ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Edson Camargo <cama...@das.ufsc.br>
Subject What the solution about last email: "using signed SAML tokens from a third party" ?
Date Wed, 09 Nov 2005 00:23:08 GMT
Hi All,

I would know if was found a solution for this email, sent by David 
Keppler, in 16 Aug 2004:
---------------------------------------------------------------------------------------------------------------
"Hi all,

I'm having a problem using the SAML token functionality of wss4j. My 
overall application requires the web service to consume a SAML token 
originating from and signed by a third-party authorization server.

I've written a custom extension of the SAMLIssuerImpl class that obtains 
a signed SAML token from that out-of-band server and tries to send it 
along as a security token in a WSS header to the end-point service. I'm 
using the SAMLTokenUnsigned action to send the token as having the 
client of the service sign the token is meaningless in my security model.

When my service client goes through it's invoke() everything works fine 
up until the point at the end of WSDoAllSender.invoke() where 
XMLUtils.outputDOM() is called. At this point I get a null pointer 
exception from somewhere very deep in xmlsec's canonicalization routine.

This happens only when I try to send a SAML token that already has an 
xmlsec signature attached to it from the auth server. If I strip this 
signature out before sending the request, everything works fine.

Unfortunately, stripping the signature out pretty much defeats the 
purpose of using the token as a security measure in the first place. I 
understand the SAML support in wss4j so far is very preliminary, but 
does anyone have a suggested work-around?"
-----------------------------------------------------------------------------------------------

The difference is that I receive a SAMLToken issued by a STS, but I 
found the same problem when use the

WSSAddSAMLToken builder = new WSSAddSAMLToken();
Document tokendoc = builder.build(doc,samlToken);  // *samltoken *is 
signed by a third party

I am using  the xmlsec-1.2.96-dev.jar.

Please, someone could help me?

Thanks in advance,

Edson
Master Degree Student
LCMI / DAS / UFSC
88.040-900 - Brazil - Florianópolis - SC
http://www.das.ufsc.br



---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Mime
View raw message