Posted to dev@santuario.apache.org by Phillip Duba <ph...@philduba.com> on 2007/05/23 22:39:03 UTC

"Cannot resolve element with ID" Error

Hopefully someone can point me in the right direction to solve this
problem. I have a SAML 1.1 Assertion being verified; however, it fails
verification, as I receive a "Cannot resolve element with ID ." error.
The issue, from what I can tell from a Google search, is that the SAML
Assertion 1.1 schema has the AssertionID of type ID but no ID attribute,
so the Reference lookup fails. Below is my logic for verification:
 
    import java.io.ByteArrayInputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.PublicKey;
    import javax.xml.parsers.DocumentBuilder;
    import javax.xml.parsers.DocumentBuilderFactory;
    import org.apache.xml.security.signature.XMLSignature;
    import org.apache.xml.security.utils.Constants;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.NodeList;

    public boolean VerifySignature(String token, String certPath) throws Exception {
        // Initialize the library
        org.apache.xml.security.Init.init();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setAttribute("http://xml.org/sax/features/namespaces", Boolean.TRUE);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(new org.apache.xml.security.utils.IgnoreAllErrorHandler());

        // Decode as UTF-8 rather than the platform default charset
        byte[] inputBytes = token.getBytes("UTF-8");
        Document doc = db.parse(new ByteArrayInputStream(inputBytes));

        // The AssertionID value is only used as the signature's base URI here.
        // Nothing marks the attribute as an ID, so Document#getElementById
        // returns null for it and the Reference URI "#<AssertionID>" cannot be
        // resolved, which is the "Cannot resolve element with ID" error.
        String uriRef = doc.getDocumentElement().getAttribute("AssertionID");

        Element sigElement = null;
        NodeList nodes = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        String password = "mypass";

        if (nodes.getLength() != 0) {
            // Found Nodes for Signature element
            sigElement = (Element) nodes.item(0);
            XMLSignature signature = new XMLSignature(sigElement, uriRef);
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new FileInputStream(new File(certPath)), password.toCharArray());
            PublicKey pubkey = ks.getCertificate("SamlTest").getPublicKey();
            // Verifies the Reference digests and then the SignatureValue
            return signature.checkSignatureValue(pubkey);
        }
        return false;
    }
 
A sample of the XML being submitted is:
 
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  AssertionID="B9B97DFA-188B-10AF-6C7D03F0B072070E"
  IssueInstance="2007-05-23T16:16:20Z" Issuer="http://samltest.dev/"
  MajorVersion="1" MinorVersion="1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#B9B97DFA-188B-10AF-6C7D03F0B072070E">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>JF/Dh0v786ttB38KYCq1w+X+gtk=</ds:DigestValue>
      </ds:Reference>
...
 
The system configuration versioning is limited by an application server
and is:
 
JDK 1.4.11
XML Apache Security Library 1.2.0 with xmlsec-1.2.96.jar
 
Most of the solutions I have found have focused on DOM3 capabilities
which I do not have access to or using an IdResolver with which I have
had no luck. Any help would be appreciated. Thanks,
 
Phil

RE: "Cannot resolve element with ID" Error

Posted by Phillip Duba <ph...@philduba.com>.
Resending as the mail-archive did not pick up my last post on this
thread:
 
Brent,
 
That worked perfectly. Here is the resulting code I used from my first
post:
 
..

        // requires: import org.w3c.dom.Attr;
        //           import org.apache.xml.security.utils.IdResolver;
        byte[] inputBytes = token.getBytes("UTF-8");
        Document doc = db.parse(new ByteArrayInputStream(inputBytes));

        // Set up required ID attribute: register the root element's AssertionID
        // attribute with the library's IdResolver so that the Reference URI
        // "#<AssertionID>" resolves without DOM 3 or schema validation
        Element rootElement = doc.getDocumentElement();
        // attribute names are case-sensitive: "AssertionID", not "AssertionId"
        String uriRef = rootElement.getAttribute("AssertionID");
        Attr id = rootElement.getAttributeNode("AssertionID");
        IdResolver.registerElementById(rootElement, id);

        Element sigElement = null;
        NodeList nodes = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");

..
 
I had to use the IdResolver.(Element,Attr) method. Thanks again for your
help and hopefully this thread helps others out trying to figure this
stuff out,
 
Phil
      
 

Re: "Cannot resolve element with ID" Error

Posted by Brent Putman <pu...@georgetown.edu>.
>>  
>>
>> The system configuration versioning is limited by an application
>> server and is:
>>
>>  
>>
>> JDK 1.4.11
>>
>> XML Apache Security Library 1.2.0 with xmlsec-1.2.96.jar
>>
>
>
> Pretty sure that version is too old to have the SAML 1.1 support
> described.  If you can't upgrade to a newer library version, then I
> think your only options are:
>
> 1) validate the DOM against the SAML 1.1 schema before you attempt
> signature verification
>
> 2) manually preprocess the DOM and mark the ID attributes before you
> attempt signature verification.



Actually, another option you could try, maybe even better for your
situation, is to preprocess the DOM and manually register the ID
value-to-Element mapping in the IdResolver.

In org.apache.xml.security.utils.IdResolver, see
IdResolver#registerElementById(Element, Attr)
IdResolver#registerElementById(Element, String)


I just remembered that that is supported, but I have not tried it, YMMV.

--Brent
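An added example, written for this page and not code from the thread or from the xmlsec library, of Brent's option 2 in working form for a Java 5+ / DOM Level 3 environment (the thing the poster did not have). Phil's follow-up above shows the IdResolver route; this one marks the three SAML 1.1 ID attributes (AssertionID, ResponseID, RequestID) with Element#setIdAttributeNode instead, so Document#getElementById works and the library's reference resolution needs no help and no IdResolver class. Everything beyond the ID marking is assumed practice, not something the thread states: the duplicate-ID rejection, the requirement that ds:Signature be a direct child of the assertion, the single-Reference and transform allow-list checks (they keep a relocated or wrapped signature from passing once the reference does resolve), and the Xerces disallow-doctype-decl feature name. The public key comes from wherever the caller keeps it, e.g. the JKS lookup in Phil's code.

```java
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Verifies an enveloped signature on a SAML 1.1 assertion without schema validation. */
public class Saml11Verifier {

    static final String SAML11_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String SAML11_PROTOCOL_NS = "urn:oasis:names:tc:SAML:1.0:protocol";
    // The SAML 1.1 attributes declared as xs:ID (the three named in the thread)
    static final String[] SAML11_ID_ATTRS = { "AssertionID", "ResponseID", "RequestID" };

    static { Init.init(); }

    /** Namespace-aware parse with DTDs and entity expansion off: the assertion is untrusted. */
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setExpandEntityReferences(false);
        // Xerces feature name (assumed); other parsers spell this differently
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml));
    }

    /**
     * Marks every SAML 1.1 ID attribute as a DOM ID (DOM Level 3) so that
     * Document#getElementById, and therefore reference resolution, finds it.
     * Two elements sharing one ID value is rejected outright: that is the
     * usual set-up for a signature-wrapping document.
     */
    static void markSaml11Ids(Document doc) {
        Set<String> seen = new HashSet<String>();
        for (String ns : new String[] { SAML11_ASSERTION_NS, SAML11_PROTOCOL_NS }) {
            NodeList elements = doc.getElementsByTagNameNS(ns, "*");
            for (int i = 0; i < elements.getLength(); i++) {
                Element el = (Element) elements.item(i);
                for (String name : SAML11_ID_ATTRS) {
                    Attr attr = el.getAttributeNodeNS(null, name); // unqualified attribute
                    if (attr == null) continue;
                    if (!seen.add(attr.getValue())) {
                        throw new IllegalStateException("duplicate ID value: " + attr.getValue());
                    }
                    el.setIdAttributeNode(attr, true);
                }
            }
        }
    }

    /**
     * True only if the assertion root carries exactly one enveloped signature
     * whose single Reference points at the root's own AssertionID and which
     * verifies under the given public key.
     */
    static boolean verifyAssertion(byte[] xml, PublicKey key) throws Exception {
        Document doc = parse(xml);
        markSaml11Ids(doc);
        Element root = doc.getDocumentElement();
        if (!SAML11_ASSERTION_NS.equals(root.getNamespaceURI())
                || !"Assertion".equals(root.getLocalName())) return false;
        String assertionId = root.getAttribute("AssertionID");
        // ID marking must have taken effect and must resolve to the root itself
        if (assertionId.length() == 0 || doc.getElementById(assertionId) != root) return false;

        // Only a ds:Signature that is a direct child of the assertion counts
        Element sigElement = null;
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && Constants.SignatureSpecNS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                if (sigElement != null) return false; // more than one signature
                sigElement = (Element) n;
            }
        }
        if (sigElement == null) return false;

        XMLSignature signature = new XMLSignature(sigElement, "");
        SignedInfo signedInfo = signature.getSignedInfo();
        if (signedInfo.getLength() != 1) return false;
        Reference ref = signedInfo.item(0);
        if (!("#" + assertionId).equals(ref.getURI())) return false;

        // Allow only the enveloped-signature transform plus a canonicalization
        Transforms transforms = ref.getTransforms();
        for (int i = 0; transforms != null && i < transforms.getLength(); i++) {
            String alg = transforms.item(i).getURI();
            if (!Transforms.TRANSFORM_ENVELOPED_SIGNATURE.equals(alg)
                    && !Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS.equals(alg)
                    && !Transforms.TRANSFORM_C14N_OMIT_COMMENTS.equals(alg)) return false;
        }
        // Checks the Reference digest over the assertion, then the SignatureValue
        return signature.checkSignatureValue(key);
    }
}
```

The structural checks run before checkSignatureValue on purpose: once the ID resolves, the library will happily verify a genuine signature over whatever element the Reference names, so the caller has to be the one that insists the named element is the assertion being trusted.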

RE: "Cannot resolve element with ID" Error

Posted by Phillip Duba <ph...@philduba.com>.
Brent,
 
Thanks for your help. I am using Xerces and the application server is
ColdFusion MX 7. I know I have seen the version within ColdFusion
before; I want to say it is 2.4, but that might be wrong. Thanks,
 
Phil
 

Re: "Cannot resolve element with ID" Error

Posted by Brent Putman <pu...@georgetown.edu>.

Phillip Duba wrote:
>
> Hopefully someone can point me in the right direction to solve this
> problem. I have a SAML 1.1 Assertion being verified, however, it fails
> verification as I receive a “Cannot resolve element with ID …” error.
> The issue arises, from what I can tell doing a Google search, is that
> the SAML Assertion 1.1 schema has the AssertionID of type ID but no ID
> attribute so the Reference lookup fails. Below is my logic for
> verification:
>
>  
>
>

The library's IdResolver has to be able to work, i.e. resolve the
References properly.  It primarily uses Document#getElementById.  And in
order for that to work, usually the Attr nodes have to be marked as DOM
ID attributes (at least Xerces works that way; maybe some parsers just
do a brute force traversal).  That happens if you do schema validation.
So if you can validate, then that will solve it.

For non-validation use cases, the IdResolver also has some hardcoded
support for certain attribute names in certain namespaces, and for
quite a while (a year ago) has had support specifically for SAML 1.1 ID
attributes (AssertionID, ResponseID, RequestID).  There was a bug with
the SAML 1.1 stuff, though, and it was only fixed recently, in the
latest release (1.4.1).



>
>  
>
> The system configuration versioning is limited by an application
> server and is:
>
>  
>
> JDK 1.4.11
>
> XML Apache Security Library 1.2.0 with xmlsec-1.2.96.jar
>


Pretty sure that version is too old to have the SAML 1.1 support
described.  If you can't upgrade to a newer library version, then I
think your only options are:

1) validate the DOM against the SAML 1.1 schema before you attempt
signature verification

2) manually preprocess the DOM and mark the ID attributes before you
attempt signature verification.



>  
>
> Most of the solutions I have found have focused on DOM3 capabilities
> which I do not have access to or using an IdResolver with which I have
> had no luck. Any help would be
>

If you don't have DOM 3, then solution 2 above won't work - AFAIK, you
have to use one of the Element#setId* methods, and I believe those are
all DOM 3.

So you can try schema validation, or find some other way to get
Document#getElementById to work correctly.  You didn't mention what
parser, version, etc you are using, but I'd say that is going to be what
you have to solve.


--Brent
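An added example, written for this page and not code from the thread, of Brent's option 1: a JAXP 1.3 schema-validating parse so that the parser itself types AssertionID as xs:ID and Document#getElementById resolves it. The schema file paths are assumed (the XSDs are not on this page; the SAML 1.1 assertion schema imports the XML DSig schema, so that one is loaded first), as are the ACCESS_EXTERNAL_* properties (Java 7u40+/8) and the Xerces disallow-doctype-decl feature. The strict ErrorHandler is the caveat worth carrying away: an error handler that swallows validation errors, like the IgnoreAllErrorHandler in the original post, would leave the ID attributes untyped and accept a malformed document, so this one fails closed and the method double-checks that the ID really resolves to the root.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/** Option 1 from the thread: let schema validation type AssertionID as xs:ID. */
public class SchemaValidatedSamlParser {

    /** Every validation problem aborts the parse; nothing is silently ignored. */
    static final ErrorHandler STRICT = new ErrorHandler() {
        public void warning(SAXParseException e) throws SAXException { throw e; }
        public void error(SAXParseException e) throws SAXException { throw e; }
        public void fatalError(SAXParseException e) throws SAXException { throw e; }
    };

    /**
     * Builds a validating DocumentBuilder from local copies of the schemas
     * (assumed paths). Uses DocumentBuilderFactory#setSchema, not the old
     * setValidating(true), which would mean DTD validation.
     */
    static DocumentBuilder newValidatingBuilder(File xmldsigXsd, File samlAssertionXsd)
            throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Never let the schema loader reach out over the network
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        Schema schema = sf.newSchema(new Source[] {
            new StreamSource(xmldsigXsd), new StreamSource(samlAssertionXsd) });

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setSchema(schema);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(STRICT);
        return db;
    }

    /** Parses and validates, then proves the assertion's ID actually resolves. */
    static Element parseAssertion(DocumentBuilder db, byte[] xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml));
        Element root = doc.getDocumentElement();
        String id = root.getAttribute("AssertionID");
        // With schema type information the parser flags xs:ID attributes as DOM IDs;
        // if that did not happen, signature verification would fail later anyway,
        // so fail here with a clear message instead
        if (id.length() == 0 || doc.getElementById(id) != root) {
            throw new SAXException("AssertionID was not typed as an ID by validation");
        }
        return root;
    }
}
```

The returned element can then be handed to the same signature checks as before; validation only solves the ID lookup, it says nothing about which element the signature covers.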