Hi Lennart,

I would suggest the following instead:

 - Retrieve the SAML action, and get the DOM Element from it of the
Assertion
 - Retrieve the Signature action
 - For each signed part associated with the Signature action, compare the
DOM Element of each one to see if it matches the Assertion Element
retrieved above

There is some code here which might be of help:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java;h=fde339cd1a98abb0aaf217a4b67dc6d9c6d78548;hb=HEAD

Colm.

On Fri, Nov 28, 2014 at 5:40 PM, Lennart Reuther <[email protected]>
wrote:

> Hi Colm,
>
> thanks for your answer. That means, I
>
> - fetch the Signature-Action,
>
> - extract the URI-Attribute of the Reference-element,
>
> - retrieve the SecurityTokenReference with the ID eq. the URI-attribute,
>
> - retrieve the URI of this and compare it with the ID of the assertion-element
>
> if that fits well, how can I check whether the assertion was signed with this 
> signature?
>
>
> Cheers from Dublin,
>
>
> Lennart
>
> ---------------
>
> Hi,
>
> WSS4J considers a SAML token to be signed (with respect to the "actions")
> only if there is an internal signature. In your case, you will have to
> retrieve a Signature action instead + check to see that the SAML Assertion
> was signed by it (indirectly).
>
> Colm.
>
> On Fri, Nov 21, 2014 at 6:55 PM, Lennart Reuther <[email protected]>
> wrote:
>
> > Hi Apache WS-Team,
> >
> > first thanks for the WSS4J library, as it really makes my life
> > handling SAML-Authentication much easier.
> >
> > I am currently working with WSS4J-1.6.16. I have the issue that an
> > assertion-element is not recognized as signed by
> > WSSecurityUtil.fetchActions, when the signing takes place via a direct
> > reference.
> >
> > Please find attached an xml-file of the request.
> >
> > Debugged down, the issue goes down to the call of
> > "AssertionImpl.isSigned", within xmltooling.1.3.2-1. There all the element's
> > children are checked for being the signature, but the direct reference
> > gets ignored.
> >
> > Do I have to retrieve the directly referenced signature manually within
> > my CallbackHandler (using DOMCallbackLookup), or is this something WSS4J
> > is supposed to do on its own?
> >
> > Thanks for your help,
> >
> > Lennart
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
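The three-step check Colm describes (get the Assertion's DOM Element from the SAML action result, get the Signature action result, and compare each signed part's Element against the Assertion Element) written out as an added example against the WSS4J 1.6 API. This is not code from the thread or from the linked CXF CryptoCoverageUtil; it assumes the caller already has the List<WSSecurityEngineResult> produced by WSSecurityEngine.processSecurityHeader for the same message, so that all DOM Elements belong to one Document and can be compared with Node.isSameNode. The class and method names below (AssertionSignatureCheck, isAssertionCoveredBySignature) are my own.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;

/**
 * Hypothetical helper (not part of WSS4J) that answers the question in the
 * thread: was the SAML Assertion covered by a Signature action even though
 * WSS4J reported it as an unsigned SAML token (no internal signature)?
 */
public final class AssertionSignatureCheck {

    private AssertionSignatureCheck() {
    }

    /**
     * @param results the results list returned by processSecurityHeader
     * @return true if at least one Signature action in the header has the
     *         Assertion element itself as one of its signed parts
     */
    public static boolean isAssertionCoveredBySignature(List<WSSecurityEngineResult> results) {
        // Step 1: find the SAML token result and take the Assertion's DOM Element.
        // Check ST_UNSIGNED first (the case in the thread), then ST_SIGNED.
        List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
        if (samlResults.isEmpty()) {
            return false; // no SAML token at all, nothing to verify
        }

        // Step 2: collect every Signature action result.
        List<WSSecurityEngineResult> signatureResults = new ArrayList<WSSecurityEngineResult>();
        WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signatureResults);

        for (WSSecurityEngineResult samlResult : samlResults) {
            AssertionWrapper assertion =
                (AssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (assertion == null || assertion.getElement() == null) {
                continue;
            }
            Element assertionElement = assertion.getElement();

            // Step 3: for each signed part of each Signature, compare the protected
            // DOM Element with the Assertion Element (same node, not just same ID).
            for (WSSecurityEngineResult signatureResult : signatureResults) {
                @SuppressWarnings("unchecked")
                List<WSDataRef> signedParts =
                    (List<WSDataRef>) signatureResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
                if (signedParts == null) {
                    continue;
                }
                for (WSDataRef ref : signedParts) {
                    Element protectedElement = ref.getProtectedElement();
                    if (protectedElement != null && protectedElement.isSameNode(assertionElement)) {
                        return true;
                    }
                }
            }
        }
        // No Signature action's signed parts included the Assertion element.
        return false;
    }
}
```

Comparing DOM nodes rather than ID attribute strings is the point of Colm's suggestion: an attacker-controlled ID string can be duplicated or rewrapped, whereas WSDataRef.getProtectedElement() refers to the node the signature reference actually resolved to during verification. A caller that gets false back should treat the assertion as unsigned, exactly as WSS4J's own action reporting does.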
