Thanks for the help.
In the SAMLCallbackHandler, I am calling setAssertionElement as you mentioned:
DOMParser parser = new DOMParser();
parser.parse(new InputSource(new StringReader(samlAssertionString)));
callback.setAssertionElement(parser.getDocument().getDocumentElement());
In the STS client, I am setting the following properties:
Map<String, Object> properties = new HashMap<String, Object>();
properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED);
properties.put("ws-security.saml-callback-handler", new SAMLCallbackHandler(assertionString));
client.setProperties(properties);
After doing this, I am getting the exception below. OpenSAMLUtil.toDom
is trying to sign the assertion. The assertion is already signed by
the STS which issued it. I don't have the private key to configure. It
looks like the SAML assertion is deconstructed and reconstructed. Is
the above code correct? Am I missing some other configuration?
Exception:
org.apache.cxf.interceptor.Fault
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:151)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:158)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:673)
.....
.....
Caused by: java.lang.NullPointerException
at org.apache.xml.security.algorithms.implementations.SignatureDSA.engineInitSign(Unknown Source)
at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(Unknown Source)
at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
at org.opensaml.xml.signature.Signer.signObject(Signer.java:76)
at org.apache.ws.security.saml.ext.OpenSAMLUtil.toDom(OpenSAMLUtil.java:132)
at org.apache.ws.security.saml.ext.AssertionWrapper.toDOM(AssertionWrapper.java:287)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.addSignedSupportingTokens(TransportBindingHandler.java:106)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleNonEndorsingSupportingTokens(TransportBindingHandler.java:166)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:144)
Thanks
Sunil.
On Wed, May 16, 2012 at 4:39 AM, Colm O hEigeartaigh
<[email protected]> wrote:
> Are you using WS-SecurityPolicy? The only way I can think of to do
> this is if the STS is secured with a WS-SecurityPolicy expression that
> requires a SAML Token as a SupportingToken, see here for some
> examples:
>
> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl?view=markup
>
> In this case, you'll need to configure the client with a special
> callback handler to retrieve the SAML Assertion, for example:
>
> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/client/client.xml?view=markup
>
> The following example referenced above generates a new SAML Assertion:
>
> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlCallbackHandler.java?view=markup
>
> However if you have access to the DOM Element you can just set this
> instead on the SAMLCallback object.
>
> Colm.
>
> On Tue, May 15, 2012 at 9:03 PM, Urmila & Sunil Bapat <[email protected]>
> wrote:
>> How do I configure the STSClient to pass in an existing SAML assertion?
>> The scenario is that the STS is secured by a SAML assertion. Therefore
>> to call the STS, we need to pass this SAML assertion. What properties
>> and callbacks can I configure on the STSClient to send this SAML
>> assertion in the header of the RequestSecurityToken call to the STS?
>>
>> Thanks
>> Sunil.
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
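An added example, not code from this thread or from the CXF/WSS4J projects, of the callback handler Colm describes: it sets the DOM Element of an already-issued assertion on the SAMLCallback instead of generating a new one, and it holds no signing key of its own. Compared with the three-line snippet above, the parser is namespace-aware (required for XML Signature and SAML) and refuses DOCTYPE declarations, since the assertion text typically arrives from outside the process. The class and method names, the sample assertion string and the issuer URL are made up for illustration; SAMLCallback, STSClient.setProperties and the SecurityConstants.SAML_CALLBACK_HANDLER key (the same "ws-security.saml-callback-handler" string used in the thread) are the real API. It does not change the re-signing path behind the NullPointerException in the trace; it only hands the issued element over unchanged.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.ws.security.saml.ext.SAMLCallback;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/**
 * Hypothetical handler (not CXF's own) that hands an assertion issued and signed
 * by another STS to WSS4J unchanged. It parses the stored XML once and sets the
 * resulting DOM Element on the SAMLCallback; it never signs anything itself.
 */
public class ExistingAssertionCallbackHandler implements CallbackHandler {

    private final Element assertionElement;

    public ExistingAssertionCallbackHandler(String samlAssertionXml) throws Exception {
        this.assertionElement = parseAssertion(samlAssertionXml);
    }

    /** Parses the assertion namespace-aware and with DTD processing disabled. */
    static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // XML Signature and SAML need a namespace-aware DOM; the JAXP default is false.
        dbf.setNamespaceAware(true);
        // The assertion text may come from a token cache, a file or an HTTP header:
        // reject DOCTYPE declarations so no external entity can be resolved.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder builder = dbf.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof SAMLCallback) {
                // Supply the issued assertion as-is. No subject, issuer or statement data
                // is set, so nothing is rebuilt and the issuing STS's signature still
                // covers the original element.
                ((SAMLCallback) callback).setAssertionElement(assertionElement);
            } else {
                throw new UnsupportedCallbackException(callback, "Only SAMLCallback is supported");
            }
        }
    }

    /** Registers the handler on an STSClient under the key used in the thread. */
    public static void configure(STSClient client, String samlAssertionXml) throws Exception {
        Map<String, Object> properties = new HashMap<String, Object>();
        // SecurityConstants.SAML_CALLBACK_HANDLER is "ws-security.saml-callback-handler".
        properties.put(SecurityConstants.SAML_CALLBACK_HANDLER,
                new ExistingAssertionCallbackHandler(samlAssertionXml));
        client.setProperties(properties);
    }

    public static void main(String[] args) throws Exception {
        // Constructed, unsigned placeholder for a stand-alone run; a real assertion
        // carries the issuing STS's ds:Signature and must not be edited afterwards.
        String sample = "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\""
            + " ID=\"_placeholder-id\" Version=\"2.0\" IssueInstant=\"2012-05-16T00:00:00Z\">"
            + "<saml2:Issuer>https://sts.example.test</saml2:Issuer></saml2:Assertion>";
        ExistingAssertionCallbackHandler handler = new ExistingAssertionCallbackHandler(sample);
        SAMLCallback cb = new SAMLCallback();
        handler.handle(new Callback[] {cb});
        System.out.println("Assertion element set: " + cb.getAssertionElement().getLocalName());
    }
}
```

The handler deliberately exposes nothing but the element: any private key or crypto configuration belongs to the STS that issued the assertion, and the recipient, not this client, is the party that must verify the issuer's signature before trusting the token.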