Hello
I'm trying to append a SAML-assertion signed by an external STS to my
Security header.
But when I call the build-method in WSSecSignatureSAML I get an NPE.
The reason for this seems to be that wss4j is trying to sign the
SAML-assertion once more even if it already has been signed. It happens in
the toDOM()-method in the org.apache.ws.security.saml.ext.OpenSAMLUtil-class
(which is always called when calling the build-method in WSSecSignatureSAML).
Here is the part in the toDOM()-method where the signing is done:
    // Sign the assertion if the signature element is present.
    if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
        org.opensaml.saml2.core.Assertion saml2 =
            (org.opensaml.saml2.core.Assertion) xmlObject;
        // if there is a signature, but it hasn't already been signed
        if (saml2.getSignature() != null) {
            if (log.isDebugEnabled()) {
                log.debug("Signing SAML v2.0 assertion...");
            }
            try {
                Signer.signObject(saml2.getSignature());
            } catch (SignatureException ex) {
                throw new WSSecurityException("Error signing a SAML assertion", ex);
            }
        }
    } else if (
But shouldn't there be a call to saml2.isSigned() to check that we are
not trying to sign an already signed assertion, i.e.
it should look like this:
        // if there is a signature, but it hasn't already been signed
        if (saml2.getSignature() != null && !saml2.isSigned()) {
            if (log.isDebugEnabled()) {
                log.debug("Signing SAML v2.0 assertion...");
            }
            try {
                Signer.signObject(saml2.getSignature());
            } catch (SignatureException ex) {
                throw new WSSecurityException("Error signing a SAML assertion", ex);
            }
        }
    } else if (
The reason I get the NPE is that it is not possible to call
Signer.signObject(saml2.getSignature()) above without having a private key. It
is not possible because it is the STS's private key that should be used,
and I don't have that key. It shouldn't be necessary either, because I
cannot see why the assertion should be signed once more if it already is
signed.
/Pär-Johan Lif
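As an added example (not code from the post, from wss4j or from OpenSAML), the Python below works over the serialized assertion and draws the same distinction the proposed isSigned() condition draws: a ds:Signature template that still needs signing versus a signature an external STS has already completed. The SAML 2.0 and XMLDSig namespaces are the real ones; the sample assertion and its digest/signature values are constructed placeholders.

```python
"""Added example (not from the original post, wss4j or OpenSAML): classify the
signature state of a SAML 2.0 assertion and compare the quoted toDOM() condition
("sign whenever ds:Signature is present") with the proposed one ("sign only if
it has not been signed yet")."""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_state(assertion_xml: str) -> str:
    """Return 'unsigned', 'template' or 'signed' for a serialized assertion."""
    root = ET.fromstring(assertion_xml)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return "unsigned"
    value = sig.find("ds:SignatureValue", NS)
    if value is None or not (value.text or "").strip():
        return "template"  # signature element present, but nothing computed yet
    return "signed"


def original_wants_to_sign(assertion_xml: str) -> bool:
    """Mirrors the quoted toDOM() check: sign as soon as ds:Signature exists."""
    return signature_state(assertion_xml) != "unsigned"


def proposed_wants_to_sign(assertion_xml: str) -> bool:
    """Mirrors the proposed check: sign only while the signature is a template."""
    return signature_state(assertion_xml) == "template"


# Constructed sample: an assertion already signed by an external STS. The
# DigestValue/SignatureValue contents are placeholders, not real crypto output.
SIGNED = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml2:Issuer>https://sts.example.test</saml2:Issuer>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDERDIGEST=</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDERSIGNATURE=</ds:SignatureValue>
  </ds:Signature>
</saml2:Assertion>"""

# Constructed sample: the same assertion with an unfilled signature template.
TEMPLATE = SIGNED.replace("PLACEHOLDERSIGNATURE=", "")

if __name__ == "__main__":
    for name, doc in (("signed", SIGNED), ("template", TEMPLATE)):
        print(name, signature_state(doc),
              original_wants_to_sign(doc), proposed_wants_to_sign(doc))
```

With the original condition the already-signed assertion is handed to Signer.signObject() again, which is exactly the path that needs a private key the caller does not hold.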