DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=41805>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41805 Summary: Resolution of SAML 1.x ID attributes, incorrect namespace Product: Security Version: unspecified Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: Signature AssignedTo: security-dev@xml.apache.org ReportedBy: [EMAIL PROTECTED] In org.apache.xml.security.utils.IdResolver, there is support for brute force resolution of certain hardcoded namespace-qualified ID attributes when the DOM does not otherwise know about the ID-ness of the attributes (e.g. not schema validated). For the SAML 1.x ID attribute support, these attributes are considered: RequestID ResponseID AssertionID The bug is that the code currently treats all of these as existing in the SAML 1.x assertion namespace (URI urn:oasis:names:tc:SAML:1.0:assertion). RequestID and ResponseID however live in the SAML 1.x protocol namespace (URI urn:oasis:names:tc:SAML:1.0:protocol). The IdResolver should be modified to include this namespace URI in the array at line 164, and the code at line 266 should be updated to differentiate the 2 namespaces. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
