Hi,

This is a bug that I've fixed in WSS4J:

https://issues.apache.org/jira/browse/WSS-390

You could test with the latest trunk code on CXF, as this is currently picking up WSS4J 1.6.6-SNAPSHOT.

Colm.

On Wed, May 16, 2012 at 3:25 PM, Sunil Bapat <[email protected]> wrote:
> Thanks for the help.
> In the SAMLCallbackHandler, I am calling setAssertionElement as you mentioned:
>
> DOMParser parser = new DOMParser();
> parser.parse(new InputSource(new StringReader(samlAssertionString)));
> callback.setAssertionElement(parser.getDocument().getDocumentElement());
>
> In the STS client, I am setting the following properties:
> Map<String, Object> properties = new HashMap<String, Object>();
> properties.put(WSHandlerConstants.ACTION,
>     WSHandlerConstants.SAML_TOKEN_SIGNED);
> properties.put("ws-security.saml-callback-handler",
>     new SAMLCallbackHandler(assertionString));
> client.setProperties(properties);
>
> After doing this, I am getting the exception below. OpenSAMLUtil.toDom
> is trying to sign the assertion. The assertion is already signed by
> the STS which issued it. I don't have the private key to configure. It
> looks like the SAML assertion is deconstructed and reconstructed. Is
> the above code correct? Am I missing some other configuration?
>
> Exception:
>
> org.apache.cxf.interceptor.Fault
>     at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:151)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:158)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
>     at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:673)
>     .....
>     .....
>
> Caused by: java.lang.NullPointerException
>     at org.apache.xml.security.algorithms.implementations.SignatureDSA.engineInitSign(Unknown Source)
>     at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(Unknown Source)
>     at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
>     at org.opensaml.xml.signature.Signer.signObject(Signer.java:76)
>     at org.apache.ws.security.saml.ext.OpenSAMLUtil.toDom(OpenSAMLUtil.java:132)
>     at org.apache.ws.security.saml.ext.AssertionWrapper.toDOM(AssertionWrapper.java:287)
>     at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.addSignedSupportingTokens(TransportBindingHandler.java:106)
>     at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleNonEndorsingSupportingTokens(TransportBindingHandler.java:166)
>     at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:144)
>
> Thanks
> Sunil.
>
>
> On Wed, May 16, 2012 at 4:39 AM, Colm O hEigeartaigh
> <[email protected]> wrote:
>> Are you using WS-SecurityPolicy? The only way I can think of to do
>> this is if the STS is secured with a WS-SecurityPolicy expression that
>> requires a SAML Token as a SupportingToken, see here for some
>> examples:
>>
>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/DoubleItSaml.wsdl?view=markup
>>
>> In this case, you'll need to configure the client with a special
>> callback handler to retrieve the SAML Assertion, for example:
>>
>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/client/client.xml?view=markup
>>
>> The following example referenced above generates a new SAML Assertion:
>>
>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlCallbackHandler.java?view=markup
>>
>> However if you have access to the DOM Element you can just set this
>> instead on the SAMLCallback object.
>>
>> Colm.
>>
>> On Tue, May 15, 2012 at 9:03 PM, Urmila & Sunil Bapat <[email protected]>
>> wrote:
>>> How do I configure the STSClient to pass in an existing SAML assertion?
>>> The scenario is that the STS is secured by a SAML assertion. Therefore
>>> to call the STS, we need to pass this SAML assertion. What properties
>>> and callbacks can I configure on the STSClient to send this SAML
>>> assertion in the header of the RequestSecurityToken call to the STS?
>>>
>>> Thanks
>>> Sunil.
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
