
Signature validation fails when using SAML token.

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Deferred
• Affects Version/s: 2.1 GA
• Fix Version/s: None
• Component/s: Security
• Labels: None

Description

Validation of SAML assertions results in an error in the verifyCertificateTrust() method because this method assumes that signatures are always signed by an X509 certificate. The SAML spec gives an example of a signature that uses the SAML assertion to sign the signature in section 3.5.1.4 Example V2.0 from http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SAMLTokenProfile.pdf. After checking "if (actionResult != null)", the type of token (X509, public key, or SAML) used for the signature should be determined and trust should be verified accordingly. The name of the method should probably be changed to since it would be verifying trust on more than just certificates.

People

• Assignee: Unassigned
• Reporter: jaminh
• Votes: 0
• Watchers: 2