I’ve been working with Apache CXF and WSS4J to implement a SecurityTokenService.

Using a “CustomClaimsHandler” implementing "org.apache.cxf.sts.claims.ClaimsHandler" I can create a SAML token containing this kind of attributes :

<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
               <saml2:AttributeValue xsi:type="xs:string">admin</saml2:AttributeValue>
</saml2:Attribute>

The thing is I am now trying to create an attribute with some XML content. For exemple :

<saml2:Attribute Name="http://my/xml/content">
               <saml2:AttributeValue xsi:type="???">
        <somthing>
<somthingElse>text</somthingElse>
        </somthing>
</saml2:AttributeValue>
</saml2:Attribute>

I’ve looked at making a custom implementation of a “ClaimsAttributeStatementProvider” (org.apache.cxf.sts.claims) but I seem to have to use the “AttributeBean” class of WSS4J. But this class doesn’t seem to let me change the type.

Does someone now how to deal with this issue ?

======================================================================

Edit following Colm's answer :

I added a dependency to opensaml-core v3.0.0 in my CXF STS project to obtain the “org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport” class as shown in the exemple you pointed to me. Before calling the XMLObjectProviderRegistrySupport.getBuilderFactory() I seemed to have to initialize the configuration of opensaml. I didn’t manage to use the embedded configuration that I suppose my WSS4J in CXF is using. I managed the initialization calling “org.opensaml.core.config.InitializationService.initialize();”

All seems good for the creation of the AttributeBean with an XSAny type.

The problem is when WSS4J tries to Handle the SAMLCallback :

Caused by: java.lang.ClassCastException: org.opensaml.core.xml.schema.impl.XSAnyBuilder cannot be cast to org.opensaml.xml.XMLObjectBuilder at org.opensaml.xml.XMLConfigurator.initializeObjectProviders(XMLConfigurator.java:236) at org.opensaml.xml.XMLConfigurator.load(XMLConfigurator.java:182) at org.opensaml.xml.XMLConfigurator.load(XMLConfigurator.java:166) at org.opensaml.xml.XMLConfigurator.load(XMLConfigurator.java:143) at org.apache.wss4j.common.saml.OpenSAMLBootstrap.initializeXMLTooling(OpenSAMLBootstrap.java:105) at org.apache.wss4j.common.saml.OpenSAMLBootstrap.bootstrap(OpenSAMLBootstrap.java:86) at org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine(OpenSAMLUtil.java:61) at org.apache.wss4j.common.saml.SamlAssertionWrapper.(SamlAssertionWrapper.java:204) at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createSamlToken(SAMLTokenProvider.java:303) at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createToken(SAMLTokenProvider.java:122) ... 45 more

I suppose I have a version issue :

Either I’d have to make my STS’s configuration of opensaml aware of my opensaml-core v3.0.0 classes Or I’d have to use a different version of CXF to get a newer version of WSS4J.

My version of CXF is 3.0.1 and has a dependency on WSS4J-ws-security-common in version 2.0.1 witch has a dependency on opensaml version 2.6.1

Do you have an idea of how to resolve this problem ?

Regards

=========================

EDIT Colm resolved issue in post : SAML2 assertion with home defined AttributeBean in CXF