OpenSAML user discussion

[Brent Putman <>]

That's what I was thinking too, but I just doubled checked and turns out 
it does always unconditionally marshall the tree into a new document:

   /** 
{@inheritDoc}
 */
   public Element marshall(XMLObject xmlObject) throws 
MarshallingException {
       try {
           Document document = 
DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
           return marshall(xmlObject, document);
       } catch (ParserConfigurationException e) {
           throw new MarshallingException("Unable to create Document to 
place marshalled elements in", e);
       }
   }



Which probably isn't going to screw up the signature related things, but 
is going to be semi-expensive because of all the node adoption, etc.  
It's definitely not a no-op.



Chad La Joie wrote:
> It should be fine.  If you try to marshall an already marshalled tree 
> it just immediately returns the cached DOM unless you marshall it in 
> such a way that you indicate it needs to be rooted in a new document 
> (which is not common).
>
> Brent Putman wrote:
> > > 2. Once the signature object has been signed (the signature value 
> > > set), does the assertion need to be marshalled again to get the sign 
> > > assertion?
> > >   
> >
> >
> > No, absolutely not, in fact that may even screw things up (can't 
> > remember exactly what marshalling an already marshalled tree does).  
> > The actual signing operation is implemented by the Apache XML 
> > Security library and operates directly on the DOM tree.  That is why 
> > you have to marshall before signing.