Versions: - CXF 3.1.8 - Karaf 4.0.9 - JDK 1.8.x I'm following the example on http://cxf.apache.org/docs/saml-web-sso.html and everything's working fine up to the point where I need to validate the SAML response I get back from the IdP. The problem seems to lie to the fact that RequestAssertionConsumerService ends up using a SignatureValidator (provided by org.opensaml.xmlsec.signature.support) which in turn tries to find a signature validation provider using ServiceLoader.load(SignatureValidationProvider.class) - which AFAIK will never work in OSGi with no additional 'tricks'.
Here's the calling sequence: And here's the problematic code (last call above): Now, I'm pretty much aware of the problems of SPI + OSGi as well as possible remedies using something like Aries SPI Fly *on your own code*. However, since I - obviously - don't control the above code, trying to "SPIfy" it myself means I end up with custom JARs, custom Karaf features to include those JARs, etc. - not a nice place to be :) So, I'm wondering whether I'm missing some obvious thing/workaround here... Any ideas welcome :) Thanks -- View this message in context: http://cxf.547215.n5.nabble.com/JAX-RS-SAML-Web-SSO-Validating-SAML-Response-in-OSGi-tp5781687.html Sent from the cxf-user mailing list archive at Nabble.com.
