OIOSAML for Java release 2.0.3 has been made available. This release
contains the following changes
- Fixed a NPE when using a custom Logger implementation
- Added support for eID during metadata generation - the
configuration wizard supports generating eID gateway compatible SAML metadata
- Fixed a NPE in the configuration wizard, that shadowed a
wrong-password error message on the uploaded keystore
- Fixed a special case where the SHA-256 signature configuration
would be overwritten by a 3rd party library (see more below)
This version is especially important for users that use OIOSAML
together with older versions of the CXF webservice framework, and who
wish to use rsa-sha256 as the signature algorithm.
The CXF framework (up to at least the 3.0.x release branch) will
perform a reset of the OpenSAML frameworks configuration when the
first webservice call is performed. This reset will configure OpenSAML
to use rsa-sha1 as the signature algorithm, and as OIOSAML relies on
OpenSAMLs configuration for certain signatures, this can potentially
cause OIOSAML to revert back to rsa-sha1 instead of rsa-sha256.
Note that this issue only happens when the following is true
- OIOSAML is used together with CXF version 3.0.x or earlier
- OIOSAML is configured to use rsa-sha256 as the signature algorithm
- No webservice calls are made, using CXF, until AFTER the first
user has logged in using OIOSAML
In this specific case, OIOSAML will use rsa-sha1 (instead of the
configured rsa-sha256) AFTER the first CXF webservice call.
This version fixes this issue, by ensuring that rsa-sha256 is used,
even if CXF performs a reset of the OpenSAML configuration.
The code is still available through Softwarebørsen SVN, and can be
The binary artifacts are distributed as Maven dependencies, and can
be located here