OpenSAML user discussion

[Brent Putman <>]

 wrote:
> Hi Brent
>
> Thanks for updating the signing information. Could you clarify a couple of 
> areas for me.
>
> 1. In your example you have the following code. You marshall the assertion 
> with the signature attached but don't store it anywhere. Then you sign the 
> signature object. How does the Signer.signObject get the marshalled assertion 
> in order to generate the signature.
>   

When you marshall an XMLObject tree, each resulting new DOM Element is 
essentially stored on its corresponding XMLObject.  See the getDOM() and 
setDOM() methods on XMLObject.  So prior to marshalling the assertion, 
assertion.getDOM() would have returned null (assuming you hadn't 
unmarshalled it originally or otherwise previously marshalled it).  
After marshalling, it will return the DOM Element that is the Assertion 
node in the DOM tree of nodes.

Marshalling  basically results in a new (usually, unless it already had 
one) tree of DOM Nodes being grafted onto the existing tree of XMLObjects.

The Marshaller#marshall(XMLObject) method does return the DOM Element 
for the object being marshalled, if you want to then serialize it, etc.  
I didn't illustrate that.  But the signing process gets it straight from 
the object via getDOM().


> 2. Once the signature object has been signed (the signature value set), does 
> the assertion need to be marshalled again to get the sign assertion?
>   


No, absolutely not, in fact that may even screw things up (can't 
remember exactly what marshalling an already marshalled tree does).  The 
actual signing operation is implemented by the Apache XML Security 
library and operates directly on the DOM tree.  That is why you have to 
marshall before signing.


--Brent