I have a working service configured in CXF that sends an outgoing signed
SAML token. While configuring a client interceptor (WSS4JInInterceptor in
CXF) I was getting some exceptions. I noticed that the interceptor calls
checkReceiverResults() in WSHandler.java and my actions were not matching
the wsResults in the vector. After further digging I found that in
SAMLTokenProcessor handleToken() the vector wsResults is added with
returnResults.add(
0,
new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, assertion)
);
Is there a reason why WSConstants.ST_SIGNED is not also used?
I ask because when I configured the client I used the corresponding action
WSHandlerConstants.SAML_TOKEN_SIGNED but this does not work and I had to
change it to WSHandlerConstants.SAML_TOKEN_UNSIGNED. The CXF interceptor
has an ignore-actions flag which bypasses this check. Is it a WS-Security
specification violation not to check these results?
thanks
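For readers who want to reproduce the mismatch the question describes, here is an added example (not code from the original post, CXF or WSS4J) that builds the client-side WSS4JInInterceptor two ways: with SAML_TOKEN_SIGNED, which the poster reports failing in checkReceiverResults(), and with SAML_TOKEN_UNSIGNED, which matches the ST_UNSIGNED result that SAMLTokenProcessor puts in the result vector. The HelloService port type, the property file name and the setIgnoreActions(...) call are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

public class SamlClientConfig {

    /**
     * Builds an inbound WSS4J interceptor whose configured action must match
     * the WSSecurityEngineResult actions produced while processing the
     * incoming header, otherwise WSHandler.checkReceiverResults() rejects
     * the message.
     */
    static WSS4JInInterceptor inbound(String action, boolean ignoreActions) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, action);
        // Assumed property file name: keystore settings used to verify the
        // signature on the assertion.
        props.put(WSHandlerConstants.SIG_PROP_FILE, "client-crypto.properties");

        WSS4JInInterceptor in = new WSS4JInInterceptor(props);
        // Assumption: CXF exposes the "ignore actions" switch the question
        // mentions as a setter. When true, the action/result comparison in
        // checkReceiverResults() is skipped entirely.
        in.setIgnoreActions(ignoreActions);
        return in;
    }

    public static void main(String[] args) {
        HelloService port = new HelloServiceFactory().getPort(); // assumed proxy
        Client client = ClientProxy.getClient(port);

        // Fails as described in the question: SAMLTokenProcessor records
        // WSConstants.ST_UNSIGNED, so the expected ST_SIGNED action is never
        // found in the result vector and checkReceiverResults() returns false.
        // client.getInInterceptors().add(
        //     inbound(WSHandlerConstants.SAML_TOKEN_SIGNED, false));

        // Works: the configured action matches the ST_UNSIGNED result, even
        // though the assertion on the wire is actually signed.
        client.getInInterceptors().add(
            inbound(WSHandlerConstants.SAML_TOKEN_UNSIGNED, false));

        // Alternative the question mentions: keep SAML_TOKEN_SIGNED but
        // disable the check. Note that this also stops the interceptor from
        // rejecting a message that carries fewer security operations than
        // the client was configured to require.
        // client.getInInterceptors().add(
        //     inbound(WSHandlerConstants.SAML_TOKEN_SIGNED, true));

        port.sayHello("world");
    }
}
```

The second and third variants both accept the message; the difference is that with the action check disabled, the client no longer verifies that every security operation it expected was actually present in the response header.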