Hi,

WSSecSignatureSAML is used to sign a SAML Assertion. If you're getting a signed SAML Assertion from an external STS then why not just append it to the security header directly?

Colm.

On Tue, Sep 27, 2011 at 11:29 AM, <[email protected]> wrote:
> Hello
>
> I'm trying to append a SAML assertion signed by an external STS to my
> Security header.
> But when I call the build method in WSSecSignatureSAML I get an NPE.
> The reason for this seems to be that wss4j is trying to sign the
> SAML assertion once more even if it already has been signed. It happens in
> the toDOM() method in the org.apache.ws.security.saml.ext.OpenSAMLUtil
> class (which is always called when calling the build method in
> WSSecSignatureSAML).
> Here is the part of the toDOM() method where the signing is done:
>
>     // Sign the assertion if the signature element is present.
>     if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
>         org.opensaml.saml2.core.Assertion saml2 =
>             (org.opensaml.saml2.core.Assertion) xmlObject;
>         // if there is a signature, but it hasn't already been signed
>         if (saml2.getSignature() != null) {
>             if (log.isDebugEnabled()) {
>                 log.debug("Signing SAML v2.0 assertion...");
>             }
>             try {
>                 Signer.signObject(saml2.getSignature());
>             } catch (SignatureException ex) {
>                 throw new WSSecurityException("Error signing a SAML assertion", ex);
>             }
>         }
>     } else if (
>
> But... shouldn't there be a call to saml2.isSigned() to check that we are
> not trying to sign an already signed assertion, i.e. it should look like this:
>
>         // if there is a signature, but it hasn't already been signed
>         if (saml2.getSignature() != null && !saml2.isSigned()) {
>             if (log.isDebugEnabled()) {
>                 log.debug("Signing SAML v2.0 assertion...");
>             }
>             try {
>                 Signer.signObject(saml2.getSignature());
>             } catch (SignatureException ex) {
>                 throw new WSSecurityException("Error signing a SAML assertion", ex);
>             }
>         }
>     } else if (
>
> The reason why I get the NPE is because it is not possible to call
> Signer.signObject(saml2.getSignature()) above without having a private key.
> It is not possible because it is the STS's private key that should be used,
> and I don't have that key. It shouldn't be necessary either, because I
> cannot see why the assertion should be signed once more if it already is
> signed.
>
> /Pär-Johan Lif

--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
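As an added illustration of the two points in this thread (checking that an STS-issued assertion already carries a computed signature, and appending it to wsse:Security as-is instead of running it through a signing path), here is an example that is not part of the thread or of WSS4J; it uses only the JDK DOM API, and the class and method names are hypothetical. It decides "already signed" by looking for the assertion's own ds:Signature with a non-empty ds:SignatureValue, which is the property the poster wanted `isSigned()` to express.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AppendSignedAssertion {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";

    // "Already signed" at the DOM level: a ds:Signature that is a direct child of the
    // assertion (enveloped signature) and whose ds:SignatureValue has been filled in.
    static boolean carriesComputedSignature(Element assertion) {
        for (Node n = assertion.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            if (!DSIG.equals(n.getNamespaceURI()) || !"Signature".equals(n.getLocalName())) continue;
            NodeList v = ((Element) n).getElementsByTagNameNS(DSIG, "SignatureValue");
            return v.getLength() > 0 && !v.item(0).getTextContent().trim().isEmpty();
        }
        return false;
    }

    // Import the STS-issued assertion into the outgoing envelope and place it in
    // wsse:Security (created under the SOAP Header if absent) without signing it again.
    static Element appendToSecurityHeader(Document soap, Element stsAssertion) {
        if (!carriesComputedSignature(stsAssertion)) {
            throw new IllegalStateException("assertion has no computed signature; not appending it");
        }
        Element envelope = soap.getDocumentElement();
        Element header = (Element) envelope.getElementsByTagNameNS(SOAP, "Header").item(0);
        if (header == null) {
            header = soap.createElementNS(SOAP, "soapenv:Header");
            envelope.insertBefore(header, envelope.getFirstChild()); // Header must precede Body
        }
        Element security = (Element) header.getElementsByTagNameNS(WSSE, "Security").item(0);
        if (security == null) {
            security = soap.createElementNS(WSSE, "wsse:Security");
            header.appendChild(security);
        }
        Node imported = soap.importNode(stsAssertion, true); // deep copy keeps Id attrs and xmlns decls
        security.appendChild(imported);
        return (Element) imported;
    }

    // Namespace-aware parser for the envelope and the STS response, with DTDs disabled.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The STS's signature only stays verifiable if the assertion's namespace context is preserved when it is moved; that is what exclusive canonicalization in the STS's signature is for, so check the assertion's ds:CanonicalizationMethod if the receiver later reports a digest mismatch.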
