Hello Masi,

Thank you for the pointer. As the setText() method is encoding the "<" and ">" chars in the SOAP header, I have used the following code to get it working. Also, as my SAML assertion is being passed as a String, I have to use the org.apache.axiom.om.impl.llom.util.AXIOMUtil.stringToOM() method to create the OMElement.

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.llom.util.AXIOMUtil;

private OMElement createSecurityHeader( String securityAssertion ) throws Exception
{
    OMFactory fac = OMAbstractFactory.getOMFactory();
    // <wsse:Security> element; NameSpaceUtils.WSSE_SECURITY_NS is the constant from the quoted example below
    OMNamespace wsseNs = fac.createOMNamespace( NameSpaceUtils.WSSE_SECURITY_NS, "wsse" );
    OMElement wsseSecurityHeaderOM = fac.createOMElement( "Security", wsseNs );
    // Parse the assertion string into an element so that it is added as XML, not as escaped text
    OMElement omAssertionElement = AXIOMUtil.stringToOM(securityAssertion);
    wsseSecurityHeaderOM.addChild( omAssertionElement );
    return wsseSecurityHeaderOM;
}

In the toEnvelope() method of the stub class:

    String assertion = getAssertion();
    OMElement securityHeaderElement = createSecurityHeader(assertion);
    emptyEnvelope.getHeader().addChild(securityHeaderElement);
    ....

Now I do not see the "<" and ">" chars being encoded in the Security header block. So far so good.

Thanks,
Seshi Patibanda

On Thu, Jan 29, 2009 at 4:51 PM, Massimiliano Masi <m...@math.unifi.it> wrote:

> Seshi,
>
> I think you don't have to use the setText.
>
> I was using something like:
>
>     /**
>      * Create a new fresh security header with WSSE 1.1 and Security as localName
>      * @param securityAssertion
>      * @return
>      * @throws Exception
>      */
>     private Element createSecurityHeader( Element securityAssertion ) throws Exception
>     {
>         OMFactory fac = OMAbstractFactory.getOMFactory();
>         OMNamespace wsseNs = fac.createOMNamespace( NameSpaceUtils.WSSE_SECURITY_NS, "wsse" );
>         OMElement wsseSecurityHeaderOM = fac.createOMElement( "Security", wsseNs );
>         OMElement securityAssertionOM = XMLUtils.toOM( securityAssertion );
>         wsseSecurityHeaderOM.addChild( securityAssertionOM );
>         return XMLUtils.toDOM( wsseSecurityHeaderOM );
>     }
>
> But it's not clean and correct. Simply use the addChild method.
>
> I'm searching on how to produce a SecurityPolicy for including it.
>
> Quoting Seshi Patibanda <seshi...@gmail.com>:
>
> All,
>>
>> For those who are interested, I have found a way to include the "obtained"
>> SAML token in the created Security header (<wsse:Security>) of the SOAP
>> message.
>>
>> Used Axis2 AXIOM API methods to insert the Security header with the correct
>> namespace. Upon creating the security header, we just need to add the
>> obtained SAML token.
>>
>> Importantly, this approach will completely BYPASS Rampart module engagement
>> with Axis2 client.
>>
>> Attached is the code snippet that goes into the WSDL2Java generated stub
>> class method toEnvelope(org.apache.axiom.soap.SOAPFactory factory, .. , ...).
>> =======================================================
>> try {
>>
>>     //get SAML assertion token
>>     String assertion = getAssertion();
>>
>>     org.apache.axiom.soap.SOAPEnvelope emptyEnvelope =
>>         factory.getDefaultEnvelope();
>>
>>     OMNamespace ns = factory.createOMNamespace(
>>         "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
>>         "wsse");
>>
>>     org.apache.axiom.soap.SOAPHeaderBlock soapHeaderBlock =
>>         factory.createSOAPHeaderBlock("Security", ns);
>>
>>     //set the SAML assertion token in the SOAP Header block
>>     soapHeaderBlock.setText(assertion);
>>
>>     //add the Header block to the header
>>     emptyEnvelope.getHeader().addChild(soapHeaderBlock);
>>
>>     //add the relevant body to the envelope
>>     emptyEnvelope.getBody().addChild(...);
>>
>>     return emptyEnvelope;
>>
>> } catch (org.apache.axis2.databinding.ADBException e) {
>>     throw org.apache.axis2.AxisFault.makeFault(e);
>> }
>>
>> As a result, we will get the following SOAP header message:
>>
>> <soapenv:Header>
>>   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>     <Assertion ...>....</Assertion>
>>   </wsse:Security>
>> </soapenv:Header>
>>
>> ============================================================
>>
>> DISCLAIMER: When the SOAP message was intercepted (by setting
>> log4j.logger.httpclient.wire.header = DEBUG in the log4j.properties file),
>> found out that the "<" and ">" chars of the Assertion string were being
>> encoded to the corresponding "&lt;" and "&gt;".
>>
>> If anyone has suggestions to pass the Assertion string correctly (without
>> encoding), please share your thoughts...
>>
>> Thanks,
>>
>> Seshi Patibanda
>>
>> On Tue, Jan 27, 2009 at 12:21 PM, Seshi Patibanda <seshi...@gmail.com> wrote:
>>
>> Hello all,
>>>
>>> As per the thread seen on markmail.org
>>> (http://markmail.org/thread/iq4j6x7g247wi75x), there was an update from
>>> Ruchith Fernando dated Nov 4, 2007 about the ways to include the obtained
>>> SAML token in the Security header.
>>>
>>> First option was given as:
>>>
>>> " By creating a wsse:Security header element and adding the token element
>>> into the header. Rampart processing down the line will re-use this
>>> header. "
>>>
>>> Could anyone please expand on how to implement this option using Apache
>>> Rampart 1.4?
>>>
>>> At my end, I have problems inserting an obtained SAML token in the Security
>>> header of my SOAP request. I have sent an email to axis-u...@ws.apache.org
>>> mailing list requesting feedback but haven't received any yet. All I need to
>>> do is just pass the retrieved SAML token to the remote web service
>>> (SSL-enabled) via SOAP header in the request.
>>>
>>> My configuration:
>>> Deployed Apache Rampart 1.4 module correctly as per the samples. Using
>>> Axis2 1.4 client and stubs generated by WSDL2Java tool. Based on my
>>> configuration, would policy based approach work? If so, does anyone have any
>>> sample Transport-level security policies to implement the SAML passing?
>>>
>>> Any feedback/suggestion is highly appreciated.
>>>
>>> Thanks,
>>>
>>> Seshi Patibanda
>>> seshi...@gmail.com
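
The difference between the two attempts in this thread, as an added example (not code from either poster): setText() stores the token as character data, which the serializer escapes, while stringToOM() plus addChild() attaches it as a real element. The class name, the sample token and the SAML 1.1 namespace check are assumptions made for the illustration.

```java
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.llom.util.AXIOMUtil; // package named in the thread (Axiom 1.2.x)

public class SecurityHeaderDemo {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Assumption: a SAML 1.1 assertion; the thread does not say which SAML version is used.
    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    // Constructed sample, not a real token.
    static final String SAMPLE =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" AssertionID=\"_example\"/>";

    static OMElement newSecurityHeader() {
        OMFactory fac = OMAbstractFactory.getOMFactory();
        OMNamespace wsse = fac.createOMNamespace(WSSE_NS, "wsse");
        return fac.createOMElement("Security", wsse);
    }

    // First attempt in the thread: the token becomes a text node, so its markup is escaped.
    static OMElement asText(String assertion) {
        OMElement sec = newSecurityHeader();
        sec.setText(assertion);
        return sec;
    }

    // Working approach: parse the token and attach it as a child element.
    static OMElement asChild(String assertion) throws Exception {
        OMElement sec = newSecurityHeader();
        OMElement token = AXIOMUtil.stringToOM(assertion);
        // Refuse anything whose root is not an Assertion in the expected namespace.
        if (!new QName(SAML_NS, "Assertion").equals(token.getQName())) {
            throw new IllegalArgumentException("not a SAML assertion: " + token.getQName());
        }
        sec.addChild(token);
        return sec;
    }

    public static void main(String[] args) throws Exception {
        OMElement text = asText(SAMPLE);
        OMElement child = asChild(SAMPLE);
        System.out.println("setText : " + text);
        System.out.println("addChild: " + child);
        // A receiver looks for an Assertion element; only the second header contains one.
        System.out.println("setText  has element child: " + (text.getFirstElement() != null));
        System.out.println("addChild has element child: " + (child.getFirstElement() != null));
    }
}
```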