[ 
https://issues.apache.org/jira/browse/CXF-7013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15434778#comment-15434778
 ] 

Colm O hEigeartaigh commented on CXF-7013:
------------------------------------------

What's happening here is that WSS4J is querying a CallbackHandler for a secret 
key associated with the Subject of the Assertion. It creates a 
WSPasswordCallback using the SAML Assertion Id and the usage 
"WSPasswordCallback.SECRET_KEY". So if you want to handle this in your 
CallbackHandler, then simply check the WSPasswordCallback usage and handle it 
accordingly, otherwise ignore. To avoid confusing logging, you can just log in 
the usage for "USERNAME_TOKEN".

Colm.
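An added example (not code from the CXF project or from this thread) of a CallbackHandler that branches on the WSPasswordCallback usage as described above, so that the SECRET_KEY query made with the SAML Assertion ID is not mistaken for a UsernameToken lookup; the class name, the logger and the sample credential map are assumptions:

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.logging.Logger;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback;

// Hypothetical handler; configure it as ws-security.callback-handler in place of
// the reporter's com.SecurityCallback.
public class UsageAwareCallbackHandler implements CallbackHandler {

    private static final Logger LOG =
        Logger.getLogger(UsageAwareCallbackHandler.class.getName());

    // Constructed sample credential store for this example only.
    private static final Map<String, String> PASSWORDS =
        Collections.singletonMap("alice", "alice-password");

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Identifier is the UsernameToken username: log only here.
                    LOG.info("UsernameToken received for user " + pc.getIdentifier());
                    // Leaving the password unset makes WSS4J reject an unknown user.
                    pc.setPassword(PASSWORDS.get(pc.getIdentifier()));
                    break;
                case WSPasswordCallback.SECRET_KEY:
                    // Identifier is the SAML Assertion ID ("Abc-1" in the report),
                    // not a username. No key is associated with the Subject here,
                    // so the key stays unset and nothing is logged at INFO level.
                    LOG.fine("Secret-key query for SAML Assertion " + pc.getIdentifier());
                    break;
                default:
                    // Other usages (SIGNATURE, DECRYPT, ...) are not handled here.
                    break;
            }
        }
    }
}
```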

> SAML token using ws-security.callback-handler as for UT with ID attribute 
> value
> -------------------------------------------------------------------------------
>
>                 Key: CXF-7013
>                 URL: https://issues.apache.org/jira/browse/CXF-7013
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.0.6
>            Reporter: Grzegorz Maczuga
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>
> Processing of a SAML token results in a call to the configured 
> ws-security.callback-handler, the same as for a Username Token.
> When CXF receives (no UT in it):
>    <wss:Security>
>       <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
> ID="Abc-1" IssueInstant="2016-08-16T08:13:47Z" Version="2.0">
>         <saml:Issuer 
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=user</saml:Issuer>
>         <saml:Subject>
>           <saml:NameID 
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">some_name</saml:NameID>
>        ...         
>      </wss:Security>
> it calls the configured:
>         ws-security.callback-handler=com.SecurityCallback
> with ID="Abc-1" from the above Security section as the username.
> Ignoring this and moving on has no impact on processing the SAML token, but if 
> SecurityCallback does some funny stuff (or at least logging) for each received 
> UT it is really confusing.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)