1) Apache Santuario (XML Security for Java) 1.5.1 upgrade
WSS4J has upgraded the Santuario dependency from 1.4.6 to 1.5.1 and hence picks up the following relevant new features:
- Support for GCM algorithms has been added via a third-party JCE provider (e.g. BouncyCastle). I will describe this in more detail in a future blog post.
- Support for Key Transport Algorithms with strong digests is available.
- More secure validation of incoming signed requests is performed.
- Better protection against signature wrapping attacks is available.
2) Improvements in validating SAML Assertions
WSS4J contains the following improvements related to validating SAML Assertions:
- Validation of SAML Condition NotBefore/NotOnOrAfter dates.
- Validation of the received Assertion against the schema/specs.
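
The NotBefore/NotOnOrAfter check listed above, as an added example using only the JDK; it is not WSS4J's own code. It assumes a SAML 2.0 Conditions element and a 60-second clock-skew allowance, and the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class SamlConditionsCheck {
    // Assumption: SAML 2.0 assertion namespace.
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** True when now lies in [NotBefore, NotOnOrAfter), widened by the allowed clock skew. */
    static boolean withinValidity(Element conditions, Instant now, Duration skew) {
        // SAML time values are UTC ("Z"), which Instant.parse accepts directly.
        String notBefore = conditions.getAttribute("NotBefore");
        String notOnOrAfter = conditions.getAttribute("NotOnOrAfter");
        // Both attributes are optional; an absent bound is not checked.
        if (!notBefore.isEmpty() && now.plus(skew).isBefore(Instant.parse(notBefore))) {
            return false; // not yet valid
        }
        // NotOnOrAfter is exclusive: the assertion is already expired at that exact instant.
        if (!notOnOrAfter.isEmpty() && !now.minus(skew).isBefore(Instant.parse(notOnOrAfter))) {
            return false; // expired
        }
        return true;
    }

    static Element parseConditions(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the parser cannot be used for XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return (Element) dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagNameNS(SAML2_NS, "Conditions").item(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, not taken from a real assertion.
        String xml = "<saml2:Conditions xmlns:saml2=\"" + SAML2_NS + "\""
                + " NotBefore=\"2012-06-01T10:00:00Z\" NotOnOrAfter=\"2012-06-01T10:05:00Z\"/>";
        Element conditions = parseConditions(xml);
        Duration skew = Duration.ofSeconds(60); // assumed tolerance between issuer and receiver
        for (String t : new String[] {"2012-06-01T09:58:30Z", "2012-06-01T09:59:30Z",
                "2012-06-01T10:04:59Z", "2012-06-01T10:06:00Z"}) {
            System.out.println(t + " -> " + withinValidity(conditions, Instant.parse(t), skew));
        }
    }
}
```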
3) Improvements relating to certificate revocation
There are a number of fixes relating to certificate revocation: