[
https://issues.apache.org/jira/browse/CXF-4655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved CXF-4655.
--------------------------------------
Resolution: Fixed
> Enforce SAML SubjectConfirmation requirements for the non WS-SecurityPolicy
> case
> --------------------------------------------------------------------------------
>
> Key: CXF-4655
> URL: https://issues.apache.org/jira/browse/CXF-4655
> Project: CXF
> Issue Type: Improvement
> Components: WS-* Components
> Affects Versions: 2.5.6, 2.6.3, 2.7.0
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 2.5.7, 2.6.4, 2.7.1
>
>
> If using WS-SecurityPolicy, Subject Confirmation requirements are enforced on
> SAML Tokens. So for HolderOfKey, the subject credential of the SAML Assertion
> must have been used to sign some portion of the message, or else must match a
> client certificate if 2-way TLS is used. For SenderVouches, the SAML
> Assertion and SOAP Body must be signed by the same credential (TLS or message
> level).
> However, this is not enforced for the non WS-SecurityPolicy approach, which
> uses simple WSS4J actions. This task is to add this support to CXF. It will
> be enabled by default in CXF 2.7.1, but disabled by default in CXF 2.5.6 and
> 2.6.4. It is configurable via the jaxws property
> SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION
> ("ws-security.validate.saml.subject.conf").
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
