Hi,

I have been trying to get signed SAML assertions into a message that I then add headers to, and sign using WSS4J 1.5. I am using Axis 1.x (1.2.1 and 1.4), and with WSS4J 1.5 I am using XML-Security 1.3.0 and OpenSAML; also I have Java 1.4 and as a result I have Xerces 2.8.0 and xml-apis 1.3.03 in my endorsed directory.
***The Problem***

When I try to pass a message containing a signed object to the handlers that add the WSS security headers and sign the whole message, I break the integrity of the internal signed object. The exact moment this happens seems to be when a javax.xml.rpc.handler.Handler is invoked on the message to insert the WSS headers.
I have come across some postings that seem to point to the same problems I am having:

Like in the postings, I tried to modify enableNamespacePrefixOptimization, but it prevented my signed SOAP messages from validating.
After many attempts, I have cobbled together a working demo. The basic strategy I have been using is to sign the assertion and message at the same time in a handler (extends org.apache.axis.handlers.BasicHandler) right before sending out (read: end of chain). Then I verify both message and internal assertion before the WSS headers are modified at all. I have had some success with this, but I am limited by this solution. Additionally, I would like an easy way to use the OpenSAML libraries to have the objects sign themselves and then not have to worry about them being disrupted by my SOAP engine.
***Request for Input***

I am thinking this use case might be a lost cause in Axis 1.x. However, if anyone could recommend further solutions, including other technologies (other than Axis 1.4) that have been proven to pass signed messages (and signed parts within signed messages) along to SOAP without "mucking" with the XML, I would really appreciate it.
At this point I am assuming this is an Axis 1.x issue and not from WSS4J, although if anyone has more insight on this I would be open to it.
