> The XML parsing in the SAML 1.1 attribute release support is not done using
> a proper XML parser.  There are are probably a lot of equivalent documents
> that you could pass in that the parser would fail at; similarly, you can
> probably throw bad XML at it and still get a good response if you put in the
> right key strings.

You are indeed correct that we do not presently use OpenSAML to parse
SAML requests and that our implementation likely would accept strictly
invalid requests. This is an area ripe for improvement; handling of
XML namespaces in a compliant manner is one concrete benefit.

M

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Reply via email to