Hi,

No problem submitting a patch, though I need some help with how to do that, how
to proceed mainly. I also looked in the svn for wss4j in
branches/1.5_x_fixes, but could not see the SAML2TokenProcessor; has this
patch been applied?

cheers, Håkon

2009/10/21 Thilina Mahesh Buddhika <[email protected]>

> Hi,
>
> It would be great if you could submit this as a patch to WSS4J. SAML token
> validation should be further improved from the WSS4J side.
>
> Thanks.
> /thilina
>
>
> E-Mail         : [email protected]
> I blog here : http://thilinamb.com
>
>
> 2009/10/21 Håkon Sagehaug <[email protected]>
>
> > Hi again
> >
> > But I used the other way of building the DOM element, using the byte stream
> > approach, and then the signature validation was successful, so thanks for
> > the pointer to the patch.
> >
> > cheers, Håkon
> >
> > 2009/10/21 Håkon Sagehaug <[email protected]>
> >
> > > Hi Nandana,
> > >
> > > As far as I see from the patch, and as also stated in the comment for
> > > SAML2TokenProcessor#buildAssertion,
> > >
> > > "At the moment it only validates by building an assertion similar to the
> > > SAMLTokenProcessor"
> > >
> > > it is not validating the actual signature of the assertion, so the building
> > > token part is okay, but not validating the signature. But maybe this issue has
> > > been dealt with? Also, using SAML 1 I had to validate the signature in my
> > > application, because the wss4j SAMLProcessor for SAML1 only builds it and
> > > makes it available through the WSSecurityEngineResult object.
> > >
> > > cheers, Håkon
> > >
> > >
> > > 2009/10/21 Nandana Mihindukulasooriya <[email protected]>
> > >
> > >> Hi Håkon,
> > >>        Did you take a look at the patch [1]? It is not yet applied to WSS4J
> > >> trunk but I think it will be useful for you.
> > >>
> > >> regards,
> > >> Nandana
> > >>
> > >> [1] - https://issues.apache.org/jira/browse/WSS-204
> > >>
> > >> 2009/10/21 Håkon Sagehaug <[email protected]>
> > >>
> > >> > Hi all,
> > >> >
> > >> > I've tried using rampart 1.5 and made an STS service that issues a SAML2
> > >> > assertion, so now I want to try to validate the signature, but I am facing
> > >> > problems doing that. My STS service is the same as the one provided by the
> > >> > distribution. I've looked at the OpenSAML list and documentation and my
> > >> > signature validation code looks like this
> > >> >
> > >> > import java.io.FileInputStream;
> > >> > import java.io.InputStream;
> > >> > import java.security.KeyStore;
> > >> > import java.security.cert.X509Certificate;
> > >> > import org.opensaml.security.SAMLSignatureProfileValidator;
> > >> > import org.opensaml.xml.security.x509.BasicX509Credential;
> > >> > import org.opensaml.xml.signature.SignatureValidator;
> > >> >
> > >> > // Load the service keystore and pull out the signing certificate
> > >> > KeyStore ks = KeyStore.getInstance("JKS");
> > >> > InputStream is = new FileInputStream("resource/service.jks");
> > >> > // char password [] = new char[]{""};
> > >> > ks.load(is, "pass".toCharArray());
> > >> >
> > >> > KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks
> > >> >     .getEntry("alias", new KeyStore.PasswordProtection("pass".toCharArray()));
> > >> >
> > >> > X509Certificate cert = (X509Certificate) pkEntry.getCertificate();
> > >> >
> > >> > // Wrap the certificate as an OpenSAML credential
> > >> > BasicX509Credential x509Credential = new BasicX509Credential();
> > >> > x509Credential.setEntityCertificate(cert);
> > >> > x509Credential.getEntityCertificateChain().add(cert);
> > >> >
> > >> > // Check the signature follows the SAML profile, then verify it against the key
> > >> > SAMLSignatureProfileValidator signProfileValidator = new SAMLSignatureProfileValidator();
> > >> > signProfileValidator.validate(ass.getSignature());
> > >> >
> > >> > SignatureValidator signValidator = new SignatureValidator(x509Credential);
> > >> > signValidator.validate(ass.getSignature());
> > >> >
> > >> > But I always get
> > >> >
> > >> > org.opensaml.xml.validation.ValidationException: Signature did not validate
> > >> > against the credential's key
> > >> >
> > >> > I do the conversion from org.apache.rahas.Token to SAML Assertion like this
> > >> >
> > >> > import javax.xml.transform.Transformer;
> > >> > import javax.xml.transform.TransformerConfigurationException;
> > >> > import javax.xml.transform.TransformerException;
> > >> > import javax.xml.transform.TransformerFactory;
> > >> > import javax.xml.transform.dom.DOMResult;
> > >> > import org.apache.axiom.om.impl.jaxp.OMSource;
> > >> > import org.opensaml.saml2.core.Assertion;
> > >> > import org.opensaml.xml.Configuration;
> > >> > import org.opensaml.xml.io.Unmarshaller;
> > >> > import org.opensaml.xml.io.UnmarshallerFactory;
> > >> > import org.w3c.dom.Document;
> > >> > import org.w3c.dom.Element;
> > >> >
> > >> > // Copy the Axiom (OM) tree into a DOM tree with an identity transform
> > >> > OMSource source = new OMSource(responseToken.getToken());
> > >> > Element assercioSAMLDOM = null;
> > >> > Transformer transformer;
> > >> > TransformerFactory transFac = TransformerFactory.newInstance();
> > >> >
> > >> > try {
> > >> >     transformer = transFac.newTransformer();
> > >> >     DOMResult result = new DOMResult();
> > >> >     transformer.transform(source, result);
> > >> >     assercioSAMLDOM = ((Document) result.getNode()).getDocumentElement();
> > >> > } catch (TransformerConfigurationException e2) {
> > >> >     e2.printStackTrace();
> > >> > } catch (TransformerException e) {
> > >> >     e.printStackTrace();
> > >> > }
> > >> >
> > >> > // Unmarshal the DOM element into an OpenSAML Assertion object
> > >> > UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
> > >> > Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(Assertion.DEFAULT_ELEMENT_NAME);
> > >> >
> > >> > Assertion ass = (Assertion) unmarshaller.unmarshall(assercioSAMLDOM);
> > >> >
> > >> >
> > >> > I have seen on the SAML list that often these errors are due to conversion
> > >> > from one XML model to another (token to SAML Assertion).
> > >> >
> > >> > So my question is: I looked in the rampart svn for validation code for SAML
> > >> > 2 tokens, but could not find anything; has anyone tried this? Also, is the
> > >> > conversion from the rahas token to a DOM element correct? I managed to
> > >> > validate signatures when validating the SAML 1 token issued, but not now.
> > >> >
> > >> >
> > >> > cheers, Håkon
> > >> >
> > >> > --
> > >> > Håkon Sagehaug, Scientific Programmer
> > >> > Parallab, Bergen Center for Computational Science (BCCS)
> > >> > UNIFOB AS (University of Bergen Research Company)
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Nandana Mihindukulasooriya
> > >> WSO2 inc.
> > >>
> > >> http://nandana.org/
> > >> http://www.wso2.org
> > >>
> > >
> > >
> > >
> > > --
> > > Håkon Sagehaug, Scientific Programmer
> > > Parallab, Bergen Center for Computational Science (BCCS)
> > > UNIFOB AS (University of Bergen Research Company)
> > >
> >
> >
> >
> > --
> > Håkon Sagehaug, Scientific Programmer
> > Parallab, Bergen Center for Computational Science (BCCS)
> > UNIFOB AS (University of Bergen Research Company)
> >
>



-- 
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
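The byte-stream conversion that Håkon reports as working, combined with the OpenSAML validation steps from the first message and the checks a relying party needs on top of them, written out as an added example. This is not code from the thread and not Rampart, Rahas or WSS4J code; it assumes the OpenSAML 2.x, Axiom and Joda-Time libraries shipped with Rampart 1.5, and a JKS keystore holding the STS's certificate under some alias. The class name Saml2AssertionVerifier, the keystore parameters and the 60 second clock skew are all assumptions. The reason serialising to bytes and re-parsing avoids "Signature did not validate against the credential's key" is that the digest in the signature covers the canonical form of the signed subtree; any conversion that changes the in-scope namespace declarations or whitespace there yields different canonical bytes, while a namespace-aware re-parse of the STS's own serialisation reproduces them exactly.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.axiom.om.OMElement;
import org.apache.rahas.Token;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

// Added example; class name, keystore layout and skew value are assumptions.
public final class Saml2AssertionVerifier {

    // Tolerated clock difference between STS and verifier (assumed value).
    private static final long CLOCK_SKEW_MILLIS = 60 * 1000L;

    private final BasicX509Credential stsCredential;

    static {
        // OpenSAML 2 must be bootstrapped once before Configuration is used.
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Loads only the STS's public certificate; no private key is needed to verify.
    public Saml2AssertionVerifier(String jksPath, char[] jksPassword, String stsAlias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(jksPath);
        try {
            ks.load(in, jksPassword);
        } finally {
            in.close();
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(stsAlias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + stsAlias);
        }
        stsCredential = new BasicX509Credential();
        stsCredential.setEntityCertificate(cert);
    }

    // Axiom tree -> bytes -> DOM, so the DOM carries exactly the namespace
    // declarations and whitespace the STS signed. The parser must be
    // namespace-aware for OpenSAML; DTDs are disabled so a token cannot carry an XXE.
    public static Element toDom(OMElement assertionElement) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        assertionElement.serialize(bytes);
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(bytes.toByteArray()))
                .getDocumentElement();
    }

    // Returns the assertion only if its signature and validity window check out.
    public Assertion verify(Token issuedToken) throws Exception {
        Element dom = toDom(issuedToken.getToken());
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(dom);
        Assertion assertion = (Assertion) um.unmarshall(dom);

        Signature sig = assertion.getSignature();
        if (sig == null) {
            throw new ValidationException("assertion is not signed");
        }
        // Structural check: the Reference must point at this assertion's own ID,
        // with only the transforms the SAML profile allows.
        new SAMLSignatureProfileValidator().validate(sig);
        // Cryptographic check against the trusted STS certificate, never against
        // whatever KeyInfo the token itself carries.
        new SignatureValidator(stsCredential).validate(sig);

        // A valid signature says nothing about freshness; check Conditions as well.
        Conditions cond = assertion.getConditions();
        if (cond == null) {
            throw new ValidationException("assertion has no Conditions");
        }
        DateTime now = new DateTime();
        if (cond.getNotBefore() != null
                && now.plus(CLOCK_SKEW_MILLIS).isBefore(cond.getNotBefore())) {
            throw new ValidationException("assertion not yet valid");
        }
        if (cond.getNotOnOrAfter() != null
                && !now.minus(CLOCK_SKEW_MILLIS).isBefore(cond.getNotOnOrAfter())) {
            throw new ValidationException("assertion expired");
        }
        return assertion;
    }
}
```

Two things worth keeping in mind when adapting this. SignatureValidator only proves that the XML signature was produced with the key in the credential you hand it, so the credential must come from your own trust store, as above, and not be built from the certificate embedded in the assertion's KeyInfo; otherwise anyone can issue themselves an assertion that "validates". SAMLSignatureProfileValidator is what stops a signature that is valid but covers something other than the assertion (a different Reference URI or an unexpected transform) from being accepted, and neither validator looks at NotBefore, NotOnOrAfter, Audience or the Issuer, which the relying party still has to check itself.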
