
mace-opensaml-users - Re: is already the child of another XMLObject and may not be inserted in to this list

Subject: OpenSAML user discussion

  • From: Chad La Joie <>
  • To:
  • Subject: Re: is already the child of another XMLObject and may not be inserted in to this list
  • Date: Fri, 08 Feb 2008 09:56:33 +0100
  • Organization: SWITCH

I think that will work, but there is no generic means of doing it (i.e. I can't create a divorce(XMLObject) method). Note that you have to do both calls, break the link from child to parent and the link from parent to child.

Asa Hardcastle wrote:
Hi All,

I understand that the library does not allow an xml child to be the child of two different parents. Is there anything wrong with simply calling myobject.setParent(null) on the child? It seems to work. So does removing it from the parent with myparent.getMyObjectList().remove(myobject)

My use case is that I have a SAML Assertion (sometimes an EncryptedAssertion) that is passed inside of a SOAP header as a bearer token. Once I have obtained the credentials, I want to make a number of requests without re-authenticating.



java.lang.IllegalArgumentException: {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion is already the child of another XMLObject and may not be inserted in to this list
at org.opensaml.xml.util.XMLObjectChildrenList.setParent(XMLObjectChildrenList.java:202)
at org.opensaml.xml.util.XMLObjectChildrenList.add(XMLObjectChildrenList.java:147)
at org.opensaml.xml.util.XMLObjectChildrenList.add(XMLObjectChildrenList.java:1)
at java.util.AbstractList.add(AbstractList.java:89)
at org.openliberty.wsc.WSFMessage.createWSFMessage(WSFMessage.java:151)
at org.openliberty.wsc.DiscoveryService.invokeWithEPR(DiscoveryService.java:262)
at org.openliberty.wsc.test.ClientLibTest.queryDiscoveryServiceForServiceEPRs(ClientLibTest.java:639)
...


thanks,

asa




You can certainly sign them with the same *key*, but you can't reuse the
same Signature object. You need to create a new Signature object for
each SignableXMLObject that will be signed, and set all the parameters
on each Signature appropriately. The library error you're seeing occurs
because an XMLObject can not be the child of two different parents.

This library issue aside, you probably wouldn't want to do this anyway.
It is likely that the Reference element(s) in the two signatures (as
signified by the ContentReference object(s) that you add to the
Signature object) would need to be different, since they likely point to
different things that are being signed. As far as I know, this would
definitely be the case in any SAML signing one might want to do.

--Brent


Mike Klein wrote:
I know at a minimum it is assertions most important to sign but I
thought I should sign enclosing response as well...but I get error when
doing this.

Signature sig = SAMLUtil.getSignature(response);
assertion.setSignature(sig);
String signedEncodedResponse = SAMLUtil.marshall(response, sig, true);

As soon as I set signature on assertion I get following:

java.lang.IllegalArgumentException: org.opensaml.xml.signature.impl.SignatureImpl cannot be added - it is already the child of another SAML Object
at org.opensaml.xml.AbstractXMLObject.prepareForAssignment(AbstractXMLObject.java:370)

How should I be going about this? Is perhaps signing just broken in this
sense?





--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7




--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
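
The single-parent rule discussed in this thread, and why both links have to be broken, shown as an added example that is not part of the original messages and is not OpenSAML code. It is a simplified model in plain Java; `Node`, `add` and `detach` are hypothetical names chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical, simplified model of a single-parent object tree (not the OpenSAML classes).
public class SingleParentDemo {
    static class Node {
        final String name;
        Node parent;                                    // child -> parent link
        final List<Node> children = new ArrayList<>();  // parent -> child link

        Node(String name) { this.name = name; }

        // Same rule as the error in the thread: refuse a child that already has a parent.
        void add(Node child) {
            if (child.parent != null) {
                throw new IllegalArgumentException(child.name
                        + " is already the child of " + child.parent.name);
            }
            child.parent = this;
            children.add(child);
        }

        // Break both links: parent -> child first, then child -> parent.
        static void detach(Node child) {
            if (child.parent != null) {
                child.parent.children.remove(child);
                child.parent = null;
            }
        }
    }

    public static void main(String[] args) {
        Node token = new Node("EncryptedAssertion");    // constructed sample objects
        Node first = new Node("Header-1");
        Node second = new Node("Header-2");
        first.add(token);
        try {
            second.add(token);                          // rejected: token still belongs to Header-1
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        token.parent = null;                            // clears only the child -> parent link
        second.add(token);                              // accepted, but the model is now inconsistent
        System.out.println("stale entry in Header-1: " + first.children.contains(token));
        first.children.remove(token);                   // remove the stale parent -> child entry
        Node.detach(token);                             // proper release from Header-2
        first.add(token);                               // token has exactly one parent again
        System.out.println("Header-1=" + first.children.size() + " Header-2=" + second.children.size());
    }
}
```

In this model, clearing only the child's parent reference leaves the same token listed under two parents, which is the state the single-parent check exists to prevent.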



