mace-opensaml-users - signed assertions in <Evidence> in <AuthorizationDecisionStatement>
Subject: OpenSAML user discussion
List archive
- From: Giandomenico Napolitano <>
- To:
- Subject: signed assertions in <Evidence> in <AuthorizationDecisionStatement>
- Date: Tue, 2 Aug 2005 21:06:02 +0200
I'm developing a web application that obtains single assertions from various SAML responders (Shibboleth's HS and AA atm) to use them as tokens (evidence) in an AuthorizationDecisionQuery to a SAML PDP. The resulting AuthorizationDecisionStatement wil contain the evidence received in the query in addition to the actual authorization decision. Being tokens, I need single evidence assertions to mantain original signature.
In PDP I use this code to construct the Authorization statement:
Iterator i = query.getEvidence();
Object entry = null;
while(i.hasNext()) {
try {
entry = i.next();
if(entry instanceof SAMLAssertion) {
//why can't I remove this clone()?
statement.addEvidence(((SAMLAssertion) entry).clone());
} else if(entry instanceof String) {
statement.addEvidence(new String((String) entry));
} else log("invalid evidence");
} catch(SAMLException e) {
log("invalid evidence"+e);
log("class:" + entry.getClass().getName());
}
}
Clone()ing the assertions removes signature, but without clone() I get a "SAMLObject.setParent() called on an already-contained object" error. The strange fact is that I don't have the same problem in the client side (the webapp) when inserting evidence in the query. The only difference is that the request containing the query is not being signed, while the assertion containing the statement contains multiple nested signatures (authZ + each evidence assertion). Maybe this is the problem? Can I have signed assertions nested as evidence in a signed assertion?
Thanks, Giandomenico Napolitano.
- signed assertions in <Evidence> in <AuthorizationDecisionStatement>, Giandomenico Napolitano, 08/02/2005
- RE: signed assertions in <Evidence> in <AuthorizationDecisionStatement>, Scott Cantor, 08/02/2005
- RE: signed assertions in <Evidence> in <AuthorizationDecisionStatement>, Scott Cantor, 08/02/2005
- Re: signed assertions in <Evidence> in <AuthorizationDecisionStatement>, Giandomenico Napolitano, 08/03/2005
- RE: signed assertions in <Evidence> in <AuthorizationDecisionStatement>, Scott Cantor, 08/03/2005
- Re: signed assertions in <Evidence> in <AuthorizationDecisionStatement>, Giandomenico Napolitano, 08/03/2005
Archive powered by MHonArc 2.6.16.