OpenSAML user discussion

[Asa Hardcastle <>]

Hi All,

I understand that the library does not allow an xml child to be the  
child of two different parents.   Is there anything wrong with simply  
calling myobject.setParent(null) on the child?  It seems to work.   So  
does removing it from the parent with  
myparent.getMyObjectList().remove(myobject)

My use case is that I have a SAML Assertion (sometimes an  
EncryptedAssertion) that is passed inside of a SOAP header as a bearer  
token.  Once I have obtained the credentials, I want to make a number  
of requests without re-authenticating.



java.lang.IllegalArgumentException: {urn:oasis:names:tc:SAML:2.0:assertion 
}EncryptedAssertion is already the child of another XMLObject and may  
not be inserted in to this list
	at  
org 
.opensaml 
.xml.util.XMLObjectChildrenList.setParent(XMLObjectChildrenList.java: 
202)
	at  
org 
.opensaml 
.xml.util.XMLObjectChildrenList.add(XMLObjectChildrenList.java:147)
	at  
org 
.opensaml 
.xml.util.XMLObjectChildrenList.add(XMLObjectChildrenList.java:1)
        at java.util.AbstractList.add(AbstractList.java:89)
        at 
org.openliberty.wsc.WSFMessage.createWSFMessage(WSFMessage.java:151)
	at  
org 
.openliberty.wsc.DiscoveryService.invokeWithEPR(DiscoveryService.java: 
262)
	at  
org 
.openliberty 
.wsc 
.test 
.ClientLibTest.queryDiscoveryServiceForServiceEPRs(ClientLibTest.java: 
639)
        ...


thanks,

asa




> You can certainly sign them with the same *key*, but you can't reuse  
> the
> same Signature object.  You need to create a new Signature object for
> each SignableXMLObject that will be signed, and set all the parameters
> on each Signature appropriately.  The library error you're seeing  
> occurs
> because an XMLObject can not be the child of two different parents.
>
> This library issue aside, you probably wouldn't want to do this  
> anyway.
> It is likely that the Reference element(s) in the two signatures (as
> signified by the the ContentReference object(s) that you add to the
> Signature object) would need to be different, since they likely  
> point to
> different things that are being signed.  As far as I know, this would
> definitely be the case in any SAML signing one might want to do.
>
> --Brent
>
>
> Mike Klein wrote:
> > I know at a minimum it is assertions most important to sign but I
> > thought I should sign enclosing response as well...but I get error  
> > when
> > doing this.
> >
> >        Signature sig = SAMLUtil.getSignature(response);
> >        assertion.setSignature(sig);
> >        String signedEncodedResponse = SAMLUtil.marshall(response,  
> > sig,
> > true);
> >
> > As soon as I set signature on assertion I get following:
> >
> > java.lang.IllegalArgumentException:
> > org.opensaml.xml.signature.impl.SignatureImpl cannot be added - it is
> > already the child of another SAML Object
> >    at
> > org 
> > .opensaml 
> > .xml.AbstractXMLObject.prepareForAssignment(AbstractXMLObject.java: 
> > 370)
> >
> > How should I be going about this? Is perhaps signing just broken in  
> > this
> > sense?




--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7