Hi all,

I first encountered the XML signature verification problem generated by the serialization mechanism of Axis 1.x when starting to use the wss4j SAML support based on OpenSAML 1.0.1. To create a SAML assertion it uses org.opensaml.SAMLAssertion, which creates assertions this way:

    <Assertion AssertionID="_c7ecbec589fb83a6aff2176535125169" IssueInstant="2006-07-24T16:26:22.000Z" Issuer="myissuer" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
        ....
    </Assertion>

When this assertion is signed it shouldn't be modified before signature verification, but this is not the way Axis serialization works when you set the "enableNamespacePrefixOptimization" parameter to "false". In such a case, regardless of the format of the SOAP message received on the net (with or without the prefix), the assertion will be modified to:

    <saml:Assertion AssertionID="_c7ecbec589fb83a6aff2176535125169" IssueInstant="2006-07-24T16:26:22.000Z" Issuer="myissuer" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
        ....
    </saml:Assertion>

breaking signature verification. Naturally, setting the "enableNamespacePrefixOptimization" parameter to "true" solves this problem, but then this workaround can create a situation that seems an unsolvable problem to me.

As you know, the "enableNamespacePrefixOptimization" parameter was introduced to solve the mirror-image problem to the one with my SAML assertion, when we have a SOAP body like this:

    <soapenv:Body wsu:id="id-23412344" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-2004">
        <somepfx:SomeTag id="e0sdoaeckrpd" xmlns="ns:uri:one" xmlns:somepfx="ns:uri:one">hello</somepfx:SomeTag>
    </soapenv:Body>

This can work when received in Axis only if you set the "enableNamespacePrefixOptimization" parameter to "false"; otherwise the signature validation will fail, as the message would be changed to:

    <soapenv:Body wsu:id="id-23412344" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-2004">
        <SomeTag id="e0sdoaeckrpd" xmlns="ns:uri:one" xmlns:somepfx="ns:uri:one">hello</SomeTag>
    </soapenv:Body>

See https://issues.apache.org/jira/browse/AXIS-1624 for a discussion of the problem and the solution proposed.

And now the unsolvable problem: if I have a SOAP message with a SAML assertion and a SOAP body like in my example and I sign both, a receiving Axis service will not be able to validate both signatures:

- if I set the "enableNamespacePrefixOptimization" parameter to "false", the SAML assertion signature validation will fail
- if I set the "enableNamespacePrefixOptimization" parameter to "true", the SOAP body signature validation will fail.

Changing the SOAP clients can't be a solution, as they are not always under our control :)

Any idea on how to deal with this "deadlock"? I tested only Axis 1.3 and 1.4. Is there anyone using Axis2/Axiom who can report if the same problem still exists in this release?

Regards,
Luciano
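As an added example (not code from the original post, from Axis or from wss4j), the following Java program, assuming Apache Santuario 1.x/2.x (the xmlsec library wss4j builds on) and Java 8+, runs Exclusive C14N over the assertion element both as it was signed and as Axis re-serialises it, and prints the SHA-1 DigestValue each form would produce. It shows why the ds:Reference check fails even though the two forms bind the same namespace URI: the prefix actually used on the element survives canonicalization.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;

/** Compares the Exclusive C14N bytes (and hence the DigestValue) of a signed element before and after re-prefixing. */
public class PrefixDigestCheck {

    // Constructed sample: the assertion as OpenSAML emitted and signed it (child elements elided).
    static final String AS_SIGNED =
        "<Assertion AssertionID=\"_c7ecbec589fb83a6aff2176535125169\""
        + " IssueInstant=\"2006-07-24T16:26:22.000Z\" Issuer=\"myissuer\""
        + " MajorVersion=\"1\" MinorVersion=\"1\""
        + " xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\""
        + " xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\""
        + " xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\"/>";

    // The same element after Axis (enableNamespacePrefixOptimization=false) re-serialises it with the saml: prefix.
    static final String AS_RESERIALISED = AS_SIGNED.replace("<Assertion ", "<saml:Assertion ");

    /** Exclusive C14N without comments, the transform WS-Security signatures normally apply to each Reference. */
    static byte[] exclusiveC14n(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this the DOM has no notion of prefixes at all
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        return c14n.canonicalizeSubtree(doc.getDocumentElement()); // Santuario 1.x/2.x: returns byte[]
    }

    /** Base64(SHA-1(canonical bytes)), i.e. what a SHA-1 ds:Reference carries as its DigestValue. */
    static String digestValue(byte[] canonical) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-1").digest(canonical));
    }

    public static void main(String[] args) throws Exception {
        Init.init(); // Santuario must be initialised before Canonicalizer is used
        byte[] signedForm = exclusiveC14n(AS_SIGNED);
        byte[] receivedForm = exclusiveC14n(AS_RESERIALISED);
        // Exclusive C14N keeps only the namespace declarations that are visibly used, so the element's
        // prefix choice (none vs. saml:) is part of the canonical bytes and therefore of the digest.
        System.out.println(new String(signedForm, StandardCharsets.UTF_8));
        System.out.println(new String(receivedForm, StandardCharsets.UTF_8));
        System.out.println("DigestValue as signed:   " + digestValue(signedForm));
        System.out.println("DigestValue as received: " + digestValue(receivedForm));
        // The two digests differ, so the Reference check fails before the SignatureValue is even examined.
    }
}
```

The same comparison applied to the soapenv:Body sample shows the mirror image: there the re-serialisation drops the somepfx: prefix, and it is the "true" setting that changes the digest.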