[
https://issues.apache.org/jira/browse/WSS-90?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12694953#action_12694953
]
Colm O hEigeartaigh commented on WSS-90:
----------------------------------------
The above code is for processing holder-of-key assertions, where the spec
mandates that a KeyInfo element is required for SubjectConfirmation, so marking
this as in-valid.
> SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation
> element doesn't have KeyInfo child
> ----------------------------------------------------------------------------------------------------------
>
> Key: WSS-90
> URL: https://issues.apache.org/jira/browse/WSS-90
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.6
> Environment: Windows XP, Axis2 1.3, WSS4J 1.5.3,
> Reporter: Murali Gunasekaran
> Assignee: Ruchith Udayanga Fernando
> Priority: Critical
> Fix For: 1.5.7, 1.6
>
>
> The SAML Core 1.1 specification mentions that the <ds:KeyInfo> element is
> optional under the <SubjectConfirmation> element (under <Subject>).
> The following call fails when the incoming SAML assertion contains a
> <subjectconfirmation> element without a KeyInfo child element:
> Element e = samlSubj.getKeyInfo(); [ Line 122]
> X509Certificate[] certs = null;
> try {
> KeyInfo ki = new KeyInfo(e, null);
> The constructor KeyInfo(e, null) fails and throws a XMLSecurityException when
> e is null (which is true when samlSubj.getKeyInfo() returns null)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscr...@ws.apache.org
For additional commands, e-mail: wss4j-dev-h...@ws.apache.org
