OpenSAML user discussion

[Brent Putman <>]

On 4/8/10 2:23 PM, Jason Countryman wrote:
> Hopefully someone has run across this before.  I'm having an issue
> trying to sign my assertion.  I've got a fully loaded up
> BasicX509Credential in privateCredential.  I'm not sure what's fallling
> apart here.
> 
> Here's my code:
> 

Your OpenSAML code looks fine, nothing wrong there.


> 
> Here's my stack trace:
> 
> java.lang.RuntimeException:
> org.apache.xml.security.signature.XMLSignatureException: object not
> initialized for signature or verification
> Original Exception was java.security.SignatureException: object not
> initialized for signature or verification
> at org.apache.xml.security.utils.SignerOutputStream.write(Unknown Source)
> at


I know this error occurs in Apache xmlsec in some cases when you are
trying to re-use the same PublicKey/PrivateKey pair in the same thread
for both signing and validation.  It tries to optimize with some caching
of Java Signature objects as ThreadLocals, and it is (or was) basically
broken.  Are you doing anything like that here?

Google for "object not initialized for signature or verification", you
should get several relevant hits.    They (Apache xmlsec developers)
reported xmlsec 1.4.3 was supposed to have fixed these, but maybe not.
What version of OpenSAML and Apache xmlsec are you using?  Do you by
chance have an older version of xmlsec mixed in there?