mace-opensaml-users - org.opensaml.MalformedException while Parsing Assertion

Subject: OpenSAML user discussion

org.opensaml.MalformedException while Parsing Assertion


  • Subject: org.opensaml.MalformedException while Parsing Assertion
  • Date: Wed, 17 May 2006 08:30:14 -0400 (EDT)

Here is an interesting problem,

Current Environment:
OS: Windows XP
JDK: 1.4.2.07 - created an endorsed directory in my JRE and added endorsed jars
openSAML 1.1b
I also have WSS4J (version 1.0.0)... not sure if that would cause any
conflict issues.

So I will be the first to say that I don't know everything about the SAML
spec, but I was fairly sure that you could use an X.509 cert as the
confirmation data, so basically that is what I am trying to do, plus sign the
SAML assertion with another key.

I get through the creation of the SAML Assertion fine. I output that to
System.out, and get this:

<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AssertionID="_e43d527837c543f8fd98686f72b81a3d"
IssueInstant="2006-05-17T12:09:13.589Z" Issuer="CN=Brad P. Lawrence,
CN=Users,..." MajorVersion="1" MinorVersion="1"><Conditions
NotBefore="2006-05-17T12:09:11.020Z"
NotOnOrAfter="2006-05-17T12:14:11.740Z"></Conditions><AuthenticationStatement
AuthenticationInstant="2006-05-17T12:08:38.360Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"><Subject><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod><saml:SubjectConfirmationData><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIICzDCCAjUCBERkqXUwDQYJKoZIhvcNAQEEBQAwgawx... - base 64 X.509 certificate
data.
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></saml:SubjectConfirmationData></SubjectConfirmation></Subject></AuthenticationStatement><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_e43d527837c543f8fd98686f72b81a3d">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind
rw saml samlp typens #default xsd
xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>nqt0V5VSIvFmPFkp/RnOuPloH1U=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
h+Zju89l1ABSQw0/HKHjGwNkDO2BJ6DP5sul8aWW6HgdzViFBnuBbKhLW4ZfHYQET+bk6Kzd3I2j
SbUBb6rrlAHzcGdDyUA5FgCy+HQnCfPLdDkEZeYc5MMEUdgTWgDfyQUMHRhoAXnin9Sh5sv49GhW
8aHrcBBjgg4fjYG7Lvk=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIICvDCCAiUCBERkqcIwDQYJKoZIhvcNAQEEB... - base 64 X.509 certificate data.
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature></Assertion>

I get no errors upon creation, although if I remove the confirmation method I
do get a MalformedException saying my Subject is malformed because it doesn't
have a confirmation method or a Name identifier. I have also attempted other
confirmation methods just to see what would occur, and again I get no errors
on creation.

I then output this SAML Assertion to an output stream, then read it back in
with:

javax.xml.parsers.DocumentBuilder.parse(new InputSource(new
StringReader(outputStream.toString())));

Get that DOM doc and then get the element within that document that
corresponds to the Assertion and output it to the System.out and verify that
it is exactly the same as the above SAML Assertion.

Then I try to construct a SAMLAssertion out of it:

SAMLAssertion samlAssertion = new SAMLAssertion(element);

And I get an InvocationTargetException caused by my MalformedException:

Caused by: org.opensaml.MalformedException: Subject is invalid, requires
either NameIdentifier or at least one ConfirmationMethod
at org.opensaml.SAMLSubject.checkValidity(SAMLSubject.java:360)
at org.opensaml.SAMLSubject.fromDOM(SAMLSubject.java:166)
at org.opensaml.SAMLSubject.<init>(SAMLSubject.java:111)
at org.opensaml.SAMLSubjectStatement.fromDOM(SAMLSubjectStatement.java:78)
at org.opensaml.SAMLAuthenticationStatement.fromDOM(SAMLAuthenticationStatement.java:177)
at org.opensaml.SAMLAuthenticationStatement.<init>(SAMLAuthenticationStatement.java:159)
... 26 more
com.lmco.ncsp.security.implementations.NCSPSAMLException: Subject is invalid,
requires either NameIdentifier or at least one ConfirmationMethod
at com.lmco.ncsp.security.implementations.NCSPSamlImpl.testParseSAML(NCSPSamlImpl.java:258)
at com.lmco.ncsp.security.test.SAMLTest.testSAMLGeneration(SAMLTest.java:58)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at junit.framework.TestCase.runTest(TestCase.java:154)
at junit.framework.TestCase.runBare(TestCase.java:127)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:118)
at junit.framework.TestSuite.runTest(TestSuite.java:208)
at junit.framework.TestSuite.run(TestSuite.java:203)
at junit.framework.TestSuite.runTest(TestSuite.java:208)
at junit.framework.TestSuite.run(TestSuite.java:203)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:478)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:344)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)

I am not sure what is going on; I am fairly sure I have a confirmation method
in there, at least my output to System.out shows it being in there.

Any ideas, because I am stumped?
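One detail the post does not show is how the DocumentBuilder used to re-read the assertion was configured. A JAXP DocumentBuilderFactory is not namespace-aware by default, and a DOM built that way carries no namespace URI on its nodes, so a lookup keyed on the SAML namespace does not see the ConfirmationMethod element even though the serialized XML prints identically. As far as I recall the OpenSAML 1.x fromDOM code matches child elements on namespace URI as well as local name, which would produce exactly this symptom; that is an assumption about the cause, not a confirmed diagnosis. The example below is added here and is not code from the post or from OpenSAML. It parses a constructed, trimmed assertion with the same element layout as the one above (signature and certificates omitted, class and method names invented) under both factory settings, counts the ConfirmationMethod elements a namespaced lookup finds, and also hardens the factory against DTD and external-entity processing, which any parser fed assertions from a remote party should do. The feature switches require JAXP 1.3 (Java 5) or the Xerces jars the post mentions placing in the endorsed directory.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SamlNamespaceCheck {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Constructed sample: a trimmed SAML 1.1 assertion with the same element
    // layout as the one in the post. Signature and certificates are omitted;
    // the identifiers are placeholders, not values from the post.
    static final String ASSERTION =
          "<Assertion xmlns=\"" + SAML_NS + "\" xmlns:saml=\"" + SAML_NS + "\""
        + " AssertionID=\"_example-id\" IssueInstant=\"2006-05-17T12:09:13.589Z\""
        + " Issuer=\"CN=example issuer\" MajorVersion=\"1\" MinorVersion=\"1\">"
        + "<AuthenticationStatement"
        + " AuthenticationInstant=\"2006-05-17T12:08:38.360Z\""
        + " AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:X509-PKI\">"
        + "<Subject><SubjectConfirmation>"
        + "<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
        + "</ConfirmationMethod>"
        + "</SubjectConfirmation></Subject>"
        + "</AuthenticationStatement></Assertion>";

    /**
     * Builds a DocumentBuilder. namespaceAware decides whether DOM nodes carry
     * a namespace URI; the remaining settings refuse DTDs and external entities
     * so untrusted assertions cannot trigger entity expansion or XXE.
     */
    static DocumentBuilder newBuilder(boolean namespaceAware) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(namespaceAware);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the sample assertion the same way the post does, from a string. */
    static Element parseAssertion(boolean namespaceAware) throws Exception {
        Document doc = newBuilder(namespaceAware)
            .parse(new InputSource(new StringReader(ASSERTION)));
        return doc.getDocumentElement();
    }

    /** Number of ConfirmationMethod elements found by a namespace-qualified lookup. */
    static int countConfirmationMethods(Element assertion) {
        NodeList found = assertion.getElementsByTagNameNS(SAML_NS, "ConfirmationMethod");
        return found.getLength();
    }

    /** Namespace URI the DOM reports for the root Assertion element, or "(none)". */
    static String rootNamespace(Element assertion) {
        String ns = assertion.getNamespaceURI();
        return ns == null ? "(none)" : ns;
    }

    public static void main(String[] args) throws Exception {
        boolean[] settings = { true, false };
        for (int i = 0; i < settings.length; i++) {
            Element root = parseAssertion(settings[i]);
            System.out.println("namespaceAware=" + settings[i]
                + " rootNamespace=" + rootNamespace(root)
                + " confirmationMethods=" + countConfirmationMethods(root));
        }
    }
}
```

Run it and compare the two lines: with the namespace-aware builder the root reports the SAML namespace and the namespaced lookup finds the ConfirmationMethod; with the default factory the nodes have no namespace and the same lookup comes up empty, which is the shape of the failure in the trace above. If that matches what you see, setting namespaceAware on the factory used before `new SAMLAssertion(element)` is the thing to try first.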
