For what it is worth, Colm, I was able to crib your fix for the parser pool off
of Fisheye and stick it in my own code for the time being. With that in place
and the custom code below to set the signature, I end up with a signed SAML
assertion with advice that has the signature intact.
Thanx,
Stephen W. Chappell
-----Original Message-----
From: Chappell, Stephen CTR (FAA)
Sent: Thursday, June 18, 2015 9:07 AM
To: us...@cxf.apache.org; cohei...@apache.org; users@ws.apache.org
Subject: Signature stripped from Assertions in Advice
Some time ago, with WSS4J 1.6.x, I had a problem where if I was building a SAML
token that contained another signed SAML token in its Advice, the signature on
the inner token would be stripped clean - there'd be an element, but it would
have empty <SignatureValue/> and <DigestValue/> elements. The stripping
occurred during the call to sa.signAssertion(). I had traced the problem to
the calls to ReleaseDOM() in the AssertionWrapper.setSignature() call, and so
worked around it by writing a custom signAssertion that is pretty much the same
as what's in AssertionWrapper, but replacing setSignature with some code I
cribbed from OpenSAML.
I bring this up now because with WSS4J2, this solution isn't working for me,
because of the NPE exception I mentioned previously (it is fixed in that spot,
but this is a different spot where I am calling OpenSAML methods directly, so
the same fix doesn't apply). So I thought I'd revert back to the
SamlAssertionWrapper.signAssertion() method. But, that has the same problem as
WSS4J 1.6 - the Advice assertion has its signature stripped. As I recall, when
ReleaseDOM() is called, it releases the existing signature values so that when
WSS4J later signs the Assertion (I think I remember that the actual signing is
deferred until later?) those values are already lost, and what gets built is an
empty signature object. Since I need my Advice Assertions to retain their
signature, that doesn't work for me.
So my workaround would probably still apply if I could get past the marshalling
NPE ... can you tell me how you did that?
For what is is worth, this is what I replaced setSignature with ... my NPE's
come in with the call to "marshall".
protected final void addSignatureToAssertion(SamlAssertionWrapper sa,
Signature signature,
String signatureDigestAlgorithm)
{
if ( sa.getXmlObject() instanceof SignableSAMLObject ) {
SignableSAMLObject signableObject = (SignableSAMLObject)
sa.getXmlObject();
signableObject.setSignature(signature);
SAMLObjectContentReference contentRef =
(SAMLObjectContentReference)signature.getContentReferences().get(0);
contentRef.setDigestAlgorithm(signatureDigestAlgorithm);
try {
if ( sa.getSaml1() != null ) {
xmlObjectRegistry.getMarshallerFactory().getMarshaller(sa.getSaml1()).marshall(sa.getSaml1());
} else if ( sa.getSaml2() != null ) {
xmlObjectRegistry.getMarshallerFactory().getMarshaller(sa.getSaml2()).marshall(sa.getSaml2());
}
} catch ( MarshallingException e ) {
e.printStackTrace();
}
try {
Signer.signObject(signature);
} catch ( SignatureException e ) {
e.printStackTrace();
}
}
}
Thanx,
Stephen W. Chappell
