Hi Nandana,

As far as I see from the patch, and also as stated in the comment for SAML2TokenProcessor#buildAssertion:

"At the moment it only validates by building an assertion similar to the SAMLTokenProcessor"

It is not validating the actual signature for the assertion, so the token-building part is okay, but it is not validating the signature. But maybe this issue has been dealt with? Also, using SAML 1 I had to validate the signature in my application, because the wss4j SAMLProcessor for SAML 1 only builds it and makes it available through the WSSecurityEngineResult object.

cheers, Håkon

2009/10/21 Nandana Mihindukulasooriya <[email protected]>

> Hi Håkon,
>
> Did you take a look at the patch [1]? It is not yet applied to WSS4J
> trunk, but I think it will be useful for you.
>
> regards,
> Nandana
>
> [1] - https://issues.apache.org/jira/browse/WSS-204
>
> 2009/10/21 Håkon Sagehaug <[email protected]>
>
> > Hi all,
> >
> > I've tried using rampart 1.5 and made an sts service that issues a
> > SAML2 assertion, so now I want to try to validate the signature. But I'm
> > facing problems doing that. My sts service is the same as the one
> > provided by the distribution. I've looked at the openSAML list and
> > documentation, and my signature validation code looks like this:
> >
> > import java.io.FileInputStream;
> > import java.io.InputStream;
> > import java.security.KeyStore;
> > import java.security.cert.X509Certificate;
> >
> > import org.opensaml.security.SAMLSignatureProfileValidator;
> > import org.opensaml.xml.security.x509.BasicX509Credential;
> > import org.opensaml.xml.signature.SignatureValidator;
> >
> > // Load the certificate used to check the signature from the service keystore.
> > KeyStore ks = KeyStore.getInstance("JKS");
> > InputStream is = new FileInputStream("resource/service.jks");
> > // char password [] = new char[]{""};
> >
> > ks.load(is, "pass".toCharArray());
> >
> > KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks
> >         .getEntry("alias", new KeyStore.PasswordProtection(
> >                 "pass".toCharArray()));
> >
> > X509Certificate cert = (X509Certificate) pkEntry.getCertificate();
> >
> > // Wrap the certificate as an OpenSAML credential.
> > BasicX509Credential x509Credential = new BasicX509Credential();
> >
> > x509Credential.setEntityCertificate(cert);
> > x509Credential.getEntityCertificateChain().add(cert);
> >
> > // Structural (profile) check of the signature, then the cryptographic check.
> > SAMLSignatureProfileValidator signProfileValidator = new
> >         SAMLSignatureProfileValidator();
> > signProfileValidator.validate(ass.getSignature());
> >
> > SignatureValidator signValidator = new SignatureValidator(
> >         x509Credential);
> >
> > signValidator.validate(ass.getSignature());
> >
> > But I always get
> >
> > org.opensaml.xml.validation.ValidationException: Signature did not validate
> > against the credential's key
> >
> > I do the conversion from org.apache.rahas.Token to SAML Assertion like
> > this:
> >
> > import javax.xml.transform.Transformer;
> > import javax.xml.transform.TransformerConfigurationException;
> > import javax.xml.transform.TransformerException;
> > import javax.xml.transform.TransformerFactory;
> > import javax.xml.transform.dom.DOMResult;
> >
> > import org.apache.axiom.om.impl.jaxp.OMSource;
> > import org.opensaml.saml2.core.Assertion;
> > import org.opensaml.xml.Configuration;
> > import org.opensaml.xml.io.Unmarshaller;
> > import org.opensaml.xml.io.UnmarshallerFactory;
> > import org.w3c.dom.Document;
> > import org.w3c.dom.Element;
> >
> > // Copy the Axiom OMElement of the token into a W3C DOM tree.
> > OMSource source = new OMSource(responseToken.getToken());
> > Element assercioSAMLDOM = null;
> > Transformer transformer;
> > TransformerFactory transFac = TransformerFactory.newInstance();
> >
> > try {
> >     transformer = transFac.newTransformer();
> >     DOMResult result = new DOMResult();
> >     transformer.transform(source, result);
> >
> >     assercioSAMLDOM = ((Document) result.getNode())
> >             .getDocumentElement();
> >
> > } catch (TransformerConfigurationException e2) {
> >     e2.printStackTrace();
> > } catch (TransformerException e) {
> >     e.printStackTrace();
> > }
> >
> > // Unmarshall the DOM element into an OpenSAML Assertion object.
> > UnmarshallerFactory unmarshallerFactory = Configuration
> >         .getUnmarshallerFactory();
> > Unmarshaller unmarshaller = unmarshallerFactory
> >         .getUnmarshaller(Assertion.DEFAULT_ELEMENT_NAME);
> >
> > Assertion ass = (Assertion) unmarshaller
> >         .unmarshall(assercioSAMLDOM);
> >
> > I've seen on the SAML list that often these errors are due to conversion
> > from one xml model to another (token to SAML Assertion).
> >
> > So my question is: I looked in the rampart svn for validation code for
> > SAML 2 tokens, but could not find anything; has anyone tried this? Also,
> > is the conversion from the rahas token to a DOM element correct? I
> > managed to validate signatures when validating the SAML 1 token issued,
> > but not now.
> >
> > cheers, Håkon
> >
> > --
> > Håkon Sagehaug, Scientific Programmer
> > Parallab, Bergen Center for Computational Science (BCCS)
> > UNIFOB AS (University of Bergen Research Company)
>
> --
> Nandana Mihindukulasooriya
> WSO2 inc.
>
> http://nandana.org/
> http://www.wso2.org

--
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
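The thread above leaves the relying-party side of SAML 2 signature checking unsettled (WSS4J's SAML2TokenProcessor builds the assertion without checking its signature, and the OpenSAML call sequence is shown only as a fragment). The following is an added example, written for this page and not code from the thread, Rampart, WSS4J or OpenSAML, of the full OpenSAML 2.x verification path: parse the assertion with a namespace-aware (and XXE-hardened) DOM parser, unmarshall it, refuse an unsigned assertion, run the SAML signature-profile check, and then verify the signature against the issuing STS's certificate. The class name Saml2AssertionVerifier, the method names, the truststore path and alias are my own assumptions. The credential handed to SignatureValidator must hold the public key the STS signs with; a relying party's own key entry only works if that entry happens to be the STS's signing certificate.

```java
// Added example, not code from the thread, Rampart, WSS4J or OpenSAML.
// Verifies a SAML 2.0 assertion's enveloped signature with OpenSAML 2.x.
// Class and method names, truststore path and alias are assumptions.
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class Saml2AssertionVerifier {

    static {
        try {
            DefaultBootstrap.bootstrap(); // registers SAML 2 (un)marshallers once
        } catch (ConfigurationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    private final BasicX509Credential issuerCredential;

    /** stsCert must be the certificate the STS signs with (the issuer's key),
     *  not the relying party's own certificate. */
    public Saml2AssertionVerifier(X509Certificate stsCert) {
        issuerCredential = new BasicX509Credential();
        issuerCredential.setEntityCertificate(stsCert);
    }

    /** Parse serialized assertion XML with a namespace-aware parser; the OpenSAML
     *  unmarshaller needs namespaces, and DTDs/external entities are disabled. */
    public static Element parseAssertion(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml));
        return doc.getDocumentElement();
    }

    /** Unmarshall and verify; returns the assertion only if its signature checks out. */
    public Assertion verify(Element assertionElement) throws Exception {
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory()
                .getUnmarshaller(assertionElement);
        Assertion assertion = (Assertion) unmarshaller.unmarshall(assertionElement);

        Signature signature = assertion.getSignature();
        if (signature == null) {
            // An unsigned assertion is rejected, never treated as verified.
            throw new ValidationException("Assertion is not signed");
        }
        // 1. Structural check: enveloped transform, one reference to the
        //    assertion's own ID, as the SAML signature profile requires.
        new SAMLSignatureProfileValidator().validate(signature);
        // 2. Cryptographic check against the issuer's public key; throws
        //    ValidationException on a key mismatch or tampered content.
        new SignatureValidator(issuerCredential).validate(signature);
        return assertion;
    }

    /** Load the STS certificate from a truststore by alias (path/alias assumed). */
    public static X509Certificate loadTrustedCert(String path, char[] pw, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, pw);
        } finally {
            in.close();
        }
        return (X509Certificate) ks.getCertificate(alias);
    }

    public static void main(String[] args) throws Exception {
        // Assumed truststore holding the STS certificate under alias "sts".
        X509Certificate stsCert = loadTrustedCert("resource/truststore.jks",
                "pass".toCharArray(), "sts");
        byte[] assertionXml = java.nio.file.Files.readAllBytes(
                java.nio.file.Paths.get(args[0])); // serialized assertion to check
        Assertion a = new Saml2AssertionVerifier(stsCert)
                .verify(parseAssertion(assertionXml));
        System.out.println("Signature verified; issuer " + a.getIssuer().getValue());
    }
}
```

If the assertion arrives as an Axiom OMElement inside a rahas Token, serializing that element to XML and feeding the bytes to parseAssertion gives a fresh, namespace-aware DOM tree without a model-to-model copy. A valid signature only proves who issued the assertion; the Issuer, Conditions (NotBefore/NotOnOrAfter) and AudienceRestriction still need to be checked by the relying party afterwards.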
