OpenSAML user discussion

[Nathan Hook <>]

Thank you for the nice reply.

I was concerned that the current soap tools on the market might not work out so great.  I think I'm going to look into both CXF (xFire2) and Spring-WS.  It looks like spring will allow for custom marshallers, which I'm hoping will allow us to either use the openSAML marshallers or at the very least pass the body xml string to a different service.

If I'm able to get anything to work properly I let you know.

Thank you for your time.


> Date: Wed, 28 Jul 2010 07:28:17 -0400
> From:
> To:
> Subject: Re: [OpenSAML] Proper SOAP Handeling
>
> OpenSAML is not meant to be a generic SOAP stack. It provides some very
> basic APIs to do just enough SOAP handling to cover what the standard
> SAML profiles require.
>
> You can use products like Axis and XFire but you should be aware that:
> - there are no standard APIs for this so when you go from one tool to
> another you have to marshall and serialize the XML out of OpenSAML and
> then deserialize and unmarshall it back in to whatever APIs the other
> tool uses
> - these tools do not make any guarantees that they will keep the XML
> you give them in tact, in fact they rarely do. This will break any
> signatures that you create.
> - these tools offer almost nothing in the way of actually security.
> Things like Axis's Rampart module are a complete joke.
>
> As for the OpenSAML APIs, yes you have to use the getUnknownXMLObjects
> because there really is no way, from an API standpoint, to know what is
> in the body. It could be anything.
>
> And no, the library does not do SOAP fault handling. As the javadocs
> say, the OpenSAML library is about constructing and reading in messages
> it is not about processing them (outside of basic very basic "is this
> even a valid message" checks).
>
> On 7/27/10 4:16 PM, Nathan Hook wrote:
> > I'm fairly new to openSAML, so please try to ignore the possible naivety
> > of my questions below.
> >
> > I'm having difficulties figuring out how to properly parse and construct
> > SAML SOAP messages. Our product is required to be both a provider and
> > consumer of SAML messages.
> >
> > Our application stack includes the following products: Tomcat, Spring
> > 2.5.6 (which includes using Spring MVC), xmltooling 1.2.0., and opensaml
> > 2.2.3 (should I be using the 2.3.1 version that is under the latest
> > directory: http://shibboleth.internet2.edu/downloads/opensaml/java/latest/)
> >
> > Should I be using a product like Axis2 or XFire to handle the SOAP
> > messaging?
> >
> > Does SAML have a way of handling SOAP Envelopes that allows us (the
> > developers) to get directly to the XML Body without having to call the
> > getUnknownXMLObjects().get(0) on the Body of the SOAP message?
> >
> > Also, does any part of SAML handle the proper usage of SOAP Faults when
> > there is something wrong in a clients SOAP request? Or would this be
> > something that we should use an external SOAP library for?
> >
> >
> >
> > ------------------------------------------------------------------------
> > Hotmail is redefining busy with tools for the New Busy. Get more from
> > your inbox. See how.
> > <http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_2>
>
> --
> Chad La Joie
> http://itumi.biz
> trusted identities, delivered