OpenSAML user discussion

[Chad La Joie <>]

OpenSAML is not meant to be a generic SOAP stack.  It provides some very 
basic APIs to do just enough SOAP handling to cover what the standard 
SAML profiles require.

You can use products like Axis and XFire but you should be aware that:
  - there are no standard APIs for this so when you go from one tool to 
another you have to marshall and serialize the XML out of OpenSAML and 
then deserialize and unmarshall it back in to whatever APIs the other 
tool uses
  - these tools do not make any guarantees that they will keep the XML 
you give them in tact, in fact they rarely do.  This will break any 
signatures that you create.
  - these tools offer almost nothing in the way of actually security. 
Things like Axis's Rampart module are a complete joke.

As for the OpenSAML APIs, yes you have to use the getUnknownXMLObjects 
because there really is no way, from an API standpoint, to know what is 
in the body.  It could be anything.

And no, the library does not do SOAP fault handling.  As the javadocs 
say, the OpenSAML library is about constructing and reading in messages 
it is not about processing them (outside of basic very basic "is this 
even a valid message" checks).

On 7/27/10 4:16 PM, Nathan Hook wrote:
> I'm fairly new to openSAML, so please try to ignore the possible naivety
> of my questions below.
>
> I'm having difficulties figuring out how to properly parse and construct
> SAML SOAP messages. Our product is required to be both a provider and
> consumer of SAML messages.
>
> Our application stack includes the following products: Tomcat, Spring
> 2.5.6 (which includes using Spring MVC), xmltooling 1.2.0., and opensaml
> 2.2.3 (should I be using the 2.3.1 version that is under the latest
> directory: http://shibboleth.internet2.edu/downloads/opensaml/java/latest/)
>
> Should I be using a product like Axis2 or XFire to handle the SOAP
> messaging?
>
> Does SAML have a way of handling SOAP Envelopes that allows us (the
> developers) to get directly to the XML Body without having to call the
> getUnknownXMLObjects().get(0) on the Body of the SOAP message?
>
> Also, does any part of SAML handle the proper usage of SOAP Faults when
> there is something wrong in a clients SOAP request? Or would this be
> something that we should use an external SOAP library for?
>
>
>
> ------------------------------------------------------------------------
> Hotmail is redefining busy with tools for the New Busy. Get more from
> your inbox. See how.
> <http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_2>

--
Chad La Joie
http://itumi.biz
trusted identities, delivered