It turns out that I haven't completely resolved my issues from earlier, but I think I'm in the home stretch (hopefully). In the code I'm migrating (from CXF 2.3 to CXF 2.7), the original authors created a WSSecSignature descendant that does some security header customization, including inserting a Security Token Reference and inserting a SAML Assertion. This part seems to work fine, until I try to sign the assertion. Then I get this:

Caused by: org.apache.ws.security.WSSecurityException: Error during Signature:
    at gov.faa.swim.ssri.wss.wss4j.saml.SupportingSamlTokenSignedAction.execute(SupportingSamlTokenSignedAction.java:126)
    at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)
    at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)
    at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:265)
    ... 44 more
Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed
    at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:561)
    at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:481)
    at gov.faa.swim.ssri.wss.wss4j.saml.SupportingSamlTokenSignedAction$WSSecSamlSupportingTokenSignature.build(SupportingSamlTokenSignedAction.java:250)
    at gov.faa.swim.ssri.wss.wss4j.saml.SupportingSamlTokenSignedAction.execute(SupportingSamlTokenSignedAction.java:122)
    ... 47 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID STRId-5676DF1E739178AEC41416571963291192
    at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:436)
    at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:364)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:495)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:378)
    at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:556)
    ... 50 more
Caused by: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID STRId-5676DF1E739178AEC41416571963291192
    at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:118)
    at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:430)
    ... 54 more
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID STRId-5676DF1E739178AEC41416571963291192
    at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolveURI(ResolverFragment.java:85)
    at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:298)
    at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:111)

The security header has the element with the specified ID,

    <wsse:SecurityTokenReference wsu:Id="STRId-5676DF1E739178AEC41416571963291192">
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_5676DF1E739178AEC41416571963191191</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>

So I'm not sure what the issue is. I've come across some references to using IdResolver, but that didn't seem to help, and is supposed to be deprecated besides. Does anyone have any suggestions for resolving this issue?

Thanx,
Stephen W. Chappell