
mace-opensaml-users - Re: [OpenSAML] Unable to unmarshall message; unsupported attribute?

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Unable to unmarshall message; unsupported attribute?
  • Date: Fri, 19 Sep 2008 14:28:19 -0400



Bailo, John wrote:
> Thanks for your help. I'm basing my code on
> \org\opensaml\saml1\binding\decoding\HTTPPostDecoderTest.java.
>

That's functionally correct, of course, but perhaps a little convoluted
to use as a template based on the way the tests are written. Such is
the nature of unit tests...

> The difference is that they simulate the http request in code, where I
> set up a .jsp with a FORM and SAMLRequest and target INPUT fields and I
> POST to a servlet.
>

That's fine, it should work either way. What you're trying to implement
here is apparently the binding behavior defined by the SAML 1.1
Browser/POST profile. If there are any details about what that means
that are unclear, consulting the spec doc would be helpful:


http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf

See section 4.1.2

("They", btw, includes Chad and me, the primary developers of Java
OpenSAML 2.)

Actually, I just noticed you said SAMLRequest. That isn't a part of
SAML 1.1 Browser/POST. Either you meant to say SAMLResponse (you're
implementing an SP, right?), or else you intend to do SAML 2. The
code is the same for the latter, but the decoder class (amongst many
other things....) is of course different.


> From the sample code, I culled what I think are the necessary steps to
> get me to decode a SAML 1.1 object that is 64encoded in a FORM.
> According to the documentation link you sent me, "When fetching an
> unmarshaller based on an element the factory first checks to see if the
> element has a schema type specified by an xsi:type attribute. If it
> does, the factory attempts to lookup an unmarshaller for that schema
> type", so I assume that the BasicSAMLMessageContent object unmarshalls
> and attempts to use the matching schema in the same way.
>

Yes, mostly correct, but it's not the message context itself that does
the unmarshalling. It uses factories exposed by the global
org.opensaml.Configuration to resolve builders, unmarshallers and
marshallers. On unmarshalling, resolution is first attempted based on
the xsi:type QName, if present; if not, or not registered, then uses the
Element QName.

> I am using:
>
> import org.opensaml.saml1.binding.decoding.HTTPPostDecoder;
>
> My method is below. I believe it's the necessary and sufficient number
> of steps to get me to being able to decode the SAMLResponse.
>
> protected void doGet(HttpServletRequest request, HttpServletResponse response)
>         throws ServletException, IOException {
>
>     SAMLMessageDecoder decoder;
>
>     try {
>         messageContext = new BasicSAMLMessageContext();
>         messageContext.setInboundMessageTransport(
>                 new HttpServletRequestAdapter(request));
>
>         decoder = new HTTPPostDecoder(null);
>         decoder.decode(messageContext);
>     } catch (MessageDecodingException e) {
>     } catch (SecurityException e) {}
> }
>
>

That code looks functionally correct for the decoder. You do however
need to call DefaultBootstrap.bootstrap() to initialize the library
before you do any of this, as I've already noted. Amongst other things,
that loads up the Configuration factories with the implementation
classes. Note that the unit test does in fact call the bootstrap, it
just does it in a superclass setUp() method. You only need and want to
do it once, in your app's init/startup code, wherever that is.


> Yet, decode(messageContext) throws an exception.
>

The same error that you previously posted? Then you need to init the
library as we've already noted. If a different error, then please post it.

--Brent
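
Added example, not part of the original message and not OpenSAML project code: a servlet that performs the one-time DefaultBootstrap.bootstrap() call in init() and then decodes the form POST, reporting decode failures instead of swallowing them. The class name SamlPostReceiverServlet, the log and error messages, and the choice of a single servlet's init() as the application's startup hook are assumptions; the decoder constructor argument is kept as in the quoted post.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.saml1.binding.decoding.HTTPPostDecoder;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.ConfigurationException;

// Hypothetical servlet name; not from the original thread.
public class SamlPostReceiverServlet extends HttpServlet {

    @Override
    public void init() throws ServletException {
        try {
            // Loads the global Configuration factories (builders, marshallers,
            // unmarshallers). Without this, no unmarshaller can be resolved.
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            throw new ServletException("OpenSAML initialization failed", e);
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
        messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
        try {
            // Constructor argument kept as in the quoted post.
            new HTTPPostDecoder(null).decode(messageContext);
        } catch (MessageDecodingException e) {
            log("Could not decode the posted SAML message", e);
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid SAML message");
            return;
        } catch (org.opensaml.xml.security.SecurityException e) {
            log("Posted SAML message was rejected", e);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML message rejected");
            return;
        }
        // The unmarshalled root object, resolved by xsi:type QName or element QName.
        SAMLObject message = messageContext.getInboundSAMLMessage();
        log("Decoded SAML message: " + message.getElementQName());
    }
}
```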



