mace-opensaml-users - Re: creating SAMLAssertion from DOM and time zones

Subject: OpenSAML user discussion

  • From: (Rami Jaamour)
  • To: Scott Cantor <>,
  • Subject: Re: creating SAMLAssertion from DOM and time zones
  • Date: Mon, 20 Dec 2004 10:47:02 -0800
  • Organization: Parasoft Corporation

You are correct, I meant:
formatter.setTimeZone(TimeZone.getTimeZone("UTC"));
I know that this format works from WSS4J (org.apache.ws.security.message.token.UsernameToken). I remember that I posted a similar fix to this WSS4J class after having some interop problem because of the time zone, so I am guessing that there is a difference, but I am not sure. Maybe UTC can be used to be safe; UTC interops well in WS-Security stuff (in WSS4J).

Regarding the DOM issue, well, I guess it is more of a DOM question than OpenSAML. In my situation I was constructing the DOM from a sample XML String (or from a file), so I was hoping just to pass it to SAMLAssertion without needing to clone since I do not plan to access the original DOM I give to it anymore (I am creating the DOM specifically for the SAMLAssertion). Any ideas? I would send you reproducing code but it is intermixed with proprietary stuff, so I would need to clean it up. It might be something on my side, but I will let you know if I think it is an OpenSAML issue or if I have more details.

Rami Jaamour
Software Engineer
Web Services Solutions
Parasoft Corporation

"We Make Software Work"


Scott Cantor wrote:
>> If, however, I clone the node before feeding it to SAMLAssertion
>> constructor, I do not get this problem. Any way to avoid cloning? What
>> could be happening here and why is cloning solving this problem?
>
> I'd have to see the code, the line of code you posted doesn't really seem to
> even connect to this use case since it's a serializing call, not a
> constructive call.
>
> Cloning is always necessary if you want to use the same object in two
> different contexts. Think of it physically, you can't put one jellybean in
> two jars. The next version I'll probably implement back-pointers so I can
> detect when people try this.
>
> As far as messing with SOAP, I use c14n when I serialize, though I think the
> version released actually used inclusive for some reason. But anyway, if
> something is changing the SOAP DOM, it's not me, it's the c14n code.
>
>> 2. The IssuerInstant is created in GMT, the OASIS (SAML) V1.1 Standard,
>> 2 September 2003 document states that it should be in UTC.
>
> Umm...aren't they the same? Finding info online about it isn't that easy,
> but I was under the impression they matched.
>
>> and 220 (pg 7) in the spec. Perhaps
>> org.opensaml.SAMLAssertion line 288
>> should be modified to:
>>
>> formatter.setTimeZone(TimeZone.getTimeZone("GMT"));
>
> I think you meant to propose something else. That's what the code is now. I
> didn't think "UTC" was an option there, but I don't know offhand why I
> thought that.
>
> -- Scott
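
The GMT-versus-UTC question in this thread, as an added example that is not part of the original messages and is not OpenSAML or WSS4J code: it formats one instant with `SimpleDateFormat` under GMT, UTC and a non-UTC zone, then reports the skew a receiver would see when reading each result as UTC. The class name, the pattern string, the sample instant and the `America/Los_Angeles` zone are assumptions made for illustration.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class IssueInstantZones {
    // Assumed pattern. The trailing Z is a quoted literal: SimpleDateFormat
    // prints it whatever zone the digits are in, so the zone must be pinned.
    static final String PATTERN = "yyyy-MM-dd'T'HH:mm:ss'Z'";

    static SimpleDateFormat formatterFor(String zoneId) {
        SimpleDateFormat formatter = new SimpleDateFormat(PATTERN);
        // TimeZone.getTimeZone() returns GMT for an ID it does not recognise.
        formatter.setTimeZone(TimeZone.getTimeZone(zoneId));
        return formatter;
    }

    // Skew in seconds that a receiver sees when it reads the emitted string
    // as UTC, which is what the literal Z claims.
    static long skewSeconds(Date actual, String emitted) throws ParseException {
        Date asRead = formatterFor("UTC").parse(emitted);
        return (asRead.getTime() - actual.getTime()) / 1000L;
    }

    public static void main(String[] args) throws ParseException {
        // Constructed sample instant (epoch milliseconds), not from a real assertion.
        Date issued = new Date(1103568422000L);
        // "America/Los_Angeles" stands in for a server whose default zone is not UTC.
        String[] zones = { "GMT", "UTC", "America/Los_Angeles" };
        for (String zone : zones) {
            String emitted = formatterFor(zone).format(issued);
            System.out.println(zone + " -> " + emitted
                    + " (skew seen by receiver: " + skewSeconds(issued, emitted) + " s)");
        }
        // Both zero-offset IDs must produce the same timestamp string.
        boolean same = formatterFor("GMT").format(issued)
                .equals(formatterFor("UTC").format(issued));
        System.out.println("GMT and UTC formatters agree: " + same);
    }
}
```

A non-zero skew on the third line is the interop failure to look for: the timestamp is well-formed but wrong by the zone offset, which can push an assertion outside a receiver's accepted time window.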