axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hasini Gunasinghe <hasi7...@gmail.com>
Subject Re: How to validate SAML2.0 assertion with axis2
Date Thu, 10 Nov 2011 08:26:40 GMT
Hi,

There is an implementation supporting the validation binding of WS-Trust in
Rampart-Trust module.
AFAIU, it supports the version SAMLV1.1. Please refer to SAMLTokenValidator
at [1] and module.xml of rahas module at [2].
But with TokenValidator interface [3], an extension point is provided to
plug-in any other token validation implementations as well.

[1]
http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenValidator.java
[2]
http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust-mar/module.xml
[3]
http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust/src/main/java/org/apache/rahas/TokenValidator.java

HTH.
Thanks,
Hasini.

On Wed, Nov 9, 2011 at 3:46 PM, Pierre-yves motreff <pymotreff@gmail.com>wrote:

> Hi,
>
> I have developed the server side of a WebService with Axis2. Now I have to
> securise this side with SAML 2.0.
> The client side is developed by an other company, and contains already the
> signed saml assertion (x509 certificate), see an example :
>
> <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion
> http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
> "
> ID="_86bb16eb-3f39-0410-9d53-919a2d5a47b9" Version="2.0"
> IssueInstant="2007-09-03T19:09:56Z">
>   <saml:Issuer>issuer</saml:Issuer>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>       <CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#" />
>       <SignatureMethod Algorithm="
> http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>       <Reference URI="#_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
>         <Transforms>
>           <Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>           <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> />
>         </Transforms>
>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
> />
>         <DigestValue>59QJ/N...zTtwPZIw0=</DigestValue>
>       </Reference>
>     </SignedInfo>
>     <SignatureValue>QKWB9mK...tQnWRFmL78=</SignatureValue>
>     <KeyInfo>
>       <X509Data>
>         <X509Certificate>MIIB2DCCAUG...61mFkJn7/Ng=</X509Certificate>
>         <X509Certificate>MIIB4jCCAUu...GFe7QdEO</X509Certificate>
>         <X509Certificate>MIIB3TCCAUa...BqxwnpnpA==</X509Certificate>
>       </X509Data>
>     </KeyInfo>
>   </Signature>
>   <saml:Subject>
>     <saml:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sourceID</saml:NameID>
>     <saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
>       <saml:SubjectConfirmationData NotOnOrAfter="2007-09-03T20:10:06Z"
> Recipient="recip_id" />
>     </saml:SubjectConfirmation>
>   </saml:Subject>
>   <saml:Conditions NotBefore="2007-09-03T19:09:46Z"
> NotOnOrAfter="2007-09-03T20:10:06Z">
>     <saml:AudienceRestriction>
>       <saml:Audience>http://adresse</saml:Audience>
>     </saml:AudienceRestriction>
>   </saml:Conditions>
>   <saml:AuthnStatement AuthnInstant="2007-09-03T17:44:57Z"
> SessionIndex="_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
>     <saml:AuthnContext>
>
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
>     </saml:AuthnContext>
>   </saml:AuthnStatement>
> ....
>
> I passed a long time on google to find examples of assertion validation,
> but i didn't find anything... I found some example of STS module, but if I
> understand this module delivers an assertion, but my client's request
> contains the assertion alredy ....
> So I have develop my own axis2 module to validate the assertion with
> opensaml library.
> But I want to know if it's possible to do the validation with rampart, for
> me it will be more secure to use a standart implementation than my own
> module.
>
> thanks in advance for your help.
>
> Regards
>

Mime
View raw message