> The XML parsing in the SAML 1.1 attribute release support is not done using
> a proper XML parser. There are probably a lot of equivalent documents
> that you could pass in that the parser would fail at; similarly, you can
> probably throw bad XML at it and still get a good response if you put in the
> right key strings.

You are indeed correct that we do not presently use OpenSAML to parse SAML requests and that our implementation likely would accept strictly invalid requests. This is an area ripe for improvement; handling of XML namespaces in a compliant manner is one concrete benefit.

M
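
The two failure modes discussed in this thread, as an added example that is not part of the original messages and is not CAS code: a key-string extractor beside a namespace-aware one, run over constructed requests. The function names, the sample ticket and the request bodies are assumptions made for illustration; the namespace URIs are the standard SAML 1.x protocol and SOAP 1.1 ones.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"     # SAML 1.x protocol namespace
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
TICKET = "ST-1-constructed"                            # constructed sample artifact

def naive_artifact(body):
    """Hypothetical key-string extractor: no parsing, assumes the 'samlp:' prefix."""
    open_tag, close_tag = "<samlp:AssertionArtifact>", "</samlp:AssertionArtifact>"
    start = body.find(open_tag)
    end = body.find(close_tag, start)
    if start == -1 or end == -1:
        return None
    return body[start + len(open_tag):end].strip()

def parsed_artifact(body):
    """Namespace-aware extractor: None unless exactly one artifact sits where expected."""
    if "<!DOCTYPE" in body:          # SOAP 1.1 forbids DTDs; also avoids entity expansion
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:            # not well-formed XML
        return None
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return None
    path = f"{{{SOAP_NS}}}Body/{{{SAMLP_NS}}}Request/{{{SAMLP_NS}}}AssertionArtifact"
    found = root.findall(path)
    if len(found) != 1 or not (found[0].text or "").strip():
        return None
    return found[0].text.strip()

def _envelope(p, ns):
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><{p}:Request xmlns:{p}="{ns}">'
            f'<{p}:AssertionArtifact>{TICKET}</{p}:AssertionArtifact>'
            f'</{p}:Request></s:Body></s:Envelope>')

SAMPLES = {  # constructed minimal requests, not captured traffic
    "standard": _envelope("samlp", SAMLP_NS),
    "other_prefix": _envelope("p", SAMLP_NS),          # equivalent XML, different prefix
    "wrong_namespace": _envelope("samlp", "urn:example:not-saml"),
    "malformed": f"not xml <samlp:AssertionArtifact>{TICKET}</samlp:AssertionArtifact> <unclosed",
}

def compare():
    return {name: (naive_artifact(x), parsed_artifact(x)) for name, x in SAMPLES.items()}

if __name__ == "__main__":
    print(*compare().items(), sep="\n")
```

The string matcher rejects the equivalent `other_prefix` document and accepts both the wrong-namespace and the malformed input; the parser does the opposite in all three cases.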
