Still the SAML2TokenProcessor patch is not applied. So let's hold on until it gets applied.

Any better solutions? Thanks.

/thilina

E-Mail : [email protected]
I blog here : http://thilinamb.com

2009/10/22 Håkon Sagehaug <[email protected]>

> Hi,
>
> No problem in submitting a patch, I need some help in how to do that though,
> how to proceed mainly. Also looked in the svn for wss4j in the
> branches/1.5_x_fixes, but could not see the SAML2TokenProcessor, is this
> patch applied?
>
> cheers, Håkon
>
> 2009/10/21 Thilina Mahesh Buddhika <[email protected]>
>
> > Hi,
> >
> > It would be great if you can submit this as a patch to WSS4J. SAML token
> > validation should be further improved from the WSS4J side.
> >
> > Thanks.
> > /thilina
> >
> > E-Mail : [email protected]
> > I blog here : http://thilinamb.com
> >
> > 2009/10/21 Håkon Sagehaug <[email protected]>
> >
> > > Hi again
> > >
> > > But I used the other way of building the dom element, using the byte
> > > stream approach, and then the signature validation was successful, so
> > > thanks for the pointer to the patch.
> > >
> > > cheers, Håkon
> > >
> > > 2009/10/21 Håkon Sagehaug <[email protected]>
> > >
> > > > Hi Nandana,
> > > >
> > > > As far as I see from the patch and also stated in the comment for the
> > > > SAML2TokenProcessor#buildAssertion
> > > >
> > > > "At the moment it only validates by building an assertion similar to
> > > > the SAMLTokenProcessor"
> > > >
> > > > Not validating the actual signature for the assertion, so the building
> > > > token part is okay, but not validating the signature. But maybe this
> > > > issue has been dealt with? And also using the SAML 1 I had to validate
> > > > the signature in my application, because the wss4j SAMLProcessor for
> > > > SAML1 only builds it, and made it available through the
> > > > WSSecurityEngineResult object.
> > > >
> > > > cheers, Håkon
> > > >
> > > > 2009/10/21 Nandana Mihindukulasooriya <[email protected]>
> > > >
> > > > > Hi Håkon,
> > > > >
> > > > > Did you take a look at the patch [1]. It is not yet applied to WSS4J
> > > > > trunk but I think it will be useful for you.
> > > > >
> > > > > regards,
> > > > > Nandana
> > > > >
> > > > > [1] - https://issues.apache.org/jira/browse/WSS-204
> > > > >
> > > > > 2009/10/21 Håkon Sagehaug <[email protected]>
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I've tried using the rampart 1.5, and made a sts service that
> > > > > > issues a SAML2 assertion, so now I want to try to validate the
> > > > > > signature. But facing problems doing that. My sts service is the
> > > > > > same as the one provided by the distribution. I've looked at the
> > > > > > openSAML list and documentation and my signature validation code
> > > > > > looks like this
> > > > > >
> > > > > >     // load the service keystore and pick the signing certificate
> > > > > >     KeyStore ks = KeyStore.getInstance("JKS");
> > > > > >     InputStream is = new FileInputStream("resource/service.jks");
> > > > > >     // char password [] = new char[]{""};
> > > > > >
> > > > > >     ks.load(is, "pass".toCharArray());
> > > > > >
> > > > > >     KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks
> > > > > >             .getEntry("alias", new KeyStore.PasswordProtection(
> > > > > >                     "pass".toCharArray()));
> > > > > >
> > > > > >     X509Certificate cert = (X509Certificate) pkEntry.getCertificate();
> > > > > >
> > > > > >     // wrap the certificate as an OpenSAML credential
> > > > > >     BasicX509Credential x509Credential = new BasicX509Credential();
> > > > > >
> > > > > >     x509Credential.setEntityCertificate(cert);
> > > > > >     x509Credential.getEntityCertificateChain().add(cert);
> > > > > >
> > > > > >     // profile check (enveloped signature over the assertion itself)
> > > > > >     SAMLSignatureProfileValidator signProfileValidator = new
> > > > > >             SAMLSignatureProfileValidator();
> > > > > >     signProfileValidator.validate(ass.getSignature());
> > > > > >
> > > > > >     // cryptographic check against the credential's key
> > > > > >     SignatureValidator signValidator = new SignatureValidator(
> > > > > >             x509Credential);
> > > > > >
> > > > > >     signValidator.validate(ass.getSignature());
> > > > > >
> > > > > > But I always get
> > > > > >
> > > > > >     org.opensaml.xml.validation.ValidationException: Signature did not
> > > > > >     validate against the credential's key
> > > > > >
> > > > > > I do the conversion from org.apache.rahas.Token to SAML Assertion
> > > > > > like this
> > > > > >
> > > > > >     // Axiom OM tree -> DOM via JAXP transform
> > > > > >     OMSource source = new OMSource(responseToken.getToken());
> > > > > >     Element assercioSAMLDOM = null;
> > > > > >     Transformer transformer;
> > > > > >     TransformerFactory transFac = TransformerFactory.newInstance();
> > > > > >
> > > > > >     try {
> > > > > >         transformer = transFac.newTransformer();
> > > > > >         DOMResult result = new DOMResult();
> > > > > >         transformer.transform(source, result);
> > > > > >
> > > > > >         assercioSAMLDOM = ((Document) result.getNode())
> > > > > >                 .getDocumentElement();
> > > > > >
> > > > > >     } catch (TransformerConfigurationException e2) {
> > > > > >         e2.printStackTrace();
> > > > > >     } catch (TransformerException e) {
> > > > > >         e.printStackTrace();
> > > > > >     }
> > > > > >
> > > > > >     // DOM -> OpenSAML object model
> > > > > >     UnmarshallerFactory unmarshallerFactory = Configuration
> > > > > >             .getUnmarshallerFactory();
> > > > > >     Unmarshaller unmarshaller = unmarshallerFactory
> > > > > >             .getUnmarshaller(Assertion.DEFAULT_ELEMENT_NAME);
> > > > > >
> > > > > >     Assertion ass = (Assertion) unmarshaller
> > > > > >             .unmarshall(assercioSAMLDOM);
> > > > > >
> > > > > > Seen on the SAML list that often these errors are due to conversion
> > > > > > from one xml model to another (token to SAML Assertion).
> > > > > >
> > > > > > So my question is, I looked in the rampart svn for validation code
> > > > > > for SAML 2 tokens, but could not find anything, has anyone tried
> > > > > > this? Also is the conversion from the rahas token to dom element
> > > > > > correct? I managed to validate signatures when validating SAML 1
> > > > > > token issued, but not now.
> > > > > >
> > > > > > cheers, Håkon
> > > > > >
> > > > > > --
> > > > > > Håkon Sagehaug, Scientific Programmer
> > > > > > Parallab, Bergen Center for Computational Science (BCCS)
> > > > > > UNIFOB AS (University of Bergen Research Company)
> > > > >
> > > > > --
> > > > > Nandana Mihindukulasooriya
> > > > > WSO2 inc.
> > > > >
> > > > > http://nandana.org/
> > > > > http://www.wso2.org
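The byte-stream conversion Håkon reported as working, written out as an added example (not code from the thread, rampart, WSS4J or OpenSAML): the rahas Token's OM element is serialized to bytes and re-parsed with a namespace-aware DOM parser, so the DOM that XML-DSig canonicalizes is exactly the wire form the STS signed, and the unmarshalled assertion is then checked with the same two OpenSAML 2 validators. The class name, the keystore alias argument and the "assertion is not signed" check are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.axiom.om.OMElement;
import org.apache.rahas.Token;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Element;

// Hypothetical helper class; not part of rampart, WSS4J or OpenSAML.
public class Saml2AssertionCheck {

    /** Serialize the OM tree to bytes and re-parse it with a namespace-aware DOM parser. */
    static Element tokenToDom(Token token) throws Exception {
        OMElement om = token.getToken();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        om.serialize(buf);                 // byte-for-byte the form the STS signed
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);       // OpenSAML and XML-DSig need namespace-aware DOM
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(buf.toByteArray()))
                  .getDocumentElement();
    }

    /** Unmarshal the DOM into an OpenSAML Assertion and verify its enveloped signature. */
    static Assertion verify(Token token, KeyStore ks, String alias) throws Exception {
        DefaultBootstrap.bootstrap();      // registers the SAML2 unmarshallers
        Element el = tokenToDom(token);
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(el);
        Assertion assertion = (Assertion) um.unmarshall(el);
        if (assertion.getSignature() == null) {
            throw new SecurityException("assertion is not signed");  // assumed policy
        }
        // Profile check first: enveloped signature that references the assertion itself.
        new SAMLSignatureProfileValidator().validate(assertion.getSignature());
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(cert);
        // Throws ValidationException when the signature does not match the key.
        new SignatureValidator(cred).validate(assertion.getSignature());
        return assertion;
    }
}
```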
