Bug 1004576 - Signed SAML assertion validation error w/ SupportingTokens only policy
Summary: Signed SAML assertion validation error w/ SupportingTokens only policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Services
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ER7
Target Release: EAP 6.2.0
Assignee: Alessio Soldano
QA Contact: Rostislav Svoboda
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Depends On: 1021549
Blocks: 1004624 1012664
 
Reported: 2013-09-05 01:36 UTC by Kyle Lape
Modified: 2013-12-15 16:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1004624
Environment:
Last Closed: 2013-12-15 16:20:04 UTC
Type: Bug
Embargoed:




Links: Apache JIRA CXF-5248

Description Kyle Lape 2013-09-05 01:36:17 UTC
I have an endpoint whose WSDL has the following policy:
<wsp:Policy wsu:Id="MyPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssSamlV20Token11/>
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

I've configured the client so that the provided SAML2 assertion is self-signed.
The SamlTokenInterceptor deals with the request on the server side; a RequestData instance is built up in 'processToken(Element tokenElement, final SoapMessage message)', but no signature crypto is configured in it. As a consequence, the validation later fails in SignatureTrustValidator#validate(..) because no crypto can be retrieved.
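
The two checks the description above is about, as an added illustration that is not CXF, WSS4J or EAP code: a Go model of what a self-signed SAML assertion has to pass on the server. Step one verifies the signature with the certificate the token carries, which every self-signed token passes by construction; step two (the job of SignatureTrustValidator) chains that certificate to the anchors the server was configured with, and a nil trust pool plays the part of the RequestData that has no signature crypto. Everything in the block (Token, Sign, Validate, RunScenario, the issuer names and the assertion bodies) is this example's own construction and stands in for the WSS4J types.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Token models a self-signed SAML assertion as the server receives it: the
// signed bytes, the signature, and the signer's cert from ds:KeyInfo.
type Token struct {
	Assertion []byte
	Signature []byte
	Cert      *x509.Certificate
}

// check aborts the example on a setup failure such as key generation.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newIssuer mints a self-signed cert and key; constructed here instead of a keystore.
func newIssuer(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Sign is the client side: sign the assertion and embed the signer's cert.
func Sign(assertion []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) *Token {
	digest := sha256.Sum256(assertion)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return &Token{Assertion: assertion, Signature: sig, Cert: cert}
}

// VerifySignature is step one: check the signature with the cert carried in the
// token. Integrity only; every self-signed token passes, since the key came with it.
func VerifySignature(t *Token) error {
	pub, ok := t.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported signing key type %T", t.Cert.PublicKey)
	}
	if d := sha256.Sum256(t.Assertion); !ecdsa.VerifyASN1(pub, d[:], t.Signature) {
		return fmt.Errorf("assertion signature does not verify")
	}
	return nil
}

// Validate adds step two, the role of SignatureTrustValidator: the embedded cert
// must chain to a configured anchor. A nil pool stands in for the missing
// signature crypto from the bug report, and the only safe answer is to reject.
func Validate(t *Token, roots *x509.CertPool) error {
	if err := VerifySignature(t); err != nil {
		return err
	}
	if roots == nil {
		return fmt.Errorf("no signature crypto configured, cannot establish trust")
	}
	_, err := t.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// RunScenario returns the outcome of each case a reviewer would want to see.
func RunScenario() map[string]error {
	idp, idpKey := newIssuer("trusted-idp")
	rogue, rogueKey := newIssuer("rogue-issuer")
	roots := x509.NewCertPool()
	roots.AddCert(idp) // the server's configured trust anchor
	good := Sign([]byte("<saml2:Assertion>alice</saml2:Assertion>"), idp, idpKey)
	forged := Sign([]byte("<saml2:Assertion>admin</saml2:Assertion>"), rogue, rogueKey)
	return map[string]error{
		"trusted issuer, trust store configured": Validate(good, roots),
		"rogue issuer, signature check only":     VerifySignature(forged),
		"rogue issuer, full validation":          Validate(forged, roots),
		"trusted issuer, no signature crypto":    Validate(good, nil),
	}
}

func main() {
	for name, res := range RunScenario() {
		fmt.Printf("%-40s -> %v\n", name, res)
	}
}
```

Run with go run: the rogue issuer's token passes the signature step alone and is rejected once trust is checked, and the case with no signature crypto fails closed instead of letting the token through, which is why the interceptor has to hand the configured crypto to RequestData before SignatureTrustValidator runs.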

Comment 2 Petr Sakař 2013-11-15 07:27:02 UTC
For reproducer see BZ-1004624

Comment 3 Petr Sakař 2013-11-15 07:29:29 UTC
Verified for EAP 6.2.0.CR1
with procedure from BZ 1004624

