I have tested this feature in a demo a while back,
but I see now it was never tried on OSGi,
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2/sso-saml
only the simpler version of the demo was:
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2/war-bundle
Well, this RP code has been stressed by the users AFAIK, but it looks like
it was never tried in OSGi, unless I'm missing something. Colm, can that
validator provider be optionally injected and, if it is, then the call to the
static function be skipped?
Sergey
On 04/07/17 15:41, DrBrain wrote:
Versions:
- CXF 3.1.8
- Karaf 4.0.9
- JDK 1.8.x
I'm following the example on http://cxf.apache.org/docs/saml-web-sso.html
and everything's working fine up to the point where I need to validate the
SAML response I get back from the IdP. The problem seems to lie in the fact
that RequestAssertionConsumerService ends up using a SignatureValidator
(provided by org.opensaml.xmlsec.signature.support) which in turn tries to
find a signature validation provider using
ServiceLoader.load(SignatureValidationProvider.class) - which AFAIK will
never work in OSGi with no additional 'tricks'.
Here's the calling sequence:
And here's the problematic code (last call above):
Now, I'm pretty much aware of the problems of SPI + OSGi as well as possible
remedies using something like Aries SPI Fly *on your own code*. However,
since I - obviously - don't control the above code, trying to "SPIfy" it
myself means I end up with custom JARs, custom Karaf features to include
those JARs, etc. - not a nice place to be :)
So, I'm wondering whether I'm missing some obvious thing/workaround here...
Any ideas welcome :)
Thanks
--
View this message in context:
http://cxf.547215.n5.nabble.com/JAX-RS-SAML-Web-SSO-Validating-SAML-Response-in-OSGi-tp5781687.html
Sent from the cxf-user mailing list archive at Nabble.com.
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
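
The lookup behaviour described in the original post, as an added example that is not part of the thread and is not CXF or OpenSAML code: `ServiceLoader.load(Class)` resolves `META-INF/services` entries through the thread context class loader (TCCL), so the same call finds zero or one provider depending on which loader is set on the calling thread. `SpiTcclDemo`, `DemoValidationProvider`, `DemoProviderImpl` and `withTccl` are hypothetical names, and the temporary directory stands in for a bundle that carries the provider registration; whether a TCCL swap is appropriate in a given Karaf deployment is an assumption to verify there.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ServiceLoader;
import java.util.concurrent.Callable;

public class SpiTcclDemo {
    // Hypothetical stand-ins for an SPI interface and its provider.
    public interface DemoValidationProvider { String name(); }
    public static class DemoProviderImpl implements DemoValidationProvider {
        public String name() { return "demo-provider"; }
    }

    // Same call shape as in the post: the one-argument load() uses the TCCL.
    static int countProviders() {
        int n = 0;
        for (DemoValidationProvider p : ServiceLoader.load(DemoValidationProvider.class)) {
            n++;
        }
        return n;
    }

    // Runs body with the given TCCL and always restores the previous one.
    static <T> T withTccl(ClassLoader cl, Callable<T> body) throws Exception {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(cl);
        try { return body.call(); } finally { t.setContextClassLoader(saved); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a directory holding only the provider registration file.
        Path root = Files.createTempDirectory("spi-demo");
        Path services = Files.createDirectories(root.resolve("META-INF/services"));
        Files.write(services.resolve(DemoValidationProvider.class.getName()),
                DemoProviderImpl.class.getName().getBytes(StandardCharsets.UTF_8));
        ClassLoader own = SpiTcclDemo.class.getClassLoader();
        ClassLoader withRegistration =
                new URLClassLoader(new URL[] { root.toUri().toURL() }, own);

        // A TCCL that cannot see the registration finds nothing; one that can finds it.
        Integer blind = withTccl(own, SpiTcclDemo::countProviders);
        Integer seeing = withTccl(withRegistration, SpiTcclDemo::countProviders);
        System.out.println("TCCL without registration: " + blind + " provider(s)");
        System.out.println("TCCL with registration:    " + seeing + " provider(s)");
        if (blind != 0 || seeing != 1) throw new AssertionError("unexpected lookup result");
    }
}
```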