Bug 1004576 - Signed SAML assertion validation error w/ SupportingTokens only policy
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Services
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ER7
Target Release: EAP 6.2.0
Assigned To: Alessio Soldano
QA Contact: Rostislav Svoboda
Docs Contact: Russell Dickenson
Depends On: 1021549
Blocks: 1004624 1012664
Reported: 2013-09-04 21:36 EDT by Kyle Lape
Modified: 2013-12-15 11:20 EST
Doc Type: Bug Fix
Clones: 1004624
Last Closed: 2013-12-15 11:20:04 EST
Type: Bug

External Trackers: Apache JIRA CXF-5248

Description Kyle Lape 2013-09-04 21:36:17 EDT
I have an endpoint whose WSDL has the following policy:
<wsp:Policy wsu:Id="MyPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssSamlV20Token11/>
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

I've configured the client so that the provided SAML2 assertion is self-signed.
The SamlTokenInterceptor deals with the request on the server side; a RequestData instance is built up in 'processToken(Element tokenElement, final SoapMessage message)', but no signature crypto is configured in it. As a consequence the validation later fails in SignatureTrustValidator#validate(..) because no crypto can be retrieved.
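The following is an added illustration, not code from CXF, WSS4J or EAP, of the step the description reports as missing: before the assertion's signing certificate reaches SignatureTrustValidator, the RequestData has to carry a signature Crypto (the endpoint's truststore), otherwise the validator has nothing to check the certificate against. Package and class names assume WSS4J 1.6 / CXF 2.7 (the stack bundled with EAP 6.x); the truststore is assumed to be named through the standard CXF endpoint property ws-security.signature.properties (SecurityConstants.SIGNATURE_PROPERTIES), which points at a Merlin properties file. The class name SamlSignatureTrustCheck, the method names and the properties-file contents in the comment are this example's own.

```java
import java.security.cert.X509Certificate;
import java.util.Properties;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SignatureTrustValidator;

/**
 * Added example (not CXF/EAP code). Assumed WSS4J 1.6 / CXF 2.7 APIs.
 *
 * The Merlin properties file referenced by ws-security.signature.properties
 * is assumed to look like this (values are placeholders):
 *
 *   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
 *   org.apache.ws.security.crypto.merlin.keystore.type=jks
 *   org.apache.ws.security.crypto.merlin.keystore.password=PLACEHOLDER
 *   org.apache.ws.security.crypto.merlin.keystore.file=service-truststore.jks
 */
public final class SamlSignatureTrustCheck {

    private SamlSignatureTrustCheck() { }

    /**
     * Build a RequestData for the incoming message and load the endpoint's
     * signature truststore into it. Fails closed with an explicit error when
     * the property is absent, instead of letting validation fail later with
     * an unexplained "no crypto" error.
     */
    public static RequestData requestDataWithSignatureCrypto(SoapMessage message)
            throws WSSecurityException {
        RequestData data = new RequestData();
        data.setMsgContext(message);

        Object propsRef = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
        if (propsRef == null) {
            throw new WSSecurityException(
                "No signature properties configured for this endpoint; "
                + "cannot verify the SAML assertion signature");
        }

        Crypto sigCrypto;
        if (propsRef instanceof Properties) {
            sigCrypto = CryptoFactory.getInstance((Properties) propsRef);
        } else {
            // A String value names the properties file on the classpath
            sigCrypto = CryptoFactory.getInstance(propsRef.toString());
        }
        data.setSigCrypto(sigCrypto);
        return data;
    }

    /**
     * Apply WSS4J's standard trust check to the certificate chain that signed
     * the assertion. A self-signed assertion passes only if its certificate,
     * or an issuer of it, is present in the configured truststore.
     */
    public static Credential checkAssertionSignerTrusted(X509Certificate[] signerChain,
                                                          RequestData data)
            throws WSSecurityException {
        if (data.getSigCrypto() == null) {
            // This is the state the bug report describes: no crypto, so no trust decision is possible
            throw new WSSecurityException(
                "RequestData has no signature Crypto; trust cannot be established");
        }
        Credential credential = new Credential();
        credential.setCertificates(signerChain);
        // Throws WSSecurityException when the chain is not anchored in the truststore
        return new SignatureTrustValidator().validate(credential, data);
    }
}
```

The signer chain passed to checkAssertionSignerTrusted is assumed to come from the assertion's KeyInfo after its XML signature has been verified; that step is left out here. The point to take from the example is the ordering: the truststore must be attached to the RequestData before the SAML token is validated, and a missing truststore should surface as a configuration error rather than as a generic validation failure.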
Comment 2 Petr Sakař 2013-11-15 02:27:02 EST
For the reproducer, see BZ-1004624
Comment 3 Petr Sakař 2013-11-15 02:29:29 EST
Verified for EAP 6.2.0.CR1 with the procedure from BZ 1004624