> Do you know what the Java settings are that would make it vulnerable
> to this attack?
Ignoring comments, the usual entity-expansion and DTD issues, and a setting to
coalesce CDATA into Text nodes are the ones that can create or prevent
problems. Those, in combination with the actual DOM calls being made, can
interact in various ways that create problems or prevent them.
The "safe" mode, insofar as anything is safe, is to ignore comments (*),
prevent DTDs from appearing and block entity expansion, and to coalesce CDATA
so it never appears in the DOM.
(*) This of course prevents signing comments. You can still use #WithComments
c14n methods, but if any comments were in the DOM when signed, the other end
will fail to validate.
Is there any reason why the standard allowed #WithComments? I cannot think of a
single reason why you would want comments in SAML elements. It makes life so
much more complicated.
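As an added illustration of the settings discussed above (this is example code written for this note, not code from anyone in the thread or from any SAML library): the sample XML, the class and method names are all constructed for the demonstration. It parses a NameID whose text has a comment and a CDATA section spliced into it, once with a default DocumentBuilderFactory and once with the "safe" combination (ignore comments, coalesce CDATA, no DTD, no external entities), and reads the value both the fragile way (first child node only) and via getTextContent().

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class SamlDomSettings {

    // Constructed sample, not a real assertion: the NameID text has a comment
    // and a CDATA section spliced into the middle of it.
    static final String SAMPLE =
        "<Subject xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
      + "<NameID>user@example.com<!-- split -->.evil<![CDATA[.example]]></NameID>"
      + "</Subject>";

    // The combination the post calls "safe": ignore comments, coalesce CDATA
    // into Text, refuse DTDs, and do not expand or load external entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setIgnoringComments(true);
        f.setCoalescing(true);
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Default factory: comments and CDATA sections survive as separate DOM nodes.
    static DocumentBuilderFactory defaultFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    // The fragile read: only the first child node is consulted, so anything
    // that splits the text (a comment, a CDATA boundary) truncates the value.
    static String firstChildValue(Element nameId) {
        Node first = nameId.getFirstChild();
        return first == null ? "" : first.getNodeValue();
    }

    // The robust read: concatenates all descendant text, skipping comments.
    static String wholeText(Element nameId) {
        return nameId.getTextContent();
    }

    static Element parseNameId(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return (Element) d.getElementsByTagNameNS(
            "urn:oasis:names:tc:SAML:2.0:assertion", "NameID").item(0);
    }

    static void report(String label, DocumentBuilderFactory f) throws Exception {
        Element nameId = parseNameId(f, SAMPLE);
        System.out.println(label + ": " + nameId.getChildNodes().getLength() + " child node(s)");
        System.out.println("  getFirstChild().getNodeValue() -> " + firstChildValue(nameId));
        System.out.println("  getTextContent()               -> " + wholeText(nameId));
    }

    public static void main(String[] args) throws Exception {
        report("default factory", defaultFactory());
        report("hardened factory", hardenedFactory());
    }
}
```

With the default factory the NameID ends up as four child nodes (Text, Comment, Text, CDATASection), so the first-child read stops at `user@example.com` while getTextContent() returns the full string; with the hardened factory the JDK's built-in parser drops the comment and folds the CDATA into the surrounding Text, so both reads agree. Whether that matters depends, as the post says, on which DOM call the consuming code actually makes. The Xerces feature URIs are accepted by the JDK's bundled parser; a third-party DocumentBuilderFactory may reject them with ParserConfigurationException, which is the right outcome for a fail-closed configuration.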