Posted to fx-dev@ws.apache.org by Rami Jaamour <rj...@parasoft.com> on 2004/12/27 20:29:58 UTC

Re: AW: AW: [WSS4J] SAML support

Where is the code which determines whether to accept or reject a SAML 
assertion on the receiver side? WSSecurityEngine#handleSAMLToken(Element 
token) does not seem to validate the values in the assertion. Is the 
OpenSAML code or the WSS4J code supposed to do this? I am trying to build a 
scenario with an authentication statement (and later authorization and 
attributes), and my service is currently accepting any SAML 
authentication statement it gets, regardless of what the subject name 
identifier is. Is the SAML properties file only used for generating the 
SAML tokens? How do I implement a receiver service which only accepts 
valid SAML tokens and have my application respond based on these tokens?

Rami Jaamour
Software Engineer
Web Services Solutions
Parasoft Corporation

"We Make Software Work"



Dittmann Werner wrote:

>Atul,
>
>The receiver side is also implemented; however, on
>the receiver side the WSDoAllReceiver has not
>much to do with it. Pls have a look at the 
>WSSecurityEngine module. It decodes
>the SAML part and performs the key/certificate
>handling.
>
>Regards,
>Werner
>
>>-----Original Message-----
>>From: atul [mailto:techatool@yahoo.com] 
>>Sent: Wednesday, 4 August 2004 09:22
>>To: Dittmann Werner
>>Cc: fx-dev@ws.apache.org
>>Subject: Re: AW: [WSS4J] SAML support
>>
>>
>>Werner,
>>Which parts specifically have been implemented or not
>>implemented?
>>It looks like it has saml assertion generation (the
>>sender side WSDoAllSender) implemented but not the
>>receiver side (WSDoAllReceiver). Any specific reasons
>>for holding it off (like specs not ready or resources)
>>or is it in the works?
>>Any detailed info on it is greatly appreciated.
>>
>>thanks
>>atul.
>>
>>
>>--- Dittmann Werner <we...@siemens.com>
>>wrote:
>>
>>>There is only a basic SAML support built in, no
>>>interop
>>>tests so far.
>>>
>>>Pls have a look at the SAML interop tests, no other
>>>docs yet (because it's not fully supported).
>>>
>>>Regards,
>>>Werner
>>>
>>>>-----Original Message-----
>>>>From: atul [mailto:techatool@yahoo.com] 
>>>>Sent: Tuesday, 3 August 2004 18:56
>>>>To: fx-dev@ws.apache.org
>>>>Subject: [WSS4J] SAML support
>>>>
>>>>
>>>>Does the latest wss4j build fully support the SAML
>>>>profile of WSS spec? Do we have any document
>>>>explaining it?
>>>>
>>>>thx
>>>>
>>

Re: AW: AW: [WSS4J] SAML support

Posted by Ashok Shah <as...@sfu.ca>.
Rami,

The WSS4J code only verifies the signature of the signed attributes, and 
decrypts if it is encrypted. The results are then added to the "wsResult" 
vector.  In WSDoAllReceiver.java you could fetch the SAML action:

WSSecurityEngineResult actionResult = 
WSSecurityUtil.fetchActionResult(wsResult, WSConstants.ST_UNSIGNED);

I think the validation of the SAML Assertions is a bit more complicated 
than we would anticipate. I was looking into the SAML validations, and 
figured that at some point we need to convert the SAML Assertions into XACML 
format (only the latest version of XACML is compatible with SAML) and 
use the XACML verification techniques.  Our requirements were 
application based; HTTP was not involved.

For now I got away by just passing the SAML Assertion in the msgContext 
object. Our requirements dictate that SAML Attributes be available to 
the service end point to make its own decision. The "accept/reject" 
approach seems too restrictive.

Please correct me if I am wrong.

Ashok.

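The accept/reject step Rami is asking about, and which Ashok notes WSS4J does not perform, would look roughly like the class below. This is an added illustration, not code from WSS4J, OpenSAML or either poster. It works on the assertion's DOM Element (the same org.w3c.dom.Element that WSSecurityEngine#handleSAMLToken receives) using only JDK APIs, so the single WSS4J-specific assumption is that the handler has obtained that element from the engine result fetched as shown above; the accessor for doing so differs between WSS4J versions and is left out here. The checks are the ones signature verification does not make: the Issuer attribute against the issuer the service trusts, the Conditions validity window against the current time, the presence of an AuthenticationStatement, and its subject NameIdentifier against an allow-list. The sample assertion and the issuer and subject values are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Receiver-side acceptance policy for a SAML 1.x Assertion element (illustration, not WSS4J code). */
public class SamlAssertionPolicy {

    /** SAML 1.0 and 1.1 assertions share this namespace. */
    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    private final String expectedIssuer;
    private final Set<String> allowedSubjects;

    public SamlAssertionPolicy(String expectedIssuer, Set<String> allowedSubjects) {
        this.expectedIssuer = expectedIssuer;
        this.allowedSubjects = allowedSubjects;
    }

    /**
     * Returns null when the assertion is acceptable, otherwise a short reason for rejecting it.
     * Run this only after WSSecurityEngine has verified the signature: these checks cover the
     * assertion's content, about which a valid signature alone says nothing.
     */
    public String rejectReason(Element assertion, Instant now) {
        if (!SAML_NS.equals(assertion.getNamespaceURI()) || !"Assertion".equals(assertion.getLocalName())) {
            return "not a SAML 1.x Assertion element";
        }
        // 1. Issuer: the signature proves who signed, not that the signer is the issuer we trust.
        String issuer = assertion.getAttribute("Issuer");
        if (!expectedIssuer.equals(issuer)) {
            return "unexpected issuer: " + issuer;
        }
        // 2. Validity window: NotBefore <= now < NotOnOrAfter; both attributes are required here.
        Element conditions = firstChild(assertion, "Conditions");
        if (conditions == null || conditions.getAttribute("NotBefore").isEmpty()
                || conditions.getAttribute("NotOnOrAfter").isEmpty()) {
            return "missing Conditions validity window";
        }
        Instant notBefore = Instant.parse(conditions.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(conditions.getAttribute("NotOnOrAfter"));
        if (now.isBefore(notBefore) || !now.isBefore(notOnOrAfter)) {
            return "assertion outside its validity window";
        }
        // 3. Statement type and subject: require an AuthenticationStatement whose NameIdentifier
        //    is on the allow-list; other statement types are ignored rather than trusted.
        Element authn = firstChild(assertion, "AuthenticationStatement");
        if (authn == null) {
            return "no AuthenticationStatement";
        }
        Element subject = firstChild(authn, "Subject");
        Element nameId = subject == null ? null : firstChild(subject, "NameIdentifier");
        if (nameId == null) {
            return "AuthenticationStatement has no subject NameIdentifier";
        }
        String name = nameId.getTextContent().trim();
        if (!allowedSubjects.contains(name)) {
            return "subject not allowed: " + name;
        }
        return null;
    }

    /** First direct child element with the given SAML local name, or null. Direct children only. */
    private static Element firstChild(Element parent, String localName) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && SAML_NS.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    /** Namespace-aware parse with DTDs disabled; in a handler the Element comes from the security header instead. */
    static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample assertion; the ds:Signature is omitted because the engine verified it already.
        String xml = "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" MajorVersion=\"1\" MinorVersion=\"1\""
                + " AssertionID=\"constructed-id-1\" Issuer=\"https://idp.example.test\""
                + " IssueInstant=\"2004-12-27T20:00:00Z\">"
                + "<saml:Conditions NotBefore=\"2004-12-27T20:00:00Z\" NotOnOrAfter=\"2004-12-27T20:05:00Z\"/>"
                + "<saml:AuthenticationStatement AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\""
                + " AuthenticationInstant=\"2004-12-27T20:00:00Z\">"
                + "<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>"
                + "</saml:AuthenticationStatement></saml:Assertion>";
        Element assertion = parseAssertion(xml);

        SamlAssertionPolicy policy = new SamlAssertionPolicy("https://idp.example.test",
                new HashSet<>(Arrays.asList("alice", "bob")));
        // Inside the window with an allowed subject: accepted (prints null).
        System.out.println(policy.rejectReason(assertion, Instant.parse("2004-12-27T20:01:00Z")));
        // Exactly at NotOnOrAfter: rejected, the upper bound is exclusive.
        System.out.println(policy.rejectReason(assertion, Instant.parse("2004-12-27T20:05:00Z")));
        // Same assertion against a policy that does not list "alice": rejected on the subject check.
        SamlAssertionPolicy strict = new SamlAssertionPolicy("https://idp.example.test",
                new HashSet<>(Arrays.asList("bob")));
        System.out.println(strict.rejectReason(assertion, Instant.parse("2004-12-27T20:01:00Z")));
    }
}
```

Returning a reason string rather than a boolean keeps the rejection cause available for the receiver's audit log without changing the accept/reject contract. A service that, as Ashok describes, prefers to pass the assertion through in the message context can still run the issuer and validity checks here and leave only the subject and attribute decision to the endpoint.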
