[ https://issues.apache.org/jira/browse/WSS-238?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Glen Mazza updated WSS-238:
---------------------------

    Attachment: EncryptedDataPatch.txt

Patch file.

> Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-238
>                 URL: https://issues.apache.org/jira/browse/WSS-238
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.5.9
>            Reporter: Glen Mazza
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: EncryptedDataPatch.txt
>
>
> Per CXF bug CXF-2894: http://tinyurl.com/23jx6cx
>
> Within the soap:body/EncryptedData/SecurityTokenReference element, Glassfish
> Metro is requiring wsse:KeyIdentifiers instead of wsse:Reference elements
> when referring to SAML Assertions. Metro appears correct because the SAML
> Token Profile does not define usage of wsse:Reference for SAML Assertions,
> only KeyIdentifier or EmbeddedReference. (Section 3.3 of SAML Token Profile
> of 1 Dec. 2004 PDF, lines 250-272.)
>
> The attached patch will switch SecurityTokenReference from wsse:Reference to
> wsse:KeyIdentifier when handling SAML Assertions. I've confirmed Metro web
> service providers will now work with this patch. However, backwards
> compatibility issues with systems expecting the current wsse:Reference may
> need to be taken into account.
>
> WSS4J has another problem with not being able to decrypt SOAP responses that
> use wsse:KeyIdentifier instead of wsse:Reference for SAML Assertions.
> Namely, org.apache.ws.security.processor.ReferenceListProcessor's
> getKeyFromSecurityTokenReference() method will need changing to be able to
> work with SAML Assertions coming from a wsse:KeyIdentifier element instead of
> wsse:Reference. I was not immediately successful in getting this second part
> to work because I could not see how a SAMLTokenProcessor can be initialized
> from a KeyIdentifier instead of the Reference element within this method.
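The script below is an added illustration of the two SecurityTokenReference shapes the issue contrasts; it is not part of this issue, of WSS4J, or of the attached EncryptedDataPatch.txt (which is not reproduced here). It parses a SOAP body, reports whether each STR under xenc:EncryptedData/ds:KeyInfo uses wsse:Reference or wsse:KeyIdentifier, and rewrites a wsse:Reference that points at a SAML assertion id into the KeyIdentifier form with the SAMLAssertionID ValueType. The sample body, the assertion id SAML-EXAMPLE-ASSERTION-1 and the cipher text are constructed; the function names are hypothetical; the namespace URIs, the xmlenc algorithm URI and the SAMLAssertionID ValueType are the ones defined by WS-Security 1.0, XML Encryption and the SAML Token Profile 1.0.

```python
"""Added example (not WSS4J code): inspect and rewrite the SecurityTokenReference
inside xenc:EncryptedData so a SAML assertion is referenced by wsse:KeyIdentifier
(the SAML Token Profile form) instead of wsse:Reference."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# ValueType the SAML Token Profile 1.0 assigns to a KeyIdentifier that carries
# a SAML 1.x AssertionID.
SAML_ASSERTION_ID = ("http://docs.oasis-open.org/wss/"
                     "oasis-wss-saml-token-profile-1.0#SAMLAssertionID")

# Constructed sample body: the pre-patch shape, an STR holding a wsse:Reference
# to a SAML assertion. Assertion id and CipherValue are placeholders.
BODY_WITH_REFERENCE = """\
<soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
           xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <xenc:EncryptedData Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#SAML-EXAMPLE-ASSERTION-1"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</soap:Body>
"""


def _strs_under_encrypted_data(root):
    """Yield every SecurityTokenReference found at EncryptedData/KeyInfo."""
    for enc in root.iter("{%s}EncryptedData" % NS["xenc"]):
        for str_el in enc.iterfind("ds:KeyInfo/wsse:SecurityTokenReference", NS):
            yield str_el


def describe_strs(body_xml):
    """Return one (form, detail) tuple per STR: ("KeyIdentifier", ValueType),
    ("Reference", URI) or ("Other", None)."""
    result = []
    for str_el in _strs_under_encrypted_data(ET.fromstring(body_xml)):
        kid = str_el.find("wsse:KeyIdentifier", NS)
        ref = str_el.find("wsse:Reference", NS)
        if kid is not None:
            result.append(("KeyIdentifier", kid.get("ValueType")))
        elif ref is not None:
            result.append(("Reference", ref.get("URI")))
        else:
            result.append(("Other", None))
    return result


def switch_reference_to_key_identifier(body_xml, assertion_id):
    """Replace wsse:Reference URI="#<assertion_id>" with a wsse:KeyIdentifier
    carrying the SAMLAssertionID ValueType. Returns (new_xml, number_changed)."""
    root = ET.fromstring(body_xml)
    changed = 0
    # Materialize the list first so mutating the tree cannot disturb iteration.
    for str_el in list(_strs_under_encrypted_data(root)):
        ref = str_el.find("wsse:Reference", NS)
        if ref is None or ref.get("URI") != "#" + assertion_id:
            continue
        str_el.remove(ref)
        kid = ET.SubElement(str_el, "{%s}KeyIdentifier" % NS["wsse"])
        kid.set("ValueType", SAML_ASSERTION_ID)
        kid.text = assertion_id          # KeyIdentifier content is the bare id, no '#'
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print(describe_strs(BODY_WITH_REFERENCE))
    fixed, n = switch_reference_to_key_identifier(BODY_WITH_REFERENCE,
                                                  "SAML-EXAMPLE-ASSERTION-1")
    print(n, describe_strs(fixed))
    print(fixed)
```

Running it against the constructed body reports one ("Reference", "#SAML-EXAMPLE-ASSERTION-1") STR, and after the rewrite one ("KeyIdentifier", SAMLAssertionID) STR whose text is the assertion id without the leading "#". The second-stage problem the issue describes, a consumer that only knows how to resolve the wsse:Reference form, is exactly what describe_strs surfaces when run over a peer's response before attempting decryption.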