInfo)
>
> So, potentially the solution in checkIssuedTokenTemplate could be to only
> check the subjectKeyInfo for PublicKey when the confirmation method is
> Holder of Key, i.e.:
>
>     else if (content.endsWith("PublicKey") &&
>              OpenSAMLUtil.isMethodHolderOfKey(confirmMethod))
>
> Unless there is some check that needs to be done in the Sender
> Vouches scenario?
>
> I have attached the WS-Policy
> <http://cxf.547215.n5.nabble.com/file/n5739904/DoubleItAsymmetricIssuedTokenPolicy.xml>
> I am using.
>
> Thanks,
>
> Joel
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-Service-can-t-process-PublicKey-SAML-Sender-Vouches-IssuedToken-in-WS-Policy-tp5739904.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
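The exchange above turns on one check: the IssuedToken policy template says KeyType=PublicKey, the validator then expects key material in the assertion's SubjectConfirmation, and a sender-vouches assertion carries none, so the check fails. The following is an added, self-contained illustration of that logic and of the variant Joel proposes; it is not CXF's or WSS4J's code, and the class, method names and the constructed template/assertion XML in it are assumptions made for the example. Only the namespace and confirmation-method URIs are the real ones. Note the caveat this makes visible: with sender-vouches there is no subject key for the PublicKey KeyType to bind to, so whatever trust the service places in the assertion rests on the signature over the assertion and the message, not on proof of possession by the subject.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical, stand-alone model of the KeyType check discussed in the thread (not CXF code). */
public class IssuedTokenKeyTypeCheck {
    // Real namespace and confirmation-method URIs.
    static final String WST_NS   = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DS_NS    = "http://www.w3.org/2000/09/xmldsig#";
    static final String CM_HOK   = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
    static final String CM_SV    = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";

    /** The two facts about the assertion subject that the check consults. */
    static final class SubjectInfo {
        final String confirmMethod;
        final boolean hasSubjectKeyInfo;
        SubjectInfo(String m, boolean k) { confirmMethod = m; hasSubjectKeyInfo = k; }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Inbound tokens are untrusted XML: refuse DOCTYPEs to rule out entity expansion/XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Mirrors the behaviour Joel describes: subject key info is only collected for holder-of-key. */
    static SubjectInfo readSubject(Document assertion) {
        Element conf = (Element) assertion
            .getElementsByTagNameNS(SAML2_NS, "SubjectConfirmation").item(0);
        String method = conf.getAttribute("Method");
        boolean keyInfo = CM_HOK.equals(method)
            && conf.getElementsByTagNameNS(DS_NS, "KeyInfo").getLength() > 0;
        return new SubjectInfo(method, keyInfo);
    }

    static String readKeyType(Document template) {
        NodeList kt = template.getElementsByTagNameNS(WST_NS, "KeyType");
        return kt.getLength() == 0 ? null : kt.item(0).getTextContent().trim();
    }

    /** Behaviour as reported: PublicKey in the template always demands subject key info. */
    static boolean checkOriginal(String keyType, SubjectInfo s) {
        if (keyType != null && keyType.endsWith("PublicKey")) {
            return s.hasSubjectKeyInfo;   // always false for sender-vouches, so it is rejected
        }
        return true;                      // other KeyTypes are not modelled here (simplification)
    }

    /** Joel's proposed variant: only demand key info when the assertion is holder-of-key. */
    static boolean checkProposed(String keyType, SubjectInfo s) {
        if (keyType != null && keyType.endsWith("PublicKey") && CM_HOK.equals(s.confirmMethod)) {
            return s.hasSubjectKeyInfo;
        }
        return true;                      // sender-vouches passes; no key binding is possible for it
    }

    /** Constructed sample assertion (not the thread's attachment). */
    static String assertionXml(String method, boolean withKeyInfo) {
        String keyInfo = withKeyInfo
            ? "<saml2:SubjectConfirmationData><ds:KeyInfo xmlns:ds=\"" + DS_NS + "\">"
              + "<ds:KeyName>alice</ds:KeyName></ds:KeyInfo></saml2:SubjectConfirmationData>"
            : "";
        return "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\"><saml2:Subject>"
            + "<saml2:NameID>alice</saml2:NameID>"
            + "<saml2:SubjectConfirmation Method=\"" + method + "\">" + keyInfo
            + "</saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed policy template fragment with KeyType=PublicKey.
        String template = "<wst:RequestSecurityTokenTemplate xmlns:wst=\"" + WST_NS + "\">"
            + "<wst:KeyType>" + WST_NS + "/PublicKey</wst:KeyType>"
            + "</wst:RequestSecurityTokenTemplate>";
        String keyType = readKeyType(parse(template));
        SubjectInfo hok = readSubject(parse(assertionXml(CM_HOK, true)));
        SubjectInfo sv  = readSubject(parse(assertionXml(CM_SV, false)));

        System.out.println("original, holder-of-key : " + checkOriginal(keyType, hok)); // true
        System.out.println("original, sender-vouches: " + checkOriginal(keyType, sv));  // false
        System.out.println("proposed, holder-of-key : " + checkProposed(keyType, hok)); // true
        System.out.println("proposed, sender-vouches: " + checkProposed(keyType, sv));  // true
    }
}
```

Run it with `javac IssuedTokenKeyTypeCheck.java && java IssuedTokenKeyTypeCheck`; the second line is the failure from the report, the fourth is what the proposed condition changes. A holder-of-key assertion that claims the method but omits KeyInfo still fails under both variants, which is the property worth keeping whatever else the real validator does.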
