Posted to rampart-c-dev@ws.apache.org by Supun Kamburugamuva <su...@gmail.com> on 2008/01/03 17:54:42 UTC

Implementation of STR-Transform

Hi,

I'm trying to implement the STR transformation for Rampart. This
transformation is required to sign SAML tokens. I encountered a few
problems with the current infrastructure provided by the
oxs_transform.h and oxs_transformation_factory.h while implementing
this.

In the STR transformation we give the SecurityTokenReference node to
the transformation function as input. Inside of this function we need
to find the actual token referred by this SecurityTokenReference. We
need to access the Security header to find the actual token. But we
can pass only the SecurityTokenReference node to the transformation
function according to the current implementation. But we need to pass
the soap header node as well. So we need to pass two nodes as input.

The opposite of this problem can be seen in the enveloped XML signature
transformation. In the enveloped transformation the transformation
function should return Signature node and the node containing the
signature. So we need to return two nodes.

My suggested solution is to add another oxs_tr_dtype_t
OXS_TRANSFORM_TYPE_NODE_ARRAY_LIST.

Then if it is required to pass or return more than one node we can use
an array list containing the required nodes. The values contained in
the array list will be different according to the transformation.

Regards,
Supun.

Re: Implementation of STR-Transform

Posted by Supun Kamburugamuva <su...@gmail.com>.
> I think this method is a bit of a problem in the STR-Transformation
> case. The STR-Transformation requires access to the whole security
> header for finding the actual token. But since only the transformation
> node (in this case SecurityTokenReference node) is passed to the
> method there is no way we can access the security header from this
> function.
>

I have found a solution to the STR-Transformation case. The solution
is to get the root node of the given node first and then use this root
node to search for the required SAML assertion.

I used the axiom_node_get_parent to find the root node of the node tree.

Regards,
Supun..
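
The root-walk lookup described in the message above, as an added example that is not part of the original thread or of Rampart/C's code. It uses a hypothetical `node_t` in place of the AXIOM node type, and it additionally refuses to resolve a reference when more than one element in the tree carries the referenced id (a check assumed here, not stated in the thread).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for an AXIOM element node; not the Axis2/C type. */
typedef struct node {
    const char *name;   /* local name, e.g. "Assertion" */
    const char *id;     /* id attribute value, or NULL if none */
    struct node *parent, *first_child, *next_sibling;
} node_t;

/* Walk parent links to the top of the tree, the loop the message
 * describes building on axiom_node_get_parent. */
node_t *find_root(node_t *n)
{
    while (n && n->parent)
        n = n->parent;
    return n;
}

/* Depth-first walk: count every element whose id equals `id`
 * and remember the first one seen. */
static void collect(node_t *n, const char *id, node_t **hit, int *count)
{
    for (; n; n = n->next_sibling) {
        if (n->id && strcmp(n->id, id) == 0 && (*count)++ == 0)
            *hit = n;
        collect(n->first_child, id, hit, count);
    }
}

/* Resolve the token a SecurityTokenReference points at, starting from the
 * reference node alone. Returns NULL when the id is missing or ambiguous. */
node_t *resolve_str(node_t *str_node, const char *id)
{
    node_t *root = find_root(str_node), *hit = NULL;
    int count = 0;
    if (!root || !id) return NULL;
    collect(root, id, &hit, &count);
    return count == 1 ? hit : NULL;
}

/* Constructed sample: Envelope > Header > Security > {Assertion, STR}. */
static node_t n_env, n_hdr, n_sec, n_saml, n_str;
node_t *sample_str(void)
{
    n_env  = (node_t){ "Envelope", NULL, NULL, &n_hdr, NULL };
    n_hdr  = (node_t){ "Header", NULL, &n_env, &n_sec, NULL };
    n_sec  = (node_t){ "Security", NULL, &n_hdr, &n_saml, NULL };
    n_saml = (node_t){ "Assertion", "saml-1", &n_sec, NULL, &n_str };
    n_str  = (node_t){ "SecurityTokenReference", NULL, &n_sec, NULL, NULL };
    return &n_str;
}
int main(void) { return resolve_str(sample_str(), "saml-1") ? 0 : 1; }
```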

Re: Implementation of STR-Transform

Posted by Supun Kamburugamuva <su...@gmail.com>.
> Not a problem. That's why we implemented transformations in this way.
> But how would this affect the function oxs_xml_sig_transform_n_digest()
> when we return an array list ?

In the enveloped transformation we can safely use this method. We can
check the id of the transformation if the transformation output type
is OXS_TRANSFORM_TYPE_NODE_ARRAY_LIST. By referencing the id of the
transformation we can determine the content of the returned array list
and act accordingly.

I think this method is a bit of a problem in the STR-Transformation
case. The STR-Transformation requires access to the whole security
header for finding the actual token. But since only the transformation
node (in this case SecurityTokenReference node) is passed to the
method there is no way we can access the security header from this
function.

Regards,
Supun.

Re: Implementation of STR-Transform

Posted by Kaushalye Kapuruge <ka...@wso2.com>.
Supun Kamburugamuva wrote:
> Hi,
>
> I'm trying to implement the STR transformation for Rampart. This
> transformation is required to sign SAML tokens. I encountered a few
> problems with the current infrastructure provided by the
> oxs_transform.h and oxs_transformation_factory.h while implementing
> this.
>
> In the STR transformation we give the SecurityTokenReference node to
> the transformation function as input. Inside of this function we need
> to find the actual token referred by this SecurityTokenReference. We
> need to access the Security header to find the actual token. But we
> can pass only the SecurityTokenReference node to the transformation
> function according to the current implementation. But we need to pass
> the soap header node as well. So we need to pass two nodes as input.
>
> The opposite of this problem can be seen in the enveloped XML signature
> transformation. In the enveloped transformation the transformation
> function should return Signature node and the node containing the
> signature. So we need to return two nodes.
>
> My suggested solution is to add another oxs_tr_dtype_t
> OXS_TRANSFORM_TYPE_NODE_ARRAY_LIST.
>
>   
Not a problem. That's why we implemented transformations in this way.
But how would this affect the function oxs_xml_sig_transform_n_digest()
when we return an array list ?
-Kau
> Then if it is required to pass or return more than one node we can use
> an array list containing the required nodes. The values contained in
> the array list will be different according to the transformation.
>
> Regards,
> Supun.
>
>   


-- 
http://blog.kaushalye.org/
http://wso2.org/