[WSS-479] Inbound streaming does not handle Symmetric Holder-Of-Key correctly - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0.0
Component/s: None
Labels:
None

Description

The streaming code has a problem when processing a request which contains a Holder-of-key SAML Assertion with a Subject which has an EncryptedKey in the KeyInfo, and a Signature in the security header which uses HMAC + points to the SAML Assertion.

The following code in SecurityTokenFactoryImpl:

if (keyInfoType != null) {
final SecurityTokenReferenceType securityTokenReferenceType
= XMLSecurityUtils.getQNameType(keyInfoType.getContent(), WSSConstants.TAG_wsse_SecurityTokenReference);

... bypasses the EncryptedKey, and instead only returns a SecurityToken of the (encrypting) certificate. Instead it should detect that the immediate child of KeyInfo is an EncryptedKey + process this accordingly.

Attachments

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Colm O hEigeartaigh

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 07/Oct/13 13:13

Updated:: 06/May/14 09:10

Resolved:: 15/Oct/13 13:39