There have been some considerable changes to SAML processing based on some
security issues that will become public soon. The security context is not
populated via unsigned SAML tokens any more (even if they are received over
TLS with client authentication). If you want to support this you will have
to override the doResults method of the WSS4JInInterceptor. If you really
want to though, we could introduce a new JAX-WS property (defaulting to
false) to allow this behaviour.

Colm.

On Thu, Oct 16, 2014 at 2:02 PM, Jason Pell <[email protected]> wrote:

> All I get now is the X500Principal of the https token.
>
> My policy is below.  I am relying on the RequireClientCertificate to have
> the saml token "signed" and thus I would have expected it to be present in
> the security context.  I am at a loss as to why something like this could
> change between point releases.
>
>
>     <!-- 2.3.1.1 (WSS1.0) SAML1.1 Assertion (Bearer) -->
>     <wsp:Policy wsu:Id="TLSBearerPolicy"
>         xmlns:wsp="http://www.w3.org/ns/ws-policy"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>
>             <wsp:All>
>                 <sp:TransportBinding>
>                     <wsp:Policy>
>                         <sp:TransportToken>
>                             <wsp:Policy>
>                                 <sp:HttpsToken>
>                                     <wsp:Policy>
>                                         <sp:RequireClientCertificate/>
>                                     </wsp:Policy>
>                                 </sp:HttpsToken>
>                             </wsp:Policy>
>                         </sp:TransportToken>
>                         <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                                 <sp:Basic128 />
>                             </wsp:Policy>
>                         </sp:AlgorithmSuite>
>                         <sp:Layout>
>                             <wsp:Policy>
>                                 <sp:Strict />
>                             </wsp:Policy>
>                         </sp:Layout>
>                         <sp:IncludeTimestamp />
>                     </wsp:Policy>
>                 </sp:TransportBinding>
>
>                 <sp:SignedSupportingTokens>
>                     <wsp:Policy>
>                         <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                             <wsp:Policy>
>                                 <sp:WssSamlV11Token11/>
>                             </wsp:Policy>
>                         </sp:SamlToken>
>                     </wsp:Policy>
>                 </sp:SignedSupportingTokens>
>             </wsp:All>
>     </wsp:Policy>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
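The rule Colm describes above (the security context takes the identity proven by the client certificate unless the SAML token itself is signed), as an added Python illustration that is not CXF or WSS4J code: the SAML 1.1 assertion is constructed, and XML-DSig verification is assumed to be supplied by the caller through `verify_signature`.

```python
import xml.etree.ElementTree as ET
from typing import Callable, NamedTuple, Optional

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: an unsigned SAML 1.1 bearer assertion naming "alice".
UNSIGNED = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
  AssertionID="_constructed-1" Issuer="idp.example.test" IssueInstant="2014-10-16T00:00:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    AuthenticationInstant="2014-10-16T00:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
# The same assertion carrying a ds:Signature element (a stand-in for a real XML-DSig).
SIGNED = UNSIGNED.replace("<saml:AuthenticationStatement",
                          f'<ds:Signature xmlns:ds="{DSIG}"/><saml:AuthenticationStatement', 1)

class SecurityContext(NamedTuple):
    principal: str        # name the service sees as the caller
    source: str           # "saml" (assertion subject) or "tls" (client certificate)
    note: Optional[str]

def saml_subject(assertion: ET.Element) -> Optional[str]:
    nid = assertion.find(f".//{{{SAML1}}}Subject/{{{SAML1}}}NameIdentifier")
    return nid.text.strip() if nid is not None and nid.text else None

def build_security_context(tls_principal: str, assertion_xml: Optional[str],
                           verify_signature: Callable[[ET.Element], bool],
                           trust_unsigned: bool = False) -> SecurityContext:
    """tls_principal: X500 name proven by the client certificate.
    verify_signature: XML-DSig check supplied by the caller (WSS4J's job inside CXF).
    trust_unsigned=False is the hardened default; True reproduces the old behaviour."""
    if assertion_xml is None:
        return SecurityContext(tls_principal, "tls", None)
    assertion = ET.fromstring(assertion_xml)
    subject = saml_subject(assertion)
    has_sig = assertion.find(f"{{{DSIG}}}Signature") is not None
    if has_sig and not verify_signature(assertion):
        raise ValueError("SAML assertion signature failed to verify")  # reject the message
    if subject is None:
        return SecurityContext(tls_principal, "tls", "assertion carries no Subject")
    if has_sig or trust_unsigned:
        note = None if has_sig else "unsigned assertion accepted (legacy behaviour)"
        return SecurityContext(subject, "saml", note)
    # The certificate proves who sent the message, not who the unsigned token names.
    return SecurityContext(tls_principal, "tls", "unsigned assertion ignored")
```

With the default `trust_unsigned=False` the unsigned assertion yields only the X500 principal, which is exactly what Jason observes after the change.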
