What are the weird errors you were getting with the WSS4J xmlsec.jar? I tried both v1.1 and v1.2 of xmlsec.jar (in both OpenSAML and WSS4J) but I keep getting
org.opensaml.InvalidCryptoException: SAMLSignedObject.verify() failed to validate signature value
on Z when I would expect the signature verification to succeed. Could there be a reason for this other than the client (A or B) corrupting the integrity of the signature?
Thanks,
Rami Jaamour
Software Engineer, Web Services Solutions
Parasoft Corporation
"We Make Software Work"
David Keppler wrote:
I did about this same thing a few weeks back. From my experience with it, it sounds like you'd want to use SAMLTokenUnsigned action directive for wss4j on both the client and server. Then create instantiations of the org.apache.ws.security.saml.SAMLIssuer class that do the communications with the B and Z servers. Set the org.apache.ws.security.saml.issuerClass properties in the saml.properties files on the client and service to use those two SAMLIssuer derived classes.
Another caveat, if you get weird errors when sending assertions that are signed by B and Z, try using the v1.1 release version of the xmlsec.jar. The one in the wss4j cvs lib directory wouldn't work for me.
-Dave
Ashok Shah wrote:
Hello Everybody,
I am trying to use WSS4J to support multiple security mechanisms in our SOAP-based protocol. I have tried using the SAML profile in WSS4J but am confused about which profile to use. Here are my requirements: I have a client called "A", the client has a Local Attribute Authority called "B", a server called "S" and the server's Local Attribute Authority "Z". "A" wants to send a request to "S", but has to go to "B" to get its attributes, as a SAMLAssertion, which would be signed by "B". "A" gets those signed attributes from "B" and attaches them to the SOAP security header. "S" gets the request, and has to send the attributes in the SOAP request header to "Z" to verify the signature as well as the attributes.
I have tried to use the SAMLSigned, SAMLUnsigned etc. profiles, but was confused about which one to use as I don't know which profile would support my requirements. If I use SAMLSigned, I need to specify the signature authority's details in the property file, which I won't have. Also, it attaches the signature differently than SignedAttributes. Appreciate any help.
Thanks,
Ashok.
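The following is an added example, written for this page and not code from the thread or from the WSS4J project, of the arrangement Dave describes: a custom org.apache.ws.security.saml.SAMLIssuer that, instead of minting and signing an assertion locally, hands WSS4J's SAMLTokenUnsigned action the assertion that attribute authority "B" already signed, plus the check that "Z" (or anyone holding B's certificate) performs on the receiving side. Assumptions: the method set is the SAMLIssuer interface of WSS4J 1.x as it exists in the 1.5 releases (the version in use on this thread may differ slightly); the call to B is application-specific, so the hypothetical fetchFromB() reads B's signed assertion from a file named by a b.assertion.file system property as a stand-in; the class name AttributeAuthorityIssuer is invented. The verification helper passes B's public key explicitly so that the check does not depend on whatever KeyInfo is embedded in the assertion, and it is worth noting for the InvalidCryptoException above that an XML signature only verifies over the bytes that were signed: re-parsing and re-serialising the assertion through a non-canonical path between A, S and Z can alter whitespace or namespace declarations and fail verification without any party having tampered with it.

```java
package example;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.saml.SAMLIssuer;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.w3c.dom.Document;

/**
 * Client-side issuer for WSS4J's SAMLTokenUnsigned action (hypothetical class
 * name). WSS4J instantiates the class named by
 * org.apache.ws.security.saml.issuerClass in saml.properties and calls
 * newAssertion() while building the wsse:Security header. The assertion
 * returned here was signed by the attribute authority "B"; the client does not
 * sign anything itself, which is why SAMLTokenUnsigned (not SAMLTokenSigned)
 * is the right action.
 */
public class AttributeAuthorityIssuer implements SAMLIssuer {

    private String username;
    private Crypto userCrypto;
    private Document instanceDoc;

    public SAMLAssertion newAssertion() {
        InputStream in = null;
        try {
            // Parse B's response straight from the bytes B sent. Do not
            // round-trip it through a DOM pretty-printer first: the signature
            // covers the serialised form, so any change breaks verification.
            in = fetchFromB(username);
            SAMLAssertion assertion = new SAMLAssertion(in);
            if (!assertion.isSigned()) {
                throw new IllegalStateException("B returned an unsigned assertion");
            }
            return assertion;
        } catch (Exception e) {
            // SAMLIssuer.newAssertion() declares no checked exceptions.
            throw new RuntimeException("could not obtain attribute assertion from B", e);
        } finally {
            if (in != null) {
                try { in.close(); } catch (Exception ignored) { }
            }
        }
    }

    /**
     * ASSUMPTION: stand-in for the application-specific call to B. A real
     * implementation would contact B over whatever protocol B speaks and return
     * its response body unmodified; here the signed assertion is read from a
     * file so the class can be exercised without a live B.
     */
    private InputStream fetchFromB(String subject) throws Exception {
        String path = System.getProperty("b.assertion.file");
        if (path == null) {
            throw new IllegalStateException("b.assertion.file not set for subject " + subject);
        }
        return new FileInputStream(path);
    }

    // Plumbing WSS4J calls before newAssertion().
    public void setUsername(String username) { this.username = username; }
    public void setUserCrypto(Crypto userCrypto) { this.userCrypto = userCrypto; }
    public void setInstanceDoc(Document instanceDoc) { this.instanceDoc = instanceDoc; }
    public Crypto getUserCrypto() { return userCrypto; }

    // No local issuer key: B signs, not the client. These are only consulted
    // by the SAMLTokenSigned path, which this setup does not use.
    public Crypto getIssuerCrypto() { return null; }
    public String getIssuerKeyName() { return null; }
    public String getIssuerKeyPassword() { return null; }
    public boolean isSenderVouches() { return true; }

    /**
     * Receiver-side check, run by Z (or by S if it holds B's certificate) on
     * the assertion WSS4J extracted from the incoming Security header.
     * Verifying against B's known public key instead of the embedded KeyInfo
     * means an attacker who re-signs the assertion with their own key and
     * embeds their own certificate does not pass. Returns false on
     * InvalidCryptoException (a SAMLException) rather than throwing.
     */
    public static boolean verifyIssuedByB(SAMLAssertion assertion, X509Certificate bCert) {
        try {
            PublicKey key = bCert.getPublicKey();
            assertion.verify(key);
            return true;
        } catch (SAMLException e) {
            return false;
        }
    }

    /** Loads B's DER- or PEM-encoded X.509 certificate from a trusted local path. */
    public static X509Certificate loadCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }
}
```

To wire it in on the client, saml.properties points WSS4J at the class with org.apache.ws.security.saml.issuerClass=example.AttributeAuthorityIssuer and the handler's action is SAMLTokenUnsigned; the server side also uses SAMLTokenUnsigned so WSS4J merely parses the token, and the application then passes the extracted SAMLAssertion and B's certificate to verifyIssuedByB() (or forwards the assertion to Z to do the same). If verification fails here while B's own check passes, compare the bytes Z receives with the bytes B emitted before suspecting the signature itself.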
