
mace-opensaml-users - Re: [OpenSAML] Error with Signer.signObject()

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Error with Signer.signObject()
  • Date: Thu, 08 Apr 2010 16:10:34 -0400



On 4/8/10 3:48 PM, Jason Countryman wrote:
> I'm using 1.4.3, so that should be fine. I'm trying to do something a
> little odd, something like this:
>
>


It might be a little odd SAML-wise, or not, but: none of that should
really have anything to do with your problem, it's much more low level
than that.



> I get the rest just fine, it's the signature that bombs out.
>


The actual exception that's being thrown:

java.security.SignatureException: object not initialized for signature or verification

is actually coming from the java.security.Signature instance, which is
instantiated and managed by Apache xmlsec. The OpenSAML code doesn't
interact with that at all, at least directly.

The only possible thing to check is that you are supplying a non-null
PrivateKey in your privateCredential instance, and based on your
SignatureMethod value, that it is an RSA private key.

If you are doing that, then you're doing what is expected - and the
error is caused by triggering some bug in Apache xmlsec. The old way
that this happened (supposedly fixed, maybe not) was non-intuitive and
easy to miss - one ordinarily doesn't think that a previous operation in
a given thread should cause issues with a later operation in that
thread. One of the dangers of the improper or sloppy use of ThreadLocal.
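
Added example, not part of the original message and not OpenSAML or Apache xmlsec code: a JDK-only pre-flight check for the two conditions named above (non-null private key, key type matching the signature method), followed by the java.security.Signature call sequence that produces the quoted exception message. The class name SignPreflight, the helper check() and the URI table are assumptions made for illustration, and the block does not reproduce the xmlsec ThreadLocal behaviour.

```java
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Map;

public class SignPreflight {
    // XML-DSig signature method URI -> key algorithm the private key must report.
    static final Map<String, String> REQUIRED_KEY = Map.of(
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "RSA",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "RSA",
        "http://www.w3.org/2000/09/xmldsig#dsa-sha1", "DSA");

    /** Returns null when the key fits the signature method, otherwise the reason it does not. */
    static String check(PrivateKey key, String methodUri) {
        String required = REQUIRED_KEY.get(methodUri);
        if (required == null) return "signature method not in table: " + methodUri;
        if (key == null) return "credential has no private key";
        if (!required.equals(key.getAlgorithm()))
            return methodUri + " requires key algorithm " + required
                 + ", got " + key.getAlgorithm();
        return null;
    }

    static PrivateKey newKey(String alg) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance(alg);
        g.initialize(2048);
        return g.generateKeyPair().getPrivate();
    }

    public static void main(String[] args) throws Exception {
        String rsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        PrivateKey rsa = newKey("RSA"), dsa = newKey("DSA"); // constructed throwaway keys
        System.out.println("RSA key:  " + check(rsa, rsaSha256));
        System.out.println("DSA key:  " + check(dsa, rsaSha256));
        System.out.println("null key: " + check(null, rsaSha256));

        // The JDK itself raises the quoted message when a Signature is used
        // before initSign()/initVerify() has succeeded on it.
        Signature sig = Signature.getInstance("SHA256withRSA");
        try {
            sig.update("payload".getBytes("UTF-8"));
        } catch (SignatureException e) {
            System.out.println("uninitialized: " + e.getMessage());
        }
        sig.initSign(rsa); // with a matching key the same object signs normally
        sig.update("payload".getBytes("UTF-8"));
        System.out.println("signed " + sig.sign().length + " bytes");
    }
}
```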


