All,

For those who are interested, I have found a way to include the "obtained" SAML token in the created Security header (<wsse:Security>) of the SOAP message.

I used Axis2 AXIOM API methods to insert the Security header with the correct namespace. Upon creating the security header, we just need to add the obtained SAML token. Importantly, this approach will completely BYPASS Rampart module engagement with the Axis2 client. Attached is the code snippet that goes into the WSDL2Java generated stub class method toEnvelope(org.apache.axiom.soap.SOAPFactory factory, .. , ...).

=======================================================

    try {
        // get SAML assertion token
        String assertion = getAssertion();

        org.apache.axiom.soap.SOAPEnvelope emptyEnvelope = factory.getDefaultEnvelope();

        org.apache.axiom.om.OMNamespace ns = factory.createOMNamespace(
                "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
                "wsse");
        org.apache.axiom.soap.SOAPHeaderBlock soapHeaderBlock =
                factory.createSOAPHeaderBlock("Security", ns);

        // set the SAML assertion token in the SOAP Header block
        soapHeaderBlock.setText(assertion);

        // add the Header block to the header
        emptyEnvelope.getHeader().addChild(soapHeaderBlock);

        // add the relevant body to the envelope
        emptyEnvelope.getBody().addChild(...);

        return emptyEnvelope;
    } catch (org.apache.axis2.databinding.ADBException e) {
        throw org.apache.axis2.AxisFault.makeFault(e);
    }

As a result, we will get the following SOAP header message:

    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <Assertion ...>....</Assertion>
        </wsse:Security>
    </soapenv:Header>

============================================================

DISCLAIMER: When the SOAP message was intercepted (by setting log4j.logger.httpclient.wire.header = DEBUG in the log4j.properties file), I found out that the "<" and ">" chars of the Assertion string were being encoded to the corresponding "&lt;" and "&gt;". If anyone has suggestions to pass the Assertion string correctly (without encoding), please share your thoughts...

Thanks,
Seshi Patibanda

On Tue, Jan 27, 2009 at 12:21 PM, Seshi Patibanda <seshi...@gmail.com> wrote:

> Hello all,
>
> As per the thread seen on markmail.org
> (http://markmail.org/thread/iq4j6x7g247wi75x), there was an update from
> Ruchith Fernando dated Nov 4, 2007 about the ways to include the obtained
> SAML token in the Security header.
>
> First option was given as:
>
> " By creating a wsse:Security header element and adding the token element
> into the header. Rampart processing down the line will re-use this header. "
>
> Could anyone please expand on how to implement this option using Apache
> Rampart 1.4?
>
> At my end, I have problems inserting an obtained SAML token in the Security
> header of my SOAP request. I have sent an email to the
> axis-u...@ws.apache.org mailing list requesting feedback but haven't received
> any yet. All I need to do is just pass the retrieved SAML token to the
> remote web service (SSL-enabled) via SOAP header in the request.
>
> My configuration:
> Deployed Apache Rampart 1.4 module correctly as per the samples. Using
> Axis2 1.4 client and stubs generated by WSDL2Java tool. Based on my
> configuration, would policy based approach work? If so, does anyone have any
> sample Transport-level security policies to implement the SAML passing?
>
> Any feedback/suggestion is highly appreciated.
>
> Thanks,
>
> Seshi Patibanda
> seshi...@gmail.com
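
An added example, not part of the original message or of the Axis2/Rampart code base: the escaping reported in the DISCLAIMER above follows from setText(), which stores the assertion as a text node, so the sketch below parses the string with AXIOM's AXIOMUtil.stringToOM() and attaches it to the wsse:Security header as a child element. The class name SamlHeaderExample, the method withAssertion() and the sample assertion are assumptions made for illustration.

```java
import javax.xml.stream.XMLStreamException;

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.util.AXIOMUtil;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPFactory;
import org.apache.axiom.soap.SOAPHeaderBlock;

// Hypothetical helper class; not part of Axis2, Rampart or the generated stub.
public class SamlHeaderExample {

    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Builds an envelope whose wsse:Security header carries the assertion as XML.
    static SOAPEnvelope withAssertion(SOAPFactory factory, String assertionXml)
            throws XMLStreamException {
        SOAPEnvelope envelope = factory.getDefaultEnvelope();
        OMNamespace wsse = factory.createOMNamespace(WSSE_NS, "wsse");
        SOAPHeaderBlock security = factory.createSOAPHeaderBlock("Security", wsse);

        // Parse the string into an element tree. A malformed assertion fails
        // here with XMLStreamException instead of being sent as escaped text.
        OMElement assertion = AXIOMUtil.stringToOM(assertionXml);
        if (!"Assertion".equals(assertion.getLocalName())) {
            throw new IllegalArgumentException("root element is not an Assertion");
        }

        // addChild() attaches the element node; setText() would create a text
        // node, which the serializer escapes as &lt;Assertion ...&gt;.
        security.addChild(assertion);
        envelope.getHeader().addChild(security);
        return envelope;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample assertion, for illustration only.
        String sample = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
            + " ID=\"_example\"><saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>";
        String xml = withAssertion(OMAbstractFactory.getSOAP11Factory(), sample).toString();
        System.out.println(xml);
        if (xml.contains("&lt;")) {
            throw new IllegalStateException("assertion was escaped");
        }
    }
}
```

Inside the generated stub's toEnvelope(...), the same two calls (stringToOM() followed by addChild()) would take the place of soapHeaderBlock.setText(assertion).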