[ https://issues.apache.org/jira/browse/WSS-443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13662891#comment-13662891 ]

Colm O hEigeartaigh commented on WSS-443:
-----------------------------------------

Hi Marc,

The spec also says (8.3):

"If transport security is used, the signature (Sig2) MUST cover the message 
timestamp as illustrated"

So in this case, the key associated with the Subject of the SAML Token is used 
to sign the message Timestamp.

Colm.
                
> Treat tokens received over TLS as "encrypted"
> ---------------------------------------------
>
>                 Key: WSS-443
>                 URL: https://issues.apache.org/jira/browse/WSS-443
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>             Fix For: 2.0
>
>
> The streaming WS-Security code treats a UsernameToken received over TLS as a 
> SignedSupportingToken. However, it doesn't treat it in the same way for 
> encryption.
> In other words, a UsernameToken received over TLS should satisfy a 
> SignedEncryptedSupportingToken requirement.
> Clarification: This seems to work when the policy is that of 
> EncryptedSupportingToken, but not that of a SignedEncryptedSupportingToken.
