Posted to wss4j-dev@ws.apache.org by Armour Phillip <ar...@bah.com> on 2006/10/11 03:24:23 UTC

Signing SAML assertions within a signed message

Hi,
 
I have been trying to get signed SAML assertions into a message that I
then add headers to, and sign using WSS4J 1.5.
I am using Axis 1.x (1.2.1 and 1.4), and with WSS4J 1.5 I am using
XML-Security 1.3.0 and OpenSAML. I also have Java 1.4, and as a result I
have Xerces 2.8.0 and xml-apis 1.3.03 in my endorsed directory.
 
***The Problem*** is that when I try to pass a message containing a
signed object to the handlers that add the wss security headers and sign
the whole message, I break the integrity of the internal signed object.
The exact moment this happens seems to be when a
javax.xml.rpc.handler.Handler is invoked on the message to insert the
wss headers.
 
I have come across some postings that seem to point to the same problems
I am having:
 
http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200608.mbox/%3c44DA22A5.7040805@virginia.edu%3e
and http://www.mail-archive.com/wss4j-dev@ws.apache.org/msg01874.html
 
As in the postings, I tried to modify
enableNamespacePrefixOptimization, but it prevented my signed SOAP
messages from validating.
 
After many attempts, I have cobbled together a working demo.  The basic
strategy I have been using is to sign the assertion and message at the
same time in a handler (extends org.apache.axis.handlers.BasicHandler)
right before sending out (read: end of chain).  Then I verify both
message and internal assertion before the wss headers are modified at
all.  I have had some success with this, but I am limited by this
solution.  Additionally, I would like an easy way to use the OpenSAML
libraries to have the objects sign themselves and then not have to worry
about them being disrupted by my SOAP engine.
 
***Request for Input*** I am thinking this use case might be a lost
cause in Axis 1.x.  However, if anyone could recommend further solutions,
including other technologies (other than Axis 1.4) that have been proven
to pass signed messages (and signed parts within signed messages) along
to SOAP without "mucking" with the XML, I would really appreciate it.
 
At this point I am assuming this is an Axis 1.x issue and not a WSS4J
one, although if anyone has more insight on this I would be open to it.
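As an added illustration of the failure described in this post (not from the thread, and not WSS4J or OpenSAML code): a ds:Reference digest is computed over the canonicalized assertion, so the inner signature survives only those handler rewrites that canonicalization absorbs. The assertion below is a constructed sample, and the stdlib canonicalize() used here implements C14N 2.0 rather than the C14N 1.0 transforms a 2006-era stack would have used, so the unused-namespace case is called out separately.

```python
"""Why a SOAP engine's re-serialization breaks an embedded XML signature.

A ds:DigestValue is computed over the canonical form of the referenced
element, so a signed assertion survives only rewrites that C14N normalizes
away. All XML here is constructed sample data, not OpenSAML or WSS4J output.
Python's canonicalize() implements C14N 2.0, which like Exclusive C14N omits
namespace declarations that are not visibly used (Inclusive C14N 1.0 keeps them).
"""
import hashlib
from xml.etree.ElementTree import canonicalize

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
WSU_NS = "http://schemas.xmlsoap.org/ws/2002/07/utility"
START_TAG = f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:wsu="{WSU_NS}" AssertionID="_a1">'

# Constructed assertion as embedded before any SOAP handler touches it.
ORIGINAL = (
    START_TAG + "<saml:AuthenticationStatement><saml:Subject>"
    "<saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>"
    "</saml:AuthenticationStatement></saml:Assertion>"
)


def digest_value(fragment: str) -> str:
    """SHA-1 over the canonical form: the value a ds:Reference carries."""
    return hashlib.sha1(canonicalize(fragment).encode("utf-8")).hexdigest()


def survives_rewrite(rewritten: str, original: str = ORIGINAL) -> bool:
    """True if a verifier's recomputed digest still matches the signed one."""
    return digest_value(rewritten) == digest_value(original)


# Rewrites an engine might apply while inserting security headers.
# Harmless: C14N normalizes attribute order and quote style.
ATTRS_REORDERED = ORIGINAL.replace(
    START_TAG, f"<saml:Assertion AssertionID='_a1' xmlns:wsu='{WSU_NS}' xmlns:saml='{SAML_NS}'>"
)
# Harmless under C14N 2.0 / Exclusive C14N, since wsu is never used, but a
# digest computed with Inclusive C14N 1.0 would no longer match.
UNUSED_NS_DROPPED = ORIGINAL.replace(f' xmlns:wsu="{WSU_NS}"', "")
# Breaks: C14N preserves prefixes, so saml: -> ns1: changes the digest.
PREFIX_RENAMED = ORIGINAL.replace("saml:", "ns1:").replace("xmlns:saml", "xmlns:ns1")
# Breaks: whitespace text nodes are signed content, so pretty-printing changes it.
PRETTY_PRINTED = ORIGINAL.replace("><", ">\n  <")

if __name__ == "__main__":
    for name, xml in [("attrs reordered", ATTRS_REORDERED), ("unused ns dropped", UNUSED_NS_DROPPED),
                      ("prefix renamed", PREFIX_RENAMED), ("pretty printed", PRETTY_PRINTED)]:
        print(f"{name:18} signature intact: {survives_rewrite(xml)}")
```

The same comparison applied to a handler's output before and after the wss headers are inserted tells you which rewrite the engine performed, which is more useful than a bare "signature invalid" from the verifier.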