Posted to rampart-dev@ws.apache.org by Håkon Sagehaug <Ha...@bccs.uib.no> on 2009/05/06 10:57:55 UTC
Re: Checking of SAML token from sts
Hi all,
Are there any answers to this question? Does one have to create one's own SAML
checker or something that uses the SAMLAssertion#validate method? I would
really like to know. As far as I can see, the only check that is done now is
to see if a SAMLAssertion object can be created. Is that correct?
cheers, Håkon
2009/4/29 Håkon Sagehaug <Ha...@bccs.uib.no>
> Hi
>
> I was just wondering, when using an sts service to issue a SAML token and
> this needs to be checked at the end service, to see that it's the sts that has
> signed the message, what class is doing the checking? Is it the SAML
> processor in wss4j or some other class?
>
> Also, is there some plan of adding/implementing/exchanging the SAML1 issuer
> with a SAML 2 issuer?
>
> cheers, Håkon
>
> --
> Håkon Sagehaug, Scientific Programmer
> Parallab, Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
>
--
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
Re: Checking of SAML token from sts
Posted by Håkon Sagehaug <Ha...@bccs.uib.no>.
Hi
I made a little method for checking the signature:
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;

// msgCtx is the Axis2 MessageContext of the current invocation (a field of the enclosing class)
private boolean checkSAMLSignature(SAMLAssertion assertion, String certAlias) {
    // Load the service's trust store described by service.properties via the service class loader
    Crypto crypto = CryptoFactory.getInstance("service.properties",
            msgCtx.getAxisService().getClassLoader());
    try {
        X509Certificate[] certificates = crypto.getCertificates(certAlias);
        if (certificates == null || certificates.length == 0) {
            return false; // alias not present in the trust store
        }
        // Verify with the STS public key pinned in our trust store, not a key carried in the token
        PublicKey stsPublicKey = certificates[0].getPublicKey();
        assertion.verify(stsPublicKey); // throws SAMLException if the signature does not verify
        return true;
    } catch (WSSecurityException e) {
        e.printStackTrace();
        return false;
    } catch (SAMLException e) {
        e.printStackTrace();
        return false;
    }
}
I looked briefly at the SAMLTokenProcessor but I'm not quite sure where it fits
in; I'll have a closer look at it. Now I can easily supply the cert alias
for the sts, but do you know how to do it in a better fashion, or should one
just iterate over all the certificates in the trust store?
cheers, Håkon
2009/5/6 Nandana Mihindukulasooriya <na...@gmail.com>
> Yes, the SAML token is processed by the
> org.apache.ws.security.processor.SAMLTokenProcessor class in WSS4J. That
> needs to be improved to check the signature and the other conditions. OpenSAML
> already has an API to do this; it won't be a very hard thing to do. It will
> be great if you can submit a patch to do that for WSS4J. I have done some
> work on a SAML2 issuer in Rampart but those are still in progress. I am planning
> to finish them as soon as I get some free time.
>
> thanks,
> Nandana
>
> --
> Nandana Mihindukulasooriya
> WSO2 inc.
>
> http://nandana83.blogspot.com/
> http://www.wso2.org
>
--
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
Re: Checking of SAML token from sts
Posted by Håkon Sagehaug <Ha...@bccs.uib.no>.
Hi
Do you have a time frame for when the SAML 2 issuer will be completed?
cheers, Håkon
2009/5/6 Nandana Mihindukulasooriya <na...@gmail.com>
> Yes, the SAML token is processed by the
> org.apache.ws.security.processor.SAMLTokenProcessor class in WSS4J. That
> needs to be improved to check the signature and the other conditions. OpenSAML
> already has an API to do this; it won't be a very hard thing to do. It will
> be great if you can submit a patch to do that for WSS4J. I have done some
> work on a SAML2 issuer in Rampart but those are still in progress. I am planning
> to finish them as soon as I get some free time.
>
> thanks,
> Nandana
>
> --
> Nandana Mihindukulasooriya
> WSO2 inc.
>
> http://nandana83.blogspot.com/
> http://www.wso2.org
>
--
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
Re: Checking of SAML token from sts
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Yes, the SAML token is processed by the
org.apache.ws.security.processor.SAMLTokenProcessor class in WSS4J. That
needs to be improved to check the signature and the other conditions. OpenSAML
already has an API to do this; it won't be a very hard thing to do. It will
be great if you can submit a patch to do that for WSS4J. I have done some
work on a SAML2 issuer in Rampart but those are still in progress. I am planning
to finish them as soon as I get some free time.
thanks,
Nandana
2009/5/6 Håkon Sagehaug <Ha...@bccs.uib.no>
> Hi all,
>
> Are there any answers to this question? Does one have to create one's own SAML
> checker or something that uses the SAMLAssertion#validate method? I would
> really like to know. As far as I can see, the only check that is done now is
> to see if a SAMLAssertion object can be created. Is that correct?
>
> cheers, Håkon
>
> --
> Håkon Sagehaug, Scientific Programmer
> Parallab, Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
>
--
Nandana Mihindukulasooriya
WSO2 inc.
http://nandana83.blogspot.com/
http://www.wso2.org
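An added example, not code from this thread or from WSS4J/Rampart, that puts together Håkon's signature check and the "other conditions" Nandana says the SAMLTokenProcessor should enforce: issuer, validity window and audience, using the OpenSAML 1.x SAMLAssertion API the thread refers to. The stsAlias, expectedIssuer and myAudience inputs and the 60-second clock-skew tolerance are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAudienceRestrictionCondition;
import org.opensaml.SAMLCondition;
import org.opensaml.SAMLException;

// Added example, not WSS4J/Rampart code. stsAlias, expectedIssuer, myAudience and the
// skew tolerance are assumed to come from the service's own configuration.
public class StsAssertionChecker {
    private static final long CLOCK_SKEW_MS = 60 * 1000L; // assumed tolerance
    // Throws on the first failed check; returns normally only for an acceptable assertion.
    public static void check(SAMLAssertion assertion, Crypto crypto, String stsAlias,
                             String expectedIssuer, String myAudience)
            throws SAMLException, WSSecurityException {
        // 1. Signature: reject unsigned tokens and verify with the key pinned in OUR trust
        //    store (verify() with no argument would trust the token's own KeyInfo).
        if (!assertion.isSigned()) {
            throw new SAMLException("assertion is not signed");
        }
        X509Certificate[] certs = crypto.getCertificates(stsAlias);
        if (certs == null || certs.length == 0) {
            throw new SAMLException("no certificate for alias " + stsAlias);
        }
        assertion.verify(certs[0].getPublicKey()); // SAMLException on a bad signature
        // 2. Issuer: the token must name the STS we configured, not just any valid signer.
        if (!expectedIssuer.equals(assertion.getIssuer())) {
            throw new SAMLException("unexpected issuer " + assertion.getIssuer());
        }
        // 3. Validity window (NotBefore / NotOnOrAfter) with a little clock-skew tolerance.
        long now = System.currentTimeMillis();
        Date nb = assertion.getNotBefore();
        Date noa = assertion.getNotOnOrAfter();
        if (nb != null && now + CLOCK_SKEW_MS < nb.getTime()) {
            throw new SAMLException("assertion not yet valid");
        }
        if (noa != null && now - CLOCK_SKEW_MS >= noa.getTime()) {
            throw new SAMLException("assertion has expired");
        }
        // 4. Audience restriction: when present, this service must be one of the audiences.
        for (Iterator it = assertion.getConditions(); it.hasNext();) {
            SAMLCondition c = (SAMLCondition) it.next();
            if (!(c instanceof SAMLAudienceRestrictionCondition)) continue;
            boolean listed = false;
            for (Iterator a = ((SAMLAudienceRestrictionCondition) c).getAudiences(); a.hasNext();) {
                listed |= myAudience.equals(a.next());
            }
            if (!listed) throw new SAMLException("service is not in the audience restriction");
        }
    }
}
```

Pinning the STS key by alias, as the method in the thread does, is the safer answer to the "iterate over all certificates in the trust store" question: a token signed by any other key in the store would then be rejected rather than accepted.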