Posted to users@ws.apache.org by PL...@ATP.dk on 2011/09/27 12:29:06 UTC

Possible problem with toDom-method in org.apache.ws.security.saml.ext.OpenSAMLUtil-class

Hello

I'm trying to append a SAML assertion signed by an external STS to my 
Security header.
But when I call the build method in WSSecSignatureSAML I get an NPE. 
The reason for this seems to be that wss4j is trying to sign the 
SAML assertion once more even if it has already been signed. It happens in 
the toDOM() method in the org.apache.ws.security.saml.ext.OpenSAMLUtil class 
(which is always called when calling the build method in WSSecSignatureSAML).
Here is the part in the toDOM() method where the signing is done:
 

// Sign the assertion if the signature element is present.
if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
    org.opensaml.saml2.core.Assertion saml2 =
        (org.opensaml.saml2.core.Assertion) xmlObject;
    // if there is a signature, but it hasn't already been signed
    if (saml2.getSignature() != null) {
        if (log.isDebugEnabled()) {
            log.debug("Signing SAML v2.0 assertion...");
        }
        try {
            Signer.signObject(saml2.getSignature());
        } catch (SignatureException ex) {
            throw new WSSecurityException("Error signing a SAML assertion", ex);
        }
    }
} else if (

But shouldn't there be a call to saml2.isSigned() to check that we are 
not trying to sign an already signed assertion, i.e. 
it should look like this:

    // if there is a signature, but it hasn't already been signed
    if (saml2.getSignature() != null && !saml2.isSigned()) {
        if (log.isDebugEnabled()) {
            log.debug("Signing SAML v2.0 assertion...");
        }
        try {
            Signer.signObject(saml2.getSignature());
        } catch (SignatureException ex) {
            throw new WSSecurityException("Error signing a SAML assertion", ex);
        }
    }
} else if (

The reason why I get the NPE is that it is not possible to call 
Signer.signObject(saml2.getSignature()) above without having a private key. It 
is not possible because it is the STS's private key that should be used, 
and I don't have that key. It shouldn't be necessary either, because I 
cannot see why the assertion should be signed once more if it already is 
signed.


/Pär-Johan Lif

Re: Possible problem with toDom-method in org.apache.ws.security.saml.ext.OpenSAMLUtil-class

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

The WSSecSignatureSAML is used to sign a SAML Assertion. If you're
getting a signed SAML Assertion from an external STS then why not just
append it to the security header directly?

Colm.

On Tue, Sep 27, 2011 at 11:29 AM,  <PL...@atp.dk> wrote:
> Hello
>
> I'm trying to append a SAML assertion signed by an external STS to my
> Security header.
> But when I call the build method in WSSecSignatureSAML I get an NPE.
> The reason for this seems to be that wss4j is trying to sign the
> SAML assertion once more even if it has already been signed. It happens in
> the toDOM() method in the
> org.apache.ws.security.saml.ext.OpenSAMLUtil class (which is always called
> when calling the build method in WSSecSignatureSAML).
> Here is the part in the toDOM() method where the signing is done:
>
>
> // Sign the assertion if the signature element is present.
> if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
>     org.opensaml.saml2.core.Assertion saml2 =
>         (org.opensaml.saml2.core.Assertion) xmlObject;
>     // if there is a signature, but it hasn't already been signed
>     if (saml2.getSignature() != null) {
>         if (log.isDebugEnabled()) {
>             log.debug("Signing SAML v2.0 assertion...");
>         }
>         try {
>             Signer.signObject(saml2.getSignature());
>         } catch (SignatureException ex) {
>             throw new WSSecurityException("Error signing a SAML assertion", ex);
>         }
>     }
> } else if (
>
> But shouldn't there be a call to saml2.isSigned() to check that we are
> not trying to sign an already signed assertion, i.e.
> it should look like this:
>
>     // if there is a signature, but it hasn't already been signed
>     if (saml2.getSignature() != null && !saml2.isSigned()) {
>         if (log.isDebugEnabled()) {
>             log.debug("Signing SAML v2.0 assertion...");
>         }
>         try {
>             Signer.signObject(saml2.getSignature());
>         } catch (SignatureException ex) {
>             throw new WSSecurityException("Error signing a SAML assertion", ex);
>         }
>     }
> } else if (
>
> The reason why I get the NPE is that it is not possible to call
> Signer.signObject(saml2.getSignature()) above without having a private key.
> It is not possible because it is the STS's private key that should be used,
> and I don't have that key. It shouldn't be necessary either, because I
> cannot see why the assertion should be signed once more if it already is
> signed.
>
>
> /Pär-Johan Lif



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
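
A sketch of the approach Colm suggests, appending the STS-issued assertion to wsse:Security without routing it through WSSecSignatureSAML. This is an added example, not code from the thread or from WSS4J; it assumes WSS4J 1.6 (the org.apache.ws.security package, WSSecHeader.insertSecurityHeader and getSecurityHeader), and the envelope and assertion strings in main() are constructed stand-ins whose ds:Signature content is a placeholder rather than a valid signature. The pre-append check only confirms that the element is a saml2:Assertion carrying an enveloped ds:Signature; it does not verify that signature.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.WSSecHeader;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/**
 * Append an already-signed SAML 2.0 assertion from an external STS to the
 * wsse:Security header of a SOAP envelope. Example code, not WSS4J's own;
 * assumes the WSS4J 1.6 API (org.apache.ws.security.*).
 */
public class AppendStsAssertion {

    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Namespace-aware parse with DTD/external entities disabled. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required, or the ds:Signature lookup below fails
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Refuse anything that is not a saml2:Assertion with an enveloped ds:Signature
     * as a direct child. The STS must have signed it; this code never re-signs.
     */
    static void requireSignedSaml2Assertion(Element assertion) throws WSSecurityException {
        if (!SAML2_NS.equals(assertion.getNamespaceURI())
                || !"Assertion".equals(assertion.getLocalName())) {
            throw new WSSecurityException("Not a SAML 2.0 Assertion element");
        }
        boolean hasSignature = false;
        for (Node n = assertion.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && DSIG_NS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                hasSignature = true;
                break;
            }
        }
        if (!hasSignature) {
            throw new WSSecurityException("Assertion from STS carries no ds:Signature");
        }
    }

    /**
     * Import the signed assertion into the envelope document and append it to
     * wsse:Security. Returns the imported element so its ID can be referenced
     * later (e.g. by a message signature made with the caller's own key).
     */
    static Element appendToSecurityHeader(Document envelope, Element signedAssertion)
            throws WSSecurityException {
        requireSignedSaml2Assertion(signedAssertion);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(envelope); // creates wsse:Security if absent
        // Deep import keeps the signed subtree intact; the STS signature is only
        // verifiable by the receiver if nothing inside the assertion is altered.
        Element imported = (Element) envelope.importNode(signedAssertion, true);
        secHeader.getSecurityHeader().appendChild(imported);
        return imported;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; the Signature below is a placeholder only.
        String envelopeXml =
            "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>";
        String assertionXml =
            "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\" ID=\"_a1\" Version=\"2.0\""
            + " IssueInstant=\"2011-09-27T10:29:06Z\">"
            + "<saml2:Issuer>https://sts.example/</saml2:Issuer>"
            + "<ds:Signature xmlns:ds=\"" + DSIG_NS + "\"><ds:SignedInfo/>"
            + "<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
            + "<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>"
            + "</saml2:Assertion>";

        Document envelope = parse(envelopeXml);
        Element assertion = parse(assertionXml).getDocumentElement();
        Element added = appendToSecurityHeader(envelope, assertion);
        System.out.println("Appended " + added.getLocalName() + " ID=" + added.getAttribute("ID")
            + " under " + added.getParentNode().getNodeName());
    }
}
```

Two caveats a practitioner will want alongside this. First, the receiver still has to verify the STS's signature over the assertion against a certificate it trusts; appending the element only transports it. Second, if the assertion should be bound to this particular message, the sender signs the message (and may reference the assertion's ID) with its own key, which is a separate signature from the one the STS already placed inside the assertion, so there is no reason to hold the STS's private key on the client.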