In Axis2/Rampart, how can I get SAML Assertion in PasswordCallBackHandler


I am securing my SOAP based Web Services using STS. The tokens are SAML 1.0 tokens. The SAML tokens are added in SOAP Header as security header. I need the SAMLAssertions as I need to get the nameIdentifier from the SAMLAssertion.

Can I get hold of the SAMLAssertion in the PasswordCallBackHandler class? Is there any other way of doing it?


There are 1 best solutions below

Vishwanath Washimkar

Finally I was able to identify a way to do what I wanted. I will list the solution point-wise:

  • It's not possible via PasswordCallBackHandler, as Axis does not give access to the MessageContext.

  • The solution is to create a custom handler class which extends org.apache.axis2.handlers.AbstractHandler. Since in my case it's a SAML2 security token, I wanted my handler to be called in the 'post-security' phase of the 'InFlow' phaseOrder. This ensures that the security header has passed the security phase. The handler class has an invoke method which has a MessageContext as its parameter. MessageContext gives you access to the whole SOAPEnvelope and its content. Following is the skeleton code you can build on:

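      package labware.web.ws.control;

      import org.apache.axiom.soap.SOAPEnvelope;
      import org.apache.axiom.soap.SOAPHeader;
      import org.apache.axis2.AxisFault;
      import org.apache.axis2.context.MessageContext;
      import org.apache.axis2.handlers.AbstractHandler;
      import org.apache.commons.logging.Log;
      import org.apache.commons.logging.LogFactory;

      public class LIMSConHandler extends AbstractHandler {
          private static final Log LOG = LogFactory.getLog(LIMSConHandler.class);

          public InvocationResponse invoke(MessageContext ctx) throws AxisFault {
              // The following code gives you access to the SOAP envelope and its header
              SOAPEnvelope msgEnvelope = ctx.getEnvelope();
              SOAPHeader msgHeader = msgEnvelope.getHeader();
              // Add your logic to extract the security header and SAML assertion

              return InvocationResponse.CONTINUE;
          }
      }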
    

Bind this handler to the 'Post-Security' custom phase in axis2.xml:

    <phaseOrder type="InFlow">
     .........
        <phase name="Security"/>
        <phase name="PostSecurity">
            <handler name="LIMSConHandler" class="labware.web.ws.control.LIMSConHandler"/>
        </phase>
    </phaseOrder>

I welcome input on this.
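
One way to fill in the "add your logic" step of the handler skeleton in the answer above, shown as an added example that is not part of the original answer or of Axis2/Rampart. It assumes a SAML 1.x assertion carried as a direct child of the wsse:Security header and a handler bound to a phase after Security, so Rampart has already processed the header; the class name `SamlNameIdHandler` and the property key are hypothetical.

```java
import java.util.Iterator;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;

public class SamlNameIdHandler extends AbstractHandler {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion";
    // Hypothetical property key under which the service can later read the value.
    public static final String NAME_ID_PROPERTY = "example.saml.nameIdentifier";

    public InvocationResponse invoke(MessageContext ctx) throws AxisFault {
        SOAPHeader header = ctx.getEnvelope().getHeader();
        OMElement security = header == null ? null
                : header.getFirstChildWithName(new QName(WSSE, "Security"));
        if (security == null) throw new AxisFault("No wsse:Security header");
        ctx.setProperty(NAME_ID_PROPERTY, extractNameIdentifier(security));
        return InvocationResponse.CONTINUE;
    }

    static String extractNameIdentifier(OMElement security) throws AxisFault {
        Iterator<?> assertions =
                security.getChildrenWithName(new QName(SAML1, "Assertion"));
        if (!assertions.hasNext()) throw new AxisFault("No SAML assertion");
        OMElement assertion = (OMElement) assertions.next();
        // Fail closed on ambiguity: with two assertions it is unclear which one
        // the security phase actually validated.
        if (assertions.hasNext()) throw new AxisFault("More than one SAML assertion");
        // In SAML 1.x the Subject sits inside a statement element
        // (AuthenticationStatement, AttributeStatement, ...), not under Assertion.
        QName subjectName = new QName(SAML1, "Subject");
        for (Iterator<?> it = assertion.getChildElements(); it.hasNext();) {
            OMElement subject = ((OMElement) it.next()).getFirstChildWithName(subjectName);
            OMElement nameId = subject == null ? null
                    : subject.getFirstChildWithName(new QName(SAML1, "NameIdentifier"));
            if (nameId != null && nameId.getText().trim().length() > 0) {
                return nameId.getText().trim();
            }
        }
        throw new AxisFault("Assertion has no NameIdentifier");
    }
}
```

For SAML 2.0 tokens the namespace is `urn:oasis:names:tc:SAML:2.0:assertion` and the identifier is the `NameID` element directly under `Assertion/Subject`, so the statement loop is not needed.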