[jira] [Commented] (CXF-7941) SamlValidator does not work with chain trust


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16740545#comment-16740545 ]

Colm O hEigeartaigh commented on CXF-7941:

I need more information to try and diagnose what the issue is. A test-case to reproduce the problem would be ideal. Failing that, what does the KeyInfo of the Signature on the Assertion look like? Are you sure the corresponding issuing certificate is in the truststore? What does your WSS4J/CXF security configuration look like? What code did you have to add to the customised validator to get it to work?

> SamlValidator does not work with chain trust
> --------------------------------------------
>                 Key: CXF-7941
>                 URL: https://issues.apache.org/jira/browse/CXF-7941
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.7
>            Reporter: Tomas Vanhala
>            Priority: Major
> As explained here (http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html), WSS4J supports specifying constraints on the subject DN of the certificate used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to sign the requests from the Merlin trust store, and setting an appropriate Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to handle a scenario where the certificate used to sign the requests is not in the trust store. The problem seems to be in the method findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by including the needed PKI code in a customised SamlValidator, but we would rather not go this route.
> Please fix chain trust in WSS4J SAML validation.

This message was sent by Atlassian JIRA
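The two trust models the report contrasts, as an added example that is not part of the CXF or WSS4J code base and not the reporter's customised validator. It is written in Go rather than Java so that it generates its own throwaway PKI in memory and runs offline; the names BuildPKI, DirectTrust, ChainTrust, SubjectConstraint and the sample DNs (CN=sts,O=Example and CN=evil,O=Other) are assumptions introduced here. DirectTrust stands in, loosely, for the trust-store lookup by public key that the report says fails once the signing certificate is removed; ChainTrust is a standard PKIX path check to the issuing CA followed by the Subject DN constraint, which is what "chain trust" has to do instead.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// SubjectConstraint is the Subject DN constraint applied under chain trust
// (an assumed example value; in CXF/WSS4J it is whatever you configure).
var SubjectConstraint = regexp.MustCompile(`^CN=sts,O=Example$`)

// PKI is a constructed, throwaway hierarchy: one root CA and two end-entity
// certificates it issued, only one of which should be accepted.
type PKI struct {
	Root   *x509.Certificate // the issuing CA: the only entry in the chain-trust store
	Signer *x509.Certificate // CN=sts,O=Example: the certificate that signs the SAML assertions
	Rogue  *x509.Certificate // CN=evil,O=Other: same issuer, but fails the Subject DN constraint
}

// issue creates a certificate from tmpl; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signingKey := parentKey
	if parent == nil {
		parent, signingKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signingKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func template(serial int64, cn, org string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// BuildPKI constructs the hierarchy in memory (constructed test data, not real keys).
func BuildPKI() (*PKI, error) {
	root, rootKey, err := issue(template(1, "Example Root CA", "Example", true), nil, nil)
	if err != nil {
		return nil, err
	}
	signer, _, err := issue(template(2, "sts", "Example", false), root, rootKey)
	if err != nil {
		return nil, err
	}
	rogue, _, err := issue(template(3, "evil", "Other", false), root, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Signer: signer, Rogue: rogue}, nil
}

// DirectTrust accepts the signer only if a certificate with the same public key
// is in the store: a lookup, not a path validation, so it cannot succeed once
// the signing certificate itself has been removed from the store.
func DirectTrust(signer *x509.Certificate, store []*x509.Certificate) bool {
	for _, c := range store {
		if bytes.Equal(c.RawSubjectPublicKeyInfo, signer.RawSubjectPublicKeyInfo) {
			return true
		}
	}
	return false
}

// ChainTrust validates a path from the signer to a trusted root in the store,
// then applies the Subject DN constraint to the signer (not to its issuer).
func ChainTrust(signer *x509.Certificate, store []*x509.Certificate, constraint *regexp.Regexp) error {
	roots := x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // a signing cert, not a TLS server
	}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	if constraint != nil && !constraint.MatchString(signer.Subject.String()) {
		return fmt.Errorf("subject %q does not match constraint %s", signer.Subject.String(), constraint)
	}
	return nil
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	chainStore := []*x509.Certificate{p.Root} // the signing certificate is deliberately absent
	fmt.Println("direct trust, signer absent from store:", DirectTrust(p.Signer, chainStore))
	fmt.Println("chain trust, signer:", ChainTrust(p.Signer, chainStore, SubjectConstraint))
	fmt.Println("chain trust, rogue :", ChainTrust(p.Rogue, chainStore, SubjectConstraint))
}
```

Under chain trust both leaves validate to the same root, so the Subject DN constraint is the only thing that separates the expected signer from any other certificate the CA issued; it must be applied to the end-entity certificate found in the Signature's KeyInfo, and the chain-trust store should then contain the issuer(s) rather than the signing certificate. Revocation checking is outside the scope of this example.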