[jboss-jira] [JBoss JIRA] Assigned: (JBID-160) IDPWebBrowserSSOValve: by default sign outgoing messages and ignore incoming signatures
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Mon Aug 10 15:19:29 EDT 2009
[ https://jira.jboss.org/jira/browse/JBID-160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anil Saldhana reassigned JBID-160:
----------------------------------
Assignee: Marcel Kolsteren (was: Anil Saldhana)
> IDPWebBrowserSSOValve: by default sign outgoing messages and ignore incoming signatures
> ---------------------------------------------------------------------------------------
>
> Key: JBID-160
> URL: https://jira.jboss.org/jira/browse/JBID-160
> Project: JBoss Identity
> Issue Type: Feature Request
> Components: Identity-Federation
> Affects Versions: IDFED-1.0.0.alpha4
> Reporter: Marcel Kolsteren
> Assignee: Marcel Kolsteren
> Fix For: IDFED-1.0.0.beta1
>
>
> The current version of IDPWebBrowserSSOValve has a supportSignature property that controls the use of signatures. When signature support is on (which is the default), the outgoing messages are signed, while incoming messages are rejected if they don't have a valid signature.
> In the Web Browser SSO profile, where the SP is the relying party, it is very important that the SP validates the authenticity and integrity of authentication responses received from the IDP. The other way around, it is less important for the IDP to validate incoming messages. Therefore, the IDPWebBrowserSSOValve should at least have support for the situation where only the outgoing messages are signed.
> Therefore, the intention is to replace the supportSignature property with two properties:
> - ignoreIncomingSignatures (default: true)
> - signOutgoingMessages (default: true)
--
This message is automatically generated by JIRA.