mace-opensaml-users - Re: non-compliant Issuer content.
- From: Chad La Joie <>
- Subject: Re: non-compliant Issuer content.
- Date: Tue, 12 Feb 2008 10:39:02 +0100
- Organization: SWITCH
Xavier Drudis Ferran wrote:
> So Ok, I understand opensaml is meant to deal with compliant SAML
> assertions, not with this. I'm just commenting this because I don't
> know whether opensaml should detect this and fail validation. Or fail
> marshalling or something. I suspect the assertion has been generated
> (ab)using opensaml for java.
Scott and I had a number of discussions about whether to validate messages or not and finally sided with the "Be conservative in what you produce; be liberal in what you accept." maxim. So OpenSAML will at the very least parse the message unless the XML is malformed or there are really screwed up data types (e.g. the element/attribute is supposed to be an int and the XML has a value of "foo").
Now, you can do validation if you want. You can get the SAML schema from org.opensaml.common.xml.SAMLSchemaBuilder and then validate with that. At which point you'll learn that hardly any (probably no) products out there actually produce totally valid SAML.
> I don't know how easy it is to check issuer syntax, because the
> content syntax depends on the format attribute. It's best for me that
> it does not fail validation, so I'm fine with what it does now, but
> for opensaml in general, I don't know.
Well, the syntax is fairly easy to check as it's just a URI. You could run it through the java.net.URI class and it'll throw an exception if it's not valid. Whether the content actually *means* anything once you check that its syntax is valid is another question.
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
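The two checks Chad describes above (optional schema validation through SAMLSchemaBuilder, then a java.net.URI syntax check on the Issuer) combined into one small program. This is an added example written for this archive page; it is not code from Chad, from Xavier, or from the OpenSAML project. It assumes the OpenSAML 2.x API as I recall it (SAMLSchemaBuilder.getSAML11Schema(), DefaultBootstrap.bootstrap(), Configuration.getUnmarshallerFactory()), the sample assertion is constructed for the demonstration, and the isAbsolute() requirement is a stricter policy choice than the bare parse Chad suggests, not something the thread asks for.

```java
// Added example, not OpenSAML project code. Assumes OpenSAML 2.x on the classpath.
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class IssuerCheck {

    // Constructed sample (not from any real deployment): the shape is schema-valid,
    // but the Issuer value contains spaces and so is not a URI.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
      + " Version=\"2.0\" ID=\"_example1\" IssueInstant=\"2008-02-12T09:39:02Z\">"
      + "<saml:Issuer>Some Corp Issuer</saml:Issuer>"
      + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
      + "</saml:Assertion>";

    /** Namespace-aware DOM parse with DOCTYPE declarations disallowed. */
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement();
    }

    /** Step 1: the optional schema validation. Returns null when valid, else the error text. */
    static String schemaError(Element root) throws Exception {
        // Assumption: in OpenSAML 2.x this schema covers SAML 1.1 and 2.0 plus registered extensions.
        Schema schema = SAMLSchemaBuilder.getSAML11Schema();
        try {
            schema.newValidator().validate(new DOMSource(root));
            return null;
        } catch (Exception e) {
            return e.getMessage();
        }
    }

    /** Step 2: Issuer syntax. With no Format attribute the entity format is in effect,
     *  and an entity identifier must be a URI; other formats are left alone here. */
    static String issuerProblem(Issuer issuer) {
        String format = issuer.getFormat();
        if (format != null && !NameIDType.ENTITY.equals(format)) {
            return null; // no URI requirement to check for this format
        }
        String value = issuer.getValue();
        if (value == null || value.trim().isEmpty()) {
            return "empty Issuer";
        }
        try {
            URI uri = new URI(value);
            // java.net.URI happily parses relative references such as "foo", so a bare
            // parse is weaker than it looks; requiring a scheme is a stricter policy choice.
            if (!uri.isAbsolute()) {
                return "Issuer is not an absolute URI: " + value;
            }
            return null;
        } catch (URISyntaxException e) {
            return "Issuer is not a URI: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        Element root = parse(ASSERTION);
        String schemaErr = schemaError(root);
        System.out.println("schema: " + (schemaErr == null ? "valid" : schemaErr));
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Assertion assertion = (Assertion) um.unmarshall(root);
        String issuerErr = issuerProblem(assertion.getIssuer());
        System.out.println("issuer: " + (issuerErr == null ? "ok" : issuerErr));
    }
}
```

With the constructed sample the schema step passes (the schema only says Issuer is a string-typed element) while the URI step reports "Illegal character" for the spaces, which is exactly the split Chad draws: OpenSAML parses the message, and the Issuer syntax check is something the caller adds on top. Whether an Issuer that does parse as a URI actually names an entity you trust is a separate, metadata-level question.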