shibboleth-dev - RE: archives; recap of "endorsed" libs

Subject: Shibboleth Developers

RE: archives; recap of "endorsed" libs


  • From: Scott Cantor <>
  • To: 'Christopher A Bongaarts' <>,
  • Subject: RE: archives; recap of "endorsed" libs
  • Date: Mon, 15 Dec 2003 16:48:49 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> Of course, the link is dead, although poking around on xml.apache.org
> eventually led me to the page I think it was referring to
> (/security/Java/installation.html). The page looks pretty dated, and
> it's not clear to me where to get the xalan.jar file they talk about.

The JDK contains a buggy beta version of Xalan that has to be overridden
with a working copy in order to use any XPath functions that hit the bug.
There are certain signing settings that require a working Xalan, and that's
where the error message comes from.

That said, it's my understanding that there is nothing in the current code
that requires any of those broken XPath functions and that's why Shibboleth
appears to work for most people without requiring an endorsed version of
Xalan.

However, some people (Penn State for one) have been observing this error
message randomly on the order of a few times per hundred signing operations.
Some of us hardly ever see it (like once every few thousand).

My current take on this is that there's a completely separate bug in the
xmlsec library that happens to hit the same exception handler and trigger
this error message when the actual cause has nothing to do with Xalan. This
is totally speculative on my part.

Do you get this error every time?

-- Scott



