[
https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16742394#comment-16742394
]
Colm O hEigeartaigh commented on CXF-7941:
------------------------------------------
CXF/WSS4J SAML trust verification should work fine with BinarySecurityTokens
containing X.509 certs. What I don't understand is how you are getting to
Merlin.verifyTrust(PublicKey) though if you are using a certificate. Could you
post a sample of a SOAP Reuqest that is causing the problem? You can sanitise
any sensitive information from it. Also a stacktrace from Merlin.verifyTrust
would be helpful.
> SamlValidator does not work with chain trust
> --------------------------------------------
>
> Key: CXF-7941
> URL: https://issues.apache.org/jira/browse/CXF-7941
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 3.2.7
> Reporter: Tomas Vanhala
> Priority: Major
> Attachments: cxf7941.zip
>
>
> As explained here
> [http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html,]
> WSS4J supports specifying constraints on the subject DN of the certificate
> used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests
> containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to
> sign the requests from the Merlin trust store, and setting an appropriate
> Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to
> handle a scenario where the certificate used to sign the requests is not in
> the trust store. The problem seems to be in the method
> findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by
> including the needed PKI code in a customised SamlValidator, but we would
> rather not go this route.
> Please fix chain trust in WSS4J SAML validation.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
