mace-opensaml-users - Re: [OpenSAML] Proper SOAP Handeling
Subject: OpenSAML user discussion
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: [OpenSAML] Proper SOAP Handeling
- Date: Wed, 28 Jul 2010 07:28:17 -0400
- Organization: Itumi, LLC
OpenSAML is not meant to be a generic SOAP stack. It provides some very basic APIs to do just enough SOAP handling to cover what the standard SAML profiles require.
You can use products like Axis and XFire but you should be aware that:
- there are no standard APIs for this so when you go from one tool to another you have to marshall and serialize the XML out of OpenSAML and then deserialize and unmarshall it back in to whatever APIs the other tool uses
- these tools do not make any guarantees that they will keep the XML you give them in tact, in fact they rarely do. This will break any signatures that you create.
- these tools offer almost nothing in the way of actually security. Things like Axis's Rampart module are a complete joke.
As for the OpenSAML APIs, yes you have to use the getUnknownXMLObjects because there really is no way, from an API standpoint, to know what is in the body. It could be anything.
And no, the library does not do SOAP fault handling. As the javadocs say, the OpenSAML library is about constructing and reading in messages it is not about processing them (outside of basic very basic "is this even a valid message" checks).
On 7/27/10 4:16 PM, Nathan Hook wrote:
I'm fairly new to openSAML, so please try to ignore the possible naivety
of my questions below.
I'm having difficulties figuring out how to properly parse and construct
SAML SOAP messages. Our product is required to be both a provider and
consumer of SAML messages.
Our application stack includes the following products: Tomcat, Spring
2.5.6 (which includes using Spring MVC), xmltooling 1.2.0., and opensaml
2.2.3 (should I be using the 2.3.1 version that is under the latest
directory: http://shibboleth.internet2.edu/downloads/opensaml/java/latest/)
Should I be using a product like Axis2 or XFire to handle the SOAP
messaging?
Does SAML have a way of handling SOAP Envelopes that allows us (the
developers) to get directly to the XML Body without having to call the
getUnknownXMLObjects().get(0) on the Body of the SOAP message?
Also, does any part of SAML handle the proper usage of SOAP Faults when
there is something wrong in a clients SOAP request? Or would this be
something that we should use an external SOAP library for?
------------------------------------------------------------------------
Hotmail is redefining busy with tools for the New Busy. Get more from
your inbox. See how.
<http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_2>
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
- [OpenSAML] Proper SOAP Handeling, Nathan Hook, 07/27/2010
- Re: [OpenSAML] Proper SOAP Handeling, Chad La Joie, 07/28/2010
- RE: [OpenSAML] Proper SOAP Handeling, Nathan Hook, 07/29/2010
- Re: [OpenSAML] Proper SOAP Handeling, Chad La Joie, 07/28/2010
Archive powered by MHonArc 2.6.16.