Shibboleth Developers

["Scott Cantor" <>]

Another overlooked consequence of switching to Xerces is that the Java
version still contains a bug that causes signing of base64 content to fail
unless a particular parser feature specific to Xerces is turned off.

The immediate consequence of this bug, aside from people using OpenSAML, is
that metadatatool can't verify signed metadata that contains certificates. A
later, less critical consequence would be the Java SP validating signed
responses if they included signed assertions, not something we need right
now.

To fix this, we have to release a patched opensaml-1.1.jar and replace the
version included with Shibboleth. I suspect we can get away with just
posting a new opensaml-1.1b package and documenting that you need to copy
that version into IDP_HOME/lib if you want metadatatool to work.

This feature appears to be off by default in Sun's version, which is why it
appeared to work before. Unfortunately, setting this Xerces feature causes a
spurious exception when using some other parser, but for now this is the
best I can think to do. A spurious warning is better than broken, and Shib
at this point requires Xerces anyway.

We can discuss on the call tomorrow.

-- Scott