ws-rampart-dev mailing list archives

From Thilina Mahesh Buddhika <thilin...@gmail.com>
Subject Re: Validating SAML2 Assertion signature
Date Thu, 22 Oct 2009 07:16:50 GMT
The SAML2TokenProcessor patch is still not applied, so let's hold on until it
gets applied.

Any better solutions?

thanks.
/thilina

E-Mail         : thilinamb@gmail.com
I blog here : http://thilinamb.com


2009/10/22 Håkon Sagehaug <Hakon.Sagehaug@bccs.uib.no>

> Hi,
>
> No problem in submitting a patch; I need some help in how to do that though,
> mainly how to proceed. I also looked in the svn for wss4j in
> branches/1.5_x_fixes, but could not see the SAML2TokenProcessor; is this
> patch applied?
>
> cheers, Håkon
>
> 2009/10/21 Thilina Mahesh Buddhika <thilinamb@gmail.com>
>
> > Hi,
> >
> > It would be great if you could submit this as a patch to WSS4J. SAML token
> > validation should be further improved on the WSS4J side.
> >
> > Thanks.
> > /thilina
> >
> >
> > E-Mail         : thilinamb@gmail.com
> > I blog here : http://thilinamb.com
> >
> >
> > 2009/10/21 Håkon Sagehaug <Hakon.Sagehaug@bccs.uib.no>
> >
> > > Hi again
> > >
> > > But I used the other way of building the DOM element, using the byte
> > > stream approach, and then the signature validation was successful, so
> > > thanks for the pointer to the patch.
> > >
> > > cheers, Håkon
> > >
> > > 2009/10/21 Håkon Sagehaug <Hakon.Sagehaug@bccs.uib.no>
> > >
> > > > Hi Nandana,
> > > >
> > > > As far as I can see from the patch, and as also stated in the comment
> > > > for SAML2TokenProcessor#buildAssertion:
> > > >
> > > > "At the moment it only validates by building an assertion similar to
> > > > the SAMLTokenProcessor"
> > > >
> > > > it is not validating the actual signature of the assertion, so the
> > > > building-token part is okay, but not the signature validation. But
> > > > maybe this issue has been dealt with? Also, using SAML 1 I had to
> > > > validate the signature in my application, because the wss4j
> > > > SAMLProcessor for SAML 1 only builds it and makes it available through
> > > > the WSSecurityEngineResult object.
> > > >
> > > > cheers, Håkon
> > > >
> > > >
> > > > 2009/10/21 Nandana Mihindukulasooriya <nandana.cse@gmail.com>
> > > >
> > > >> Hi Håkon,
> > > >>        Did you take a look at the patch [1]? It is not yet applied to
> > > >> WSS4J trunk but I think it will be useful for you.
> > > >>
> > > >> regards,
> > > >> Nandana
> > > >>
> > > >> [1] - https://issues.apache.org/jira/browse/WSS-204
> > > >>
> > > >> 2009/10/21 Håkon Sagehaug <Hakon.Sagehaug@bccs.uib.no>
> > > >>
> > > >> > Hi all,
> > > >> >
> > > >> > I've tried using rampart 1.5 and made an STS service that issues a
> > > >> > SAML2 assertion, so now I want to try to validate the signature, but
> > > >> > I'm facing problems doing that. My STS service is the same as the one
> > > >> > provided by the distribution. I've looked at the openSAML list and
> > > >> > documentation, and my signature validation code looks like this:
> > > >> >
> > > >> > import java.io.FileInputStream;
> > > >> > import java.io.InputStream;
> > > >> > import java.security.KeyStore;
> > > >> > import java.security.cert.X509Certificate;
> > > >> > import org.opensaml.saml2.core.Assertion;
> > > >> > import org.opensaml.security.SAMLSignatureProfileValidator;
> > > >> > import org.opensaml.xml.security.x509.BasicX509Credential;
> > > >> > import org.opensaml.xml.signature.SignatureValidator;
> > > >> >
> > > >> > // 'ass' is the Assertion unmarshalled from the Rahas token (conversion below);
> > > >> > // the enclosing method is declared to throw the checked exceptions.
> > > >> > KeyStore ks = KeyStore.getInstance("JKS");
> > > >> > InputStream is = new FileInputStream("resource/service.jks");
> > > >> > try {
> > > >> >     ks.load(is, "pass".toCharArray());
> > > >> > } finally {
> > > >> >     is.close();
> > > >> > }
> > > >> >
> > > >> > // certificate whose public key is expected to have signed the assertion
> > > >> > KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks.getEntry(
> > > >> >     "alias", new KeyStore.PasswordProtection("pass".toCharArray()));
> > > >> > X509Certificate cert = (X509Certificate) pkEntry.getCertificate();
> > > >> >
> > > >> > BasicX509Credential x509Credential = new BasicX509Credential();
> > > >> > x509Credential.setEntityCertificate(cert);
> > > >> > x509Credential.getEntityCertificateChain().add(cert);
> > > >> >
> > > >> > // profile check: enveloped signature whose Reference points at the assertion ID
> > > >> > SAMLSignatureProfileValidator signProfileValidator = new SAMLSignatureProfileValidator();
> > > >> > signProfileValidator.validate(ass.getSignature());
> > > >> >
> > > >> > // cryptographic check; throws ValidationException if it fails
> > > >> > SignatureValidator signValidator = new SignatureValidator(x509Credential);
> > > >> > signValidator.validate(ass.getSignature());
> > > >> >
> > > >> > But I always get
> > > >> >
> > > >> > org.opensaml.xml.validation.ValidationException: Signature did not
> > > >> > validate against the credential's key
> > > >> >
> > > >> > I do the conversion from org.apache.rahas.Token to SAML Assertion
> > > >> > like this:
> > > >> >
> > > >> > import javax.xml.transform.Transformer;
> > > >> > import javax.xml.transform.TransformerConfigurationException;
> > > >> > import javax.xml.transform.TransformerException;
> > > >> > import javax.xml.transform.TransformerFactory;
> > > >> > import javax.xml.transform.dom.DOMResult;
> > > >> > import org.apache.axiom.om.impl.jaxp.OMSource;
> > > >> > import org.opensaml.saml2.core.Assertion;
> > > >> > import org.opensaml.xml.Configuration;
> > > >> > import org.opensaml.xml.io.Unmarshaller;
> > > >> > import org.opensaml.xml.io.UnmarshallerFactory;
> > > >> > import org.w3c.dom.Document;
> > > >> > import org.w3c.dom.Element;
> > > >> >
> > > >> > // responseToken is the org.apache.rahas.Token returned by the STS client
> > > >> > OMSource source = new OMSource(responseToken.getToken());
> > > >> > Element assercioSAMLDOM = null;
> > > >> > TransformerFactory transFac = TransformerFactory.newInstance();
> > > >> >
> > > >> > try {
> > > >> >     // identity transform from the Axiom tree into a fresh DOM document
> > > >> >     Transformer transformer = transFac.newTransformer();
> > > >> >     DOMResult result = new DOMResult();
> > > >> >     transformer.transform(source, result);
> > > >> >     assercioSAMLDOM = ((Document) result.getNode()).getDocumentElement();
> > > >> > } catch (TransformerConfigurationException e2) {
> > > >> >     e2.printStackTrace();
> > > >> > } catch (TransformerException e) {
> > > >> >     e.printStackTrace();
> > > >> > }
> > > >> >
> > > >> > // build the OpenSAML object model from the DOM element
> > > >> > UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
> > > >> > Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(Assertion.DEFAULT_ELEMENT_NAME);
> > > >> > Assertion ass = (Assertion) unmarshaller.unmarshall(assercioSAMLDOM);
> > > >> >
> > > >> >
> > > >> > I've seen on the SAML list that often these errors are due to
> > > >> > conversion from one XML model to another (token to SAML Assertion).
> > > >> >
> > > >> > So my question is: I looked in the rampart svn for validation code
> > > >> > for SAML 2 tokens, but could not find anything; has anyone tried
> > > >> > this? Also, is the conversion from the rahas token to a DOM element
> > > >> > correct? I managed to validate signatures when validating the SAML 1
> > > >> > token issued, but not now.
> > > >> >
> > > >> >
> > > >> > cheers, Håkon
> > > >> >
> > > >> > --
> > > >> > Håkon Sagehaug, Scientific Programmer
> > > >> > Parallab, Bergen Center for Computational Science (BCCS)
> > > >> > UNIFOB AS (University of Bergen Research Company)
> > > >> >
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Nandana Mihindukulasooriya
> > > >> WSO2 inc.
> > > >>
> > > >> http://nandana.org/
> > > >> http://www.wso2.org
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Håkon Sagehaug, Scientific Programmer
> > > > Parallab, Bergen Center for Computational Science (BCCS)
> > > > UNIFOB AS (University of Bergen Research Company)
> > > >
> > >
> > >
> > >
> > > --
> > > Håkon Sagehaug, Scientific Programmer
> > > Parallab, Bergen Center for Computational Science (BCCS)
> > > UNIFOB AS (University of Bergen Research Company)
> > >
> >
>
>
>
> --
> Håkon Sagehaug, Scientific Programmer
> Parallab, Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
>
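The thread says that switching from the Transformer/DOMResult conversion to a "byte stream approach" made the signature verify, but nobody posted that version. The following is an added example, not code from the thread, from Rampart/Rahas or from OpenSAML: it serializes the Rahas token element to bytes and re-parses it with a namespace-aware parser (an identity transform into a new DOM can alter namespace declarations or whitespace, so the canonicalized bytes no longer match the digest in the signature), then runs the same profile and signature validators as the posted snippet and adds the Issuer, NotBefore/NotOnOrAfter and Audience checks a relying party still needs after the key check passes. Assumed: OpenSAML 2.x and Axiom 1.2.x APIs, the keystore path resource/service.jks, password "pass" and alias "alias" from the thread, and the issuer and audience strings, which are placeholders for your deployment. Note that the verifier only needs the STS certificate, not its private key entry, and that "Signature did not validate against the credential's key" is also what you get when the alias loaded is simply not the key the STS signs with.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.apache.axiom.om.OMElement;
import org.apache.rahas.Token;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Relying-party checks for a SAML 2.0 assertion obtained from a Rampart/Rahas STS.
 * Added example, not project code. Assumed: OpenSAML 2.x, Axiom 1.2.x, and a JKS at
 * resource/service.jks holding the STS certificate under "alias" (names from the thread).
 */
public class Saml2AssertionChecker {

    private final BasicX509Credential issuerCredential;
    private final String expectedIssuer;    // assumed: the Issuer value the STS writes
    private final String expectedAudience;  // assumed: this service's own identifier

    public Saml2AssertionChecker(X509Certificate issuerCert, String expectedIssuer, String expectedAudience) {
        // Only the issuer's public certificate is needed to verify a signature;
        // the relying party should not hold the STS private key.
        issuerCredential = new BasicX509Credential();
        issuerCredential.setEntityCertificate(issuerCert);
        this.expectedIssuer = expectedIssuer;
        this.expectedAudience = expectedAudience;
    }

    /**
     * Byte-stream conversion: serialize the Axiom element as received and re-parse it
     * namespace-aware, so the DOM the signature is verified over is byte-for-byte what
     * the STS signed (an identity Transformer into a DOMResult may rewrite it).
     */
    public static Assertion toAssertion(OMElement tokenElement) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        tokenElement.serialize(bytes);
        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);
        Document doc = parser.parse(new ByteArrayInputStream(bytes.toByteArray()));
        Element root = doc.getDocumentElement();
        return (Assertion) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }

    /** Signature check plus the issuer, validity-window and audience conditions. */
    public void validate(Assertion assertion, DateTime now) throws ValidationException {
        if (!assertion.isSigned() || assertion.getSignature() == null) {
            throw new ValidationException("assertion is not signed");
        }
        // Rejects signatures that do not reference the assertion itself (enveloped, by ID)
        new SAMLSignatureProfileValidator().validate(assertion.getSignature());
        // Cryptographic verification against the trusted issuer certificate
        new SignatureValidator(issuerCredential).validate(assertion.getSignature());

        if (assertion.getIssuer() == null || !expectedIssuer.equals(assertion.getIssuer().getValue())) {
            throw new ValidationException("unexpected Issuer");
        }
        Conditions cond = assertion.getConditions();
        if (cond == null) {
            throw new ValidationException("assertion carries no Conditions");
        }
        if (cond.getNotBefore() != null && now.isBefore(cond.getNotBefore())) {
            throw new ValidationException("assertion not yet valid");
        }
        if (cond.getNotOnOrAfter() != null && !now.isBefore(cond.getNotOnOrAfter())) {
            throw new ValidationException("assertion expired");
        }
        boolean audienceMatches = false;
        for (AudienceRestriction ar : cond.getAudienceRestrictions()) {
            for (Audience a : ar.getAudiences()) {
                if (expectedAudience.equals(a.getAudienceURI())) {
                    audienceMatches = true;
                }
            }
        }
        if (!audienceMatches) {
            throw new ValidationException("assertion not addressed to this service");
        }
    }

    /** Glue for a Token returned by the Rahas STS client; bootstrap once per JVM. */
    public static void checkRahasToken(Token responseToken, String issuer, String audience) throws Exception {
        DefaultBootstrap.bootstrap();
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream("resource/service.jks");
        try {
            ks.load(in, "pass".toCharArray());
        } finally {
            in.close();
        }
        X509Certificate issuerCert = (X509Certificate) ks.getCertificate("alias");
        Assertion assertion = toAssertion(responseToken.getToken());
        new Saml2AssertionChecker(issuerCert, issuer, audience).validate(assertion, new DateTime());
    }
}
```

If the byte-stream path still fails with the same ValidationException, compare the certificate at "alias" with the one the STS actually signs with before suspecting the XML handling; the signature validator can only tell you that this key did not produce this signature.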
