
mace-opensaml-users - Re: [OpenSAML] XML signature issue(s)

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Cc:
  • Subject: Re: [OpenSAML] XML signature issue(s)
  • Date: Wed, 10 Sep 2008 16:44:18 -0400

No, this is not the proper way to accomplish this in OpenSAML.  The correct way to get a ds:Reference into the ds:Signature is by adding a ContentReference object to the Signature object.  You should not be manipulating the XMLSignature object directly.  Ideally, we wouldn't even expose that via a public method, but it is unfortunately necessary on SignatureImpl because of the way the Signer and SignatureValidator currently work.

This does bring up an issue for Hubert, however.  You don't have to manually add a SAMLContentReference to things which are subclasses of AbstractSignableSAMLObject (note SAML not XML).  This is done for you as a convenience, since SAML is constrained as to the Reference that is allowed.  However, for general signing purposes (e.g. your EPR class), you do need to do this prior to marshalling your Signature.  Create an appropriate instance of ContentReference and add it to the list exposed by Signature#getContentReferences().  There are a couple of subclasses of ContentReference impls available for generic URIs and same-document fragments via IDs.

--Brent



wrote:

I believe you have to add the object to be signed to the signature using signature.addDocument(...)



Edward Thompson

(704) 383-9933
401 South Tryon Street
Three Wachovia Center, Sixth floor
Charlotte, NC 28202

Authentication & Entitlements
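
The sequence described in the reply above, as an added example that is not part of the original thread or of OpenSAML's own code: a ContentReference is added to the Signature before marshalling, so the resulting ds:Signature actually covers the target element. The class name `GenericXmlSigner` and its parameters are hypothetical; it assumes the XMLTooling 1.x API (`DocumentInternalIDContentReference` with `getTransforms()` and `setDigestAlgorithm()`), an already bootstrapped library, and an enveloped signature.

```java
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.DocumentInternalIDContentReference;
import org.opensaml.xml.signature.SignableXMLObject;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.w3c.dom.Element;

/** Hypothetical helper: signs a non-SAML SignableXMLObject (e.g. an EPR class). */
public final class GenericXmlSigner {

    /**
     * @param target     object to sign; its marshaller must emit targetId as an
     *                   attribute registered as an XML ID, or "#targetId" will not resolve
     * @param targetId   value of that ID attribute (assumption: caller supplies it)
     * @param credential signing credential holding the private key
     */
    public static Element sign(SignableXMLObject target, String targetId, Credential credential)
            throws MarshallingException, SignatureException {
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // Same-document reference: becomes <ds:Reference URI="#targetId">.
        DocumentInternalIDContentReference ref = new DocumentInternalIDContentReference(targetId);
        // The Signature is a child of the signed element, so it must be excluded
        // from the digest; otherwise the signature can never validate.
        ref.getTransforms().add(SignatureConstants.TRANSFORM_ENVELOPED_SIGNATURE);
        ref.getTransforms().add(SignatureConstants.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        ref.setDigestAlgorithm(SignatureConstants.ALGO_ID_DIGEST_SHA256);

        // Must happen before marshalling: the marshaller turns each
        // ContentReference into a ds:Reference on the underlying XMLSignature.
        signature.getContentReferences().add(ref);

        target.setSignature(signature);
        Element dom = Configuration.getMarshallerFactory().getMarshaller(target).marshall(target);
        Signer.signObject(signature); // computes digest and signature values over the DOM
        return dom;
    }
}
```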





