[jboss-jira] [JBoss JIRA] Updated: (JBID-160) IDPWebBrowserSSOValve: by default sign outgoing messages and ignore incoming signatures

Marcel Kolsteren (JIRA) jira-events at lists.jboss.org
Sat Aug 8 07:14:29 EDT 2009


     [ https://jira.jboss.org/jira/browse/JBID-160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcel Kolsteren updated JBID-160:
----------------------------------

    Component/s: Identity-Federation


> IDPWebBrowserSSOValve: by default sign outgoing messages and ignore incoming signatures
> ---------------------------------------------------------------------------------------
>
>                 Key: JBID-160
>                 URL: https://jira.jboss.org/jira/browse/JBID-160
>             Project: JBoss Identity
>          Issue Type: Feature Request
>          Components: Identity-Federation
>    Affects Versions: IDFED-1.0.0.alpha4
>            Reporter: Marcel Kolsteren
>            Assignee: Anil Saldhana
>
> The current version of IDPWebBrowserSSOValve has a supportSignature property that controls the use of signatures. When signature support is on (which is the default), the outgoing messages are signed, while incoming messages are rejected if they don't have a valid signature.
> In the Web Browser SSO profile, where the SP is the relying party, it is very important that the SP validates the authenticity and integrity of authentication responses received from the IDP. The other way around, it is less important for the IDP to validate incoming messages. Therefore, the IDPWebBrowserSSOValve should at least have support for the situation where only the outgoing messages are signed.
> Therefore, the intention is to replace the supportSignature property with two properties:
> - ignoreIncomingSignatures (default: true)
> - signOutgoingMessages (default: true)
