You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@santuario.apache.org by bu...@apache.org on 2007/03/09 21:42:40 UTC

DO NOT REPLY [Bug 41805] New: - Resolution of SAML 1.x ID attributes, incorrect namespace

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41805>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41805

           Summary: Resolution of SAML 1.x ID attributes, incorrect
                    namespace
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: putmanb@georgetown.edu


In org.apache.xml.security.utils.IdResolver, there is support for brute force
resolution of certain hardcoded namespace-qualified ID attributes when the DOM
does not otherwise know about the ID-ness of the attributes (e.g. not schema
validated).

For the SAML 1.x ID attribute support, these attributes are considered:
RequestID
ResponseID
AssertionID

The bug is that the code currently treats all of these as existing in the SAML
1.x assertion namespace (URI urn:oasis:names:tc:SAML:1.0:assertion).  

RequestID and ResponseID however live in the SAML 1.x protocol namespace (URI
urn:oasis:names:tc:SAML:1.0:protocol).

The IdResolver should be modified to include this namespace URI in the array at
line 164, and the code at line 266 should be updated to differentiate the 2
namespaces.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

RE: DO NOT REPLY [Bug 41805] New: - Resolution of SAML 1.x ID attributes, incorrect namespace

Posted by Scott Cantor <ca...@osu.edu>.

> BTW, do you have some sample signed SAML messages that I can add to our
> test suite to test that it finds the Ids correctly?

There are a few here:

http://svn.middleware.georgetown.edu/view/trunk/samltest/data/signature/?roo
t=cpp-opensaml2

-- Scott

Re: DO NOT REPLY [Bug 41805] New: - Resolution of SAML 1.x ID attributes, incorrect namespace

Posted by Brent Putman <pu...@georgetown.edu>.


Sean Mullan wrote:
> Oops, you're right I missed that. I have updated it to use the length of
> the namespaces array, please check it.
>   
>


I tested it.  It seems to correctly resolve all three SAML 1.x ID types
now.  Thanks for fixing.

--Brent

Re: DO NOT REPLY [Bug 41805] New: - Resolution of SAML 1.x ID attributes, incorrect namespace

Posted by Sean Mullan <Se...@Sun.COM>.

Oops, you're right I missed that. I have updated it to use the length of
the namespaces array, please check it.

BTW, do you have some sample signed SAML messages that I can add to our
test suite to test that it finds the Ids correctly?

--Sean

Brent Putman wrote:
>> The IdResolver should be modified to include this namespace URI in the array at
>> line 164, and the code at line 266 should be updated to differentiate the 2
>> namespaces.
>>
>>   
> 
> Thanks for looking at this.   With the above, I didn't mean to imply
> those line references were the *only* things that needed to be changed,
> however.  I think (unfortunately) there are some hardcoded assumptions
> about the length of that 'namespaces' array in the code between those
> two line references.  It's a bit hard for me to grok what the code is
> trying to do, it's a bit convoluted, but:  Isn't the idea essentially
> that after the call to getEl() in getElementBySearching() the 'Element
> [] els' array contains the resolved element in the slot (index) that
> corresponds to the same index in the namespace array for the namespace
> from which the ID attribute came?  And the 'els' array is one slot
> larger than the namespaces array, so that the last slot just means "no
> namespace" (happens if the attribute local name is just "ID" , or  "Id"
> or "id",  with some exceptions for  namespace-qualified attribs that use
> those).
> 
> If so, then the code is now a little off - the array size references
> need to be incremented, or even better, changed to be relative to the
> length of the namespaces array (actually visible as static List
> 'names').  Or something along those lines.
> 
> See for example:
> 
> Line 176          Element []els=new Element[6];
> 
> Line 230         elementIndex=(elementIndex<0) ? 5 : elementIndex;
> 
> Line 236             index=(index<0) ? 5 : index;
> 
> Line 250                         index=5;
> 
> Line 256                     index=5;
> 
> 
> The namespaces array did have length 5, now it has length 6  - so the
> "no namespace" slot in the 'els' array (which should now have length 7)
> would now be 6 , not 5.  Again, it would seem to me to be better to make
> this all relative to the size of the namespaces array in the first
> place, not absolute.
> 
> Those are just the things I see.  I'm not completely clear on the search
> algorithm, so don't take my word for it.
> 
> Thanks,
> Brent

Re: DO NOT REPLY [Bug 41805] New: - Resolution of SAML 1.x ID attributes, incorrect namespace

Posted by Brent Putman <pu...@georgetown.edu>.

>
> The IdResolver should be modified to include this namespace URI in the array at
> line 164, and the code at line 266 should be updated to differentiate the 2
> namespaces.
>
>   

Thanks for looking at this.   With the above, I didn't mean to imply
those line references were the *only* things that needed to be changed,
however.  I think (unfortunately) there are some hardcoded assumptions
about the length of that 'namespaces' array in the code between those
two line references.  It's a bit hard for me to grok what the code is
trying to do, it's a bit convoluted, but:  Isn't the idea essentially
that after the call to getEl() in getElementBySearching() the 'Element
[] els' array contains the resolved element in the slot (index) that
corresponds to the same index in the namespace array for the namespace
from which the ID attribute came?  And the 'els' array is one slot
larger than the namespaces array, so that the last slot just means "no
namespace" (happens if the attribute local name is just "ID" , or  "Id"
or "id",  with some exceptions for  namespace-qualified attribs that use
those).

If so, then the code is now a little off - the array size references
need to be incremented, or even better, changed to be relative to the
length of the namespaces array (actually visible as static List
'names').  Or something along those lines.

See for example:

Line 176          Element []els=new Element[6];

Line 230         elementIndex=(elementIndex<0) ? 5 : elementIndex;

Line 236             index=(index<0) ? 5 : index;

Line 250                         index=5;

Line 256                     index=5;


The namespaces array did have length 5, now it has length 6  - so the
"no namespace" slot in the 'els' array (which should now have length 7)
would now be 6 , not 5.  Again, it would seem to me to be better to make
this all relative to the size of the namespaces array in the first
place, not absolute.

Those are just the things I see.  I'm not completely clear on the search
algorithm, so don't take my word for it.

Thanks,
Brent

DO NOT REPLY [Bug 41805] - Resolution of SAML 1.x ID attributes, incorrect namespace

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41805>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41805


sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From sean.mullan@sun.com  2007-03-14 07:54 -------
Fixed. Thanks for suggested fix.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

DO NOT REPLY [Bug 41805] - Resolution of SAML 1.x ID attributes, incorrect namespace

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41805>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41805


sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED




------- Additional Comments From sean.mullan@sun.com  2007-09-19 12:31 -------
Closing old bugs. Fixed in 1.4.1

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.