OpenSAML user discussion

["Stepan Hrbacek" <>]

2008/12/4 Scott Cantor <>

> I don't think that using non-namespace-qualified content inside SAML data
> (AttributeValue) causes some problems for DOM API or XML signatures
because
> for our use case we have found following workaround that at the end
produced
> valid XML data (SAML Assertion), with valid XML signatures.

No, you haven't. You got lucky and the code you used was buggy and just
happened to work. What you're describing is invalid. There is no way to use
non-namespace-qualified XML within a namespace-aware environment because the
syntax overlaps (an unqualified element is considered to be in the default
namespace). It isn't even a DOM issue per se, it's simply invalid in XML
terms and doesn't mean what you think it does.

You can of course encode the XML in some fashion (e.g. base64) so that it is
invisible to the surrounding XML and can be parsed as non-namespace-aware
XML separately.

Thank you for this argument Scott! I hope this will finally convince our contractor to change his WS implementation. So far we were unsuccessful with our arguments!
 

> Thus I think the issue we experienced is:
> - either in the way we use OpenSAML to create AttributeValue with complex
> DOM data,
> - or it's a XmlTooling issue we reported in
> https://bugs.internet2.edu/jira/browse/JXT-42 (but this was refused by the
> XmlTooling expert)

It's neither.

There may or may not be issues with the AttributeValue handling, but there
is absolutely no way that the existing code will ever or could ever allow
non-namespaced XML to be used anywhere.

Good to know.
 

-- Scott

--Stepan