ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] [Created] (WSS-479) Inbound streaming does not handle Symmetric Holder-Of-Key correctly
Date Mon, 07 Oct 2013 13:15:42 GMT
Colm O hEigeartaigh created WSS-479:

             Summary: Inbound streaming does not handle Symmetric Holder-Of-Key correctly
                 Key: WSS-479
             Project: WSS4J
          Issue Type: Bug
            Reporter: Colm O hEigeartaigh
            Assignee: Marc Giger
             Fix For: 2.0

The streaming code has a problem when processing a request which contains a Holder-of-key
SAML Assertion with a Subject which has an EncryptedKey in the KeyInfo, and a Signature in
the security header which uses HMAC + points to the SAML Assertion.

The following code in SecurityTokenFactoryImpl:

if (keyInfoType != null) {
            final SecurityTokenReferenceType securityTokenReferenceType
                    = XMLSecurityUtils.getQNameType(keyInfoType.getContent(), WSSConstants.TAG_wsse_SecurityTokenReference);

... bypasses the EncryptedKey, and instead only returns a SecurityToken of the (encrypting)
certificate. Instead it should detect that the immediate child of KeyInfo is an EncryptedKey
+ process this accordingly.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message