
  • Add custom SAML Assertion to Security Element?


    I'm sure I'm going about this wrong. Any pointers would be greatly appreciated.

    I have a Spring-WS client that I am writing using the WebServiceTemplate. The service that I am consuming requires me to sign the body and include a SAML token in the header. The SAML token itself is somewhat of a dummy token - it is not generated by an SSO service at this point. I have the contents of the SAML assertion that I want to insert, but I just do not understand how to do it.

    At the moment, I have figured out how to configure the Wss4jSecurityInterceptor to sign the body, however I do not know/understand how to best add the SAML assertion to the Security header. I tried to hack it in using a Callback, but it would seem that the interceptors are fired after the callbacks, so that doesn't help me.

    I have managed to hack it into the Wss4jSecurityInterceptor, but my solution is unbearably ugly. Functional, but a real train wreck to look at.

    public class SAMLInterceptor extends Wss4jSecurityInterceptor {
    	/* (non-Javadoc)
    	 * @see Wss4jSecurityInterceptor#secureMessage(SoapMessage, MessageContext)
    	 */
    	@Override
    	protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecuritySecurementException {
    		// let the parent interceptor sign the body first
    		super.secureMessage(soapMessage, messageContext);
    		String samlAssertion = "";
    		try {
    			samlAssertion = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("requests/samlAssertion.xml") );
    		} catch (IOException e) {
    			// TODO Auto-generated catch block
    		}
    		// insert SAML
    		SoapHeader soapHeader = soapMessage.getSoapHeader();
    		// the namespace URI is blank as posted, so this matches only an unqualified Security element
    		Iterator<SoapHeaderElement> it = soapHeader.examineHeaderElements(new QName( "", "Security", "wsse" ) );
    		if( it.hasNext() ) {
    			Transformer transformer;
    			try {
    				transformer = TransformerFactory.newInstance().newTransformer();
    				// the second argument is cut off on the page; the header element's Result is assumed here
    				transformer.transform(new StringSource(samlAssertion), it.next().getResult());
    			} catch (TransformerException e) {
    				// TODO Auto-generated catch block
    			}
    		}
    	}
    }

    Is there a cleaner/simpler solution for this?


    Last edited by benze; Jun 21st, 2012, 11:48 AM. Reason: Added ugly Interceptor code
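
The insertion step the post describes, written against the plain JDK DOM API as an added example (not the poster's code and not Spring-WS code): it locates the header by the WS-Security namespace, parses the assertion with DOCTYPEs disabled, and imports it into `wsse:Security`. The class name, the sample envelope and the sample assertion are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SamlHeaderInsert {
    // WS-Security 1.0 "secext" namespace used by the wsse:Security header
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Namespace-aware parse that rejects DOCTYPEs, so the assertion file cannot pull in external entities
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Imports the assertion as first child of wsse:Security; fails if the header is missing or already has one
    static Element insertAssertion(Document envelope, Document assertion) {
        NodeList sec = envelope.getElementsByTagNameNS(WSSE_NS, "Security");
        if (sec.getLength() != 1)
            throw new IllegalStateException("expected exactly one wsse:Security header");
        Element security = (Element) sec.item(0);
        if (security.getElementsByTagNameNS("*", "Assertion").getLength() > 0)
            throw new IllegalStateException("Security header already contains an Assertion");
        Node imported = envelope.importNode(assertion.getDocumentElement(), true);
        return (Element) security.insertBefore(imported, security.getFirstChild());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an already-signed envelope (signature stubbed) and a dummy assertion
        String env = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Header>"
            + "<wsse:Security xmlns:wsse='" + WSSE_NS + "'><ds:Signature"
            + " xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/></wsse:Security></s:Header><s:Body/></s:Envelope>";
        String saml = "<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='_constructed'/>";
        Document doc = parse(env);
        Element added = insertAssertion(doc, parse(saml));
        System.out.println(added.getParentNode().getNodeName() + " > " + added.getNodeName());
        System.out.println("next sibling: " + added.getNextSibling().getNodeName());
    }
}
```

Because the assertion is inserted after the body has been signed, a signature that covers only the body does not cover the assertion itself.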