
mace-opensaml-users - Re: [OpenSAML] new user - AttributeQuery / SOAP question

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] new user - AttributeQuery / SOAP question
  • Date: Mon, 27 Oct 2008 19:06:12 -0400




wrote:
> Thanks for the reply Brent - I agree that the prefix should not matter -
> and we're working on this with the other party to try and find out what
> their tool is actually doing. They mentioned they are using some kind of
> optimizer - and I am not sure why they would want to optimize (and
> therefore potentially modify) signed XML.
>

Hmm, that combination seems to be not a good one. Adding/removing even
a single whitespace character in the signed data, much less more
invasive things, will of course break the signature, at least with all
the current c14n specs.

> This leads to another question/issue. This so called optimizer the other
> party is using is stripping off extra namespaces - and of course that
> causes the signature to fail. While I am not sure that they should be doing
> that -

Well, it will definitely break the signature, so they probably
shouldn't. :-)

> from my end is there a way to eliminate namespaces in certain tags ?? In
> the output below, you can see that
> 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"' is added to each tag -
> whereas it may only be necessary at the Signature tag. Is there a way to
> remove this from the other tags ?? I know this probably should not be
> necessary - but I would like to find out if that may be an option.
>


Yeah, that was a bug in the Apache XML Security library that we use. It
annoyed me too, and I reported it and they fixed it awhile back. Here
was the issue on our Jira for that, with a link to the Apache bug
tracker issue:


https://bugs.internet2.edu/jira/browse/JXT-20


If you just upgrade to the latest OpenSAML (version 2.2.1) which
includes the newer xmlsec jar, that should take care of it. Or if you
can't do that, you should be ok just replacing your xmlsec-1.4.1.jar
with the newer one.





