mace-opensaml-users - RE: verifying signature on saml assertions
Subject: OpenSAML user discussion
List archive
- From: Scott Cantor <>
- To: 'Rakesh Aggarwal' <>,
- Cc: 'Shamik Sharma' <>, 'Ernest Mak' <>, 'Mike McEvoy' <>
- Subject: RE: verifying signature on saml assertions
- Date: Mon, 14 Apr 2003 19:48:44 -0400
- Importance: Normal
- Organization: The Ohio State University
> I am using axis API to serialize the message to and from XML.
> Corresponding axis API methods are "writeTo()" and "parse()".
> I use the following method insertSamlInHeader() to insert the
> signed saml-assertion in SOAP headers.
Right, I get it. Certainly you can insert the DOM objects that make up the
assertion into a tree from another JAXP-based package
that's using the same parser underneath, but when you dump the XML text, you
can't allow that package to muck with it and add extra
text node content like whitespace.
A lot of tools seem to do that without regard for the fact that the output
XML no longer matches the original data. That's obviously
dangerous. In the case of signatures, it's fatal.
> The (extra-whitespace) problem does seem related to axis soap
> (de)serialization. The sign() and verify() does pass when
> just using w3c Document object to wrap the samlAssertion
> Node, and using the toDOM(),
> fromDOM() methods in SAMLAssertion objects.
If you can use Axis to get hold of the SOAP DOM (the envelope), what you can
do is write your own code to output the DOM using the
c14n algorithm inside xmlsec. I don't expose that because I'm trying to hide
my use of xmlsec inside. But you can always import and
call those methods directly.
Just look at toStream() in any of the SAML classes to see how to do it.
-- Scott
---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
---------------------------------------------------mace-opensaml-users--
- RE: verifying signature on saml assertions, (continued)
- RE: verifying signature on saml assertions, mochamaster, 04/15/2003
- RE: verifying signature on saml assertions, mochamaster, 04/15/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/16/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/16/2003
- RE: verifying signature on saml assertions, mochamaster, 04/16/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/16/2003
- RE: verifying signature on saml assertions, mochamaster, 04/16/2003
- RE: verifying signature on saml assertions, mochamaster, 04/15/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/14/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/14/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/16/2003
- RE: verifying signature on saml assertions, mochamaster, 04/15/2003
Archive powered by MHonArc 2.6.16.