mace-opensaml-users - RE: [OpenSAML] Proper SOAP Handeling

Subject: OpenSAML user discussion

  • From: Jim Cox <>
  • To:
  • Subject: RE: [OpenSAML] Proper SOAP Handeling
  • Date: Fri, 06 Aug 2010 16:50:46 -0400

I've used spring-ws and open saml successfully in a web application.
You are correct, it is just a matter of implementing your own
Marshaller/Unmarshaller, then delegating to open saml to do the work.

But you will run into problems if you plan to use this in Tomcat. I was
never able to get unmarshall to work under Tomcat 6, or even when the
client was a standalone java application running under a sun 6 jre.

Spring ws relies on SAAJ to handle the xml processing. I suspect that
sun's saaj impl is not honoring the endorsed mechanism. By the time it
gets to the Spring Marshaller, it is already a DOM that cannot be
processed by open saml.

Since SAAJ is now part of the jdk, there seems to be little motivation
to supply an alternative implementation. If there was one that was
built explicitly on top of Xerces, you could easily plug it in, as
spring ws allows you to specify the implementation class of the message
factory.

Oddly, this worked fine under Websphere 6.1 with the web services
feature pack installed. I was able to use SOAPUI to send a signed
artifact resolve request to the server. The server could verify the
signature and send back an artifact resolve response. I suspect that
IBM's saaj message factory is already using Xerces.

I think I have some example code lying around somewhere. If there is
an interest I can dust it off and post it somewhere.

-Jim



On Thu, 2010-07-29 at 09:36 -0600, Nathan Hook wrote:
> Thank you for the nice reply.
>
> I was concerned that the current soap tools on the market might not
> work out so great. I think I'm going to look into both CXF (xFire2)
> and Spring-WS. It looks like spring will allow for custom
> marshallers, which I'm hoping will allow us to either use the openSAML
> marshallers or at the very least pass the body xml string to a
> different service.
>
> If I'm able to get anything to work properly I'll let you know.
>
> Thank you for your time.
>
>
> > Date: Wed, 28 Jul 2010 07:28:17 -0400
> > From:
> > To:
> > Subject: Re: [OpenSAML] Proper SOAP Handeling
> >
> > OpenSAML is not meant to be a generic SOAP stack. It provides some very
> > basic APIs to do just enough SOAP handling to cover what the standard
> > SAML profiles require.
> >
> > You can use products like Axis and XFire but you should be aware that:
> > - there are no standard APIs for this so when you go from one tool to
> > another you have to marshall and serialize the XML out of OpenSAML and
> > then deserialize and unmarshall it back in to whatever APIs the other
> > tool uses
> > - these tools do not make any guarantees that they will keep the XML
> > you give them intact, in fact they rarely do. This will break any
> > signatures that you create.
> > - these tools offer almost nothing in the way of actual security.
> > Things like Axis's Rampart module are a complete joke.
> >
> > As for the OpenSAML APIs, yes you have to use the getUnknownXMLObjects
> > because there really is no way, from an API standpoint, to know what is
> > in the body. It could be anything.
> >
> > And no, the library does not do SOAP fault handling. As the javadocs
> > say, the OpenSAML library is about constructing and reading in messages,
> > it is not about processing them (outside of very basic "is this
> > even a valid message" checks).
> >
> > On 7/27/10 4:16 PM, Nathan Hook wrote:
> > > I'm fairly new to openSAML, so please try to ignore the possible naivety
> > > of my questions below.
> > >
> > > I'm having difficulties figuring out how to properly parse and construct
> > > SAML SOAP messages. Our product is required to be both a provider and
> > > consumer of SAML messages.
> > >
> > > Our application stack includes the following products: Tomcat, Spring
> > > 2.5.6 (which includes using Spring MVC), xmltooling 1.2.0, and opensaml
> > > 2.2.3 (should I be using the 2.3.1 version that is under the latest
> > > directory: http://shibboleth.internet2.edu/downloads/opensaml/java/latest/)
> > >
> > > Should I be using a product like Axis2 or XFire to handle the SOAP
> > > messaging?
> > >
> > > Does SAML have a way of handling SOAP Envelopes that allows us (the
> > > developers) to get directly to the XML Body without having to call the
> > > getUnknownXMLObjects().get(0) on the Body of the SOAP message?
> > >
> > > Also, does any part of SAML handle the proper usage of SOAP Faults when
> > > there is something wrong in a client's SOAP request? Or would this be
> > > something that we should use an external SOAP library for?
> > >
> > >
> > >
> > >
> ------------------------------------------------------------------------
> > > Hotmail is redefining busy with tools for the New Busy. Get more
> from
> > > your inbox. See how.
> > >
> <http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_2>
> >
> > --
> > Chad La Joie
> > http://itumi.biz
> > trusted identities, delivered
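
An added illustration of the approach described at the top of this message (a Spring-WS Unmarshaller that delegates to OpenSAML); it is not code from the thread or from either project. The class name `OpenSamlUnmarshallerBridge` is hypothetical, only the receiving side is shown, and it assumes OpenSAML 2.x was initialised once with `DefaultBootstrap.bootstrap()`.

```java
import java.io.IOException;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.dom.DOMSource;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.springframework.oxm.UnmarshallingFailureException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Hypothetical bridge class; assumes DefaultBootstrap.bootstrap() already ran at startup.
public class OpenSamlUnmarshallerBridge implements org.springframework.oxm.Unmarshaller {

    // Raw Class keeps this compatible with both the raw and the Class<?> interface signature.
    @SuppressWarnings("rawtypes")
    public boolean supports(Class clazz) {
        return XMLObject.class.isAssignableFrom(clazz);
    }

    public Object unmarshal(Source source) throws IOException {
        try {
            Node node;
            if (source instanceof DOMSource) {
                node = ((DOMSource) source).getNode(); // use the received tree as-is, no copy
            } else {
                DOMResult dom = new DOMResult();       // stream/SAX sources: build a DOM first
                TransformerFactory.newInstance().newTransformer().transform(source, dom);
                node = dom.getNode();
            }
            Element root = node instanceof Document
                    ? ((Document) node).getDocumentElement() : (Element) node;
            // OpenSAML picks the unmarshaller from the element's xsi:type or QName.
            org.opensaml.xml.io.Unmarshaller delegate =
                    Configuration.getUnmarshallerFactory().getUnmarshaller(root);
            if (delegate == null) {
                throw new UnmarshallingFailureException(
                        "No OpenSAML unmarshaller for " + root.getNodeName());
            }
            return delegate.unmarshall(root);
        } catch (TransformerException e) {
            throw new UnmarshallingFailureException("Could not build DOM from source", e);
        } catch (org.opensaml.xml.io.UnmarshallingException e) {
            throw new UnmarshallingFailureException("OpenSAML could not unmarshall payload", e);
        }
    }
}
```

Unmarshalling only builds the object; verifying any signature on it is a separate step, and it should run against this same DOM, since a re-serialised copy may no longer match what was signed.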




