Results 1 to 1 of 1

Thread: Add custom SAML Assertion to Security Element?

  1. Jun 21st, 2012, 11:29 AM #1
    benze
    benze is offline Member
    Join Date
    May 2011
    Posts
    81

    Default Add custom SAML Assertion to Security Element?

    Hi,

    I'm sure I'm going about this wrong. Any pointers would be greatly appreciated.

    I have a Spring-WS client that I am writing using the WebServiceTemplate. The service that I am consuming requires me to sign the body and include a SAML token in the header. The SAML token itself is somewhat of a dummy token - it is not generated by an SSO service at this point. I have the contents of the SAML assertion that I want to insert, but I just do not understand how to do it.

    At the moment, I have figured out how to configure the Wss4jSecurityInterceptor to sign the body, however I do not know/understand how to best add the SAML assertion to the Security header. I tried to hack it in using a Callback, but it would seem that the interceptors are fired after the callbacks, so that doesn't help me.

    I have managed to hack it into the Wss4jSecurityInterceptor, but my solution is unbearably ugly. Functional, but a real train wreck to look at.

    Code:
    public class SAMLInterceptor extends Wss4jSecurityInterceptor {

	/* (non-Javadoc)
	 * @see org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor#secureMessage(org.springframework.ws.soap.SoapMessage, org.springframework.ws.context.MessageContext)
	 */
	@Override
	protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecuritySecurementException {
		super.secureMessage(soapMessage, messageContext);
		
		String samlAssertion = "";
		try {
			samlAssertion = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("requests/samlAssertion.xml") );
		} catch (IOException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
		
		// insert SAML
		SoapHeader soapHeader = soapMessage.getSoapHeader();
		Iterator<SoapHeaderElement> it = soapHeader.examineHeaderElements(new QName( "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security", "wsse" ) ); 
		if( it.hasNext() ) {
			Transformer transformer;
			try {
				transformer = TransformerFactory.newInstance().newTransformer();
				transformer.transform(new StringSource(samlAssertion), it.next().getResult());
			} catch (TransformerException e) {
				// TODO Auto-generated catch block
				e.printStackTrace();
			}
		}	

	}


}
    Is there a cleaner/simpler solution for this?

    Thanks,

    Eric
    Last edited by benze; Jun 21st, 2012 at 11:48 AM. Reason: Added ugly Interceptor code
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules