
mace-opensaml-users - Re: Verify a SAML token

Subject: OpenSAML user discussion

  • From: Chad La Joie <>
  • To:
  • Subject: Re: Verify a SAML token
  • Date: Tue, 05 Jun 2007 19:56:34 -0400
  • Organization: OIS - Middleware

At the moment we do not, but part of all the pain we've been going through with this final rework of that part of the code was, in part, to be able to support things like that in such a way that one could add the support without having to change anything else about how you validate items, represent credentials, sign/encrypt things, etc.

If, once this work is done, you wanted to add support for this I can probably help point you at the right place to add it and once we have it tested I don't see a problem incorporating it into the main code base. If you're interested you can put a bug into the XMLTooling project, security component, and then just ping me later, after the release, to bring this discussion back up.

Mike Mattozzi wrote:
Thanks for the discussion... looking forward to the final release of
OpenSAML 2, I'm sure you guys are too :)

Now for a nitty-gritty question: Do you have support for xpointer? I
was working through a signature validation using the
SignatureValidator and the sample Assertion I have uses the Reference
URI="#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1])"
When validate() is called on the signature, I get a nice blob of errors:

Exception in thread "main" org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:75)
at samltest.Samltest.parseSAML1withCert(Samltest.java:160)
at samltest.Samltest.main(Samltest.java:67)
Caused by: org.apache.xml.security.signature.XMLSignatureException: The Reference for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) and Base
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) and Base
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) and Base
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI #xpointer(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='Assertion'][1]) and Base
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(Unknown Source)
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:68)
... 2 more

I tried replacing the URI with just the assertion id, in which case it
seems to find everything it's looking for just fine, but then it
fails with "Signature did not validate against the credential's key"
which I guess makes sense given the fact that I just changed part of
the XML (or would this part be excluded from the signing?)

Either way, is there any way I can get this xpointer to resolve?

thanks!

On 6/5/07, Scott Cantor <> wrote:
Mike Klein wrote:
> I am using routines documented on this page to verify signer of identity
> document and to verify/sign assertions. Code seems to work fine and
> messages are tamper-proof.

Yes, as long as your use case is simple enough that a single
predetermined certificate is available for each signer and you do the
mapping between who the signer is and where the certificate is.

> Grabbing a public cert from a keystore can be done in 3 lines of code or
> so...this isn't an issue. OpenSAML won't provide you an uber-keystore
> concept or anything I think so you'll need to load and cache them yourself.

Actually, that's pretty much exactly what it does, or will do, along with
support for TLS/SSL connection management with the same trust facilities.

-- Scott


--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
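Added illustration for the xpointer question in the thread above; this is not OpenSAML or Apache XML Security code. It uses a hand-built SignedInfo, HMAC in place of the signer's RSA key and the stdlib C14N 2.0 as stand-ins for real XML-DSig processing, with a constructed envelope, key and Reference URI. It shows a resolver that can dereference both the "#id" and the local-name() xpointer forms, and why swapping the URI for the assertion ID still fails: the element is found and its digest matches, but the URI is part of SignedInfo, which is what the key actually signs.

```python
import hashlib, hmac, re
import xml.etree.ElementTree as ET

# Constructed sample (no real SAML/WS-Security namespaces): an Assertion inside a Security header.
ENVELOPE = ('<Envelope><Header><Security><Assertion ID="a1">'
            '<Subject>alice</Subject></Assertion></Security></Header></Envelope>')
XPOINTER_URI = ("#xpointer(/*[local-name()='Envelope']/*[local-name()='Header']"
                "/*[local-name()='Security']/*[local-name()='Assertion'][1])")
KEY = b"constructed-demo-key"  # HMAC key standing in for the signer's RSA key pair

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # local name with any namespace stripped

def resolve_reference(root, uri):
    """Dereference a same-document Reference URI: '#<ID>' or the local-name() xpointer form."""
    if uri.startswith("#xpointer("):
        steps = re.findall(r"\*\[local-name\(\)='([^']+)'\](?:\[(\d+)\])?", uri)
        if not steps or local(root) != steps[0][0]:
            raise LookupError("Could not find a resolver for URI " + uri)
        node = root
        for name, pos in steps[1:]:  # walk child steps by local name, honouring [n]
            node = [c for c in node if local(c) == name][int(pos or 1) - 1]
        return node
    for el in root.iter():  # plain ID reference such as "#a1"
        if el.get("ID") == uri[1:]:
            return el
    raise LookupError("no element with ID " + uri[1:])

def c14n_digest(node):
    """SHA-256 over the canonicalized element (stdlib C14N 2.0, for illustration only)."""
    c14n = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    return hashlib.sha256(c14n.encode()).hexdigest()

def signed_info(uri, digest):
    # The Reference URI sits inside SignedInfo, so it is covered by the signature value.
    return f'<SignedInfo><Reference URI="{uri}"><DigestValue>{digest}</DigestValue></Reference></SignedInfo>'

def sign(envelope, uri, key):
    digest = c14n_digest(resolve_reference(ET.fromstring(envelope), uri))
    mac = hmac.new(key, signed_info(uri, digest).encode(), hashlib.sha256).hexdigest()
    return {"uri": uri, "digest": digest, "sig": mac}

def verify(envelope, sig, key):
    """Return 'valid', 'no-resolver', 'digest-mismatch' or 'signature-mismatch'."""
    try:
        node = resolve_reference(ET.fromstring(envelope), sig["uri"])
    except LookupError:
        return "no-resolver"  # the failure in the post: no resolver for the xpointer URI
    if c14n_digest(node) != sig["digest"]:
        return "digest-mismatch"  # the referenced element itself was altered
    expected = hmac.new(key, signed_info(sig["uri"], sig["digest"]).encode(), hashlib.sha256).hexdigest()
    return "valid" if hmac.compare_digest(expected, sig["sig"]) else "signature-mismatch"
```

Rewriting the URI to "#a1" after signing resolves to the same element and passes the digest check, yet verification still ends in "signature-mismatch", which is the behaviour described in the post.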
