Hi Colm,

thanks for your answer. That means, I

- fetch the Signature-Action,
- extract the URI-Attribute of the Reference-element,
- retrieve the SecurityTokenReference with the ID eq. the URI-attribute,
- retrieve the URI of this and compare it with the ID of the assertion-element.

If that fits well, how can I check whether the assertion was signed with this signature?

Cheers from Dublin,
Lennart

---------------

Hi,

WSS4J considers a SAML token to be signed (with respect to the "actions") only if there is an internal signature. In your case, you will have to retrieve a Signature action instead + check to see that the SAML Assertion was signed by it (indirectly).

Colm.

On Fri, Nov 21, 2014 at 6:55 PM, Lennart Reuther <[email protected]> wrote:

> Hi Apache WS-Team,
>
> first, thanks for the WSS4J library, as it really makes my life
> handling SAML-Authentication much easier.
>
> I am currently working with WSS4J-1.6.16. I have the issue that an
> assertion-element is not recognized as signed by
> WSSecurityUtil.fetchActions, when the signing takes place via a direct
> reference.
>
> Please find attached an xml-file of the request.
>
> Debugged down, the issue goes down to the call of
> "AssertionImpl.isSigned", within xmltooling.1.3.2-1. There all the element's
> children are checked for being the signature, but the direct reference
> gets ignored.
>
> Do I have to retrieve the directly referenced signature manually within
> my CallbackHandler (using DOMCallbackLookup) or is this something WSS4J
> is supposed to do on its own?
>
> Thanks for your help,
>
> Lennart
>

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
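
The reference chain Lennart describes (Signature Reference → SecurityTokenReference → Assertion), as an added example that is not part of the thread and is not WSS4J code. It is Python run over a constructed security header, it resolves structure only and rejects duplicate IDs, and it assumes the digest and signature value were already validated by the security engine; the function names and sample IDs are hypothetical.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample header (digests, signature value and key info omitted).
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:saml2="{SAML2}">
  <saml2:Assertion ID="_a1"><saml2:Issuer>constructed-idp</saml2:Issuer></saml2:Assertion>
  <wsse:SecurityTokenReference wsu:Id="STR-1">
    <wsse:Reference URI="#_a1"/>
  </wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#STR-1"/>
  </ds:SignedInfo></ds:Signature>
</wsse:Security>"""

def by_id(root, value):
    """Return the single element carrying this wsu:Id / ID / AssertionID."""
    hits = [e for e in root.iter()
            if value in (e.get(f"{{{WSU}}}Id"), e.get("ID"), e.get("AssertionID"))]
    if len(hits) != 1:  # duplicate IDs are how signature wrapping hides a second assertion
        raise ValueError(f"id {value!r} matches {len(hits)} elements")
    return hits[0]

def indirectly_signed_assertion_ids(header_xml):
    """IDs of assertions that a ds:Reference reaches through a SecurityTokenReference."""
    root = ET.fromstring(header_xml)
    found = []
    for signed_info in root.iter(f"{{{DS}}}SignedInfo"):
        for ref in signed_info.findall(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            target = by_id(root, uri[1:]) if uri.startswith("#") else None
            if target is None or target.tag != f"{{{WSSE}}}SecurityTokenReference":
                continue
            inner = target.find(f"{{{WSSE}}}Reference")
            key_id = target.find(f"{{{WSSE}}}KeyIdentifier")
            if inner is not None:
                token_id = inner.get("URI", "").lstrip("#")
            elif key_id is not None:
                token_id = (key_id.text or "").strip()
            else:
                continue
            token = by_id(root, token_id)  # raises if missing or ambiguous
            if token.tag.endswith("}Assertion"):
                found.append(token_id)
    return found
```

The assertion the application consumes should then be compared by ID against the returned list, so that an unsigned assertion elsewhere in the message is not accepted.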
