IDPWebBrowserSSOValve: by default sign outgoing messages and ignore incoming signatures
---------------------------------------------------------------------------------------
Key: JBID-160
URL: https://jira.jboss.org/jira/browse/JBID-160
Project: JBoss Identity
Issue Type: Feature Request
Affects Versions: IDFED-1.0.0.alpha4
Reporter: Marcel Kolsteren
Assignee: Anil Saldhana

The current version of IDPWebBrowserSSOValve has a supportSignature property that controls
the use of signatures. When signature support is on (which is the default), the outgoing
messages are signed, while incoming messages are rejected if they don't have a valid
signature.

In the Web Browser SSO profile, where the SP is the relying party, it is very important
that the SP validates the authenticity and integrity of authentication responses received
from the IDP. The other way around, it is less important for the IDP to validate incoming
messages. Therefore, the IDPWebBrowserSSOValve should at least have support for the
situation where only the outgoing messages are signed.

Therefore, the intention is to replace the supportSignature property with two properties:
- ignoreIncomingSignatures (default: true)
- signOutgoingMessages (default: true)