Bugzilla – Bug 6445
gridshib-saml-issuer --infile creates wrong Advice
Last modified: 2009-02-03 15:20:45
If one inserts xml into the Advice element of a generated attribute assertion using the --infile option of gridshib-saml-issuer, the special characters < > ... are wrongly replaced with the xml entity references &lt; &gt; .... --infile specifies a file containing xml to be inserted, and hence there must not be any special character replacement. Example shown at http://www.globus.org/mail_archive/gridshib-user/2008/10/msg00005.html

Second, --infile always puts the input of the file into an AssertionIDReference element. I think this should be omitted, because not only this, but also Assertion elements or elements from other namespaces with lax schema validation can be inserted into Advice, as described in 2.3.2.2 of [SAMLCore1.0] or later. Maybe this is the reason for the first issue?

I would propose removing the AssertionIDReference and the character replacement.
(In reply to comment #0)
> Assertion elements or elements from other namespaces with lax schema validation
> can be inserted into Advice as described in 2.3.2.2 of [SAMLCore1.0] or later.
> Maybe this is the reason for the first issue?

Yes, this is precisely the cause of the bug. OpenSAML 1.1 (on which our so-called Globus SAML Library is based) parses Advice as follows:

    if (advice != null) {
        for (Iterator i = advice.iterator(); i.hasNext(); ) {
            Object obj = i.next();
            if (obj instanceof String && ((String)obj).length() > 0)
                this.advice.add(obj);
            else if (obj instanceof SAMLAssertion)
                this.advice.add(((SAMLAssertion)obj).setParent(this));
            else if (obj instanceof Element
                     && ((Element)obj).getParentNode() == null
                     && !((Element)obj).getNamespaceURI().equals(XML.SAML_NS))
                this.advice.add(obj);
            else
                throw new IllegalArgumentException("SAMLAssertion() can only process advice Strings, SAMLAssertions, or DOM elements from a non-saml namespace");
        }
    }

This implies that the CLI must distinguish between arbitrary strings and DOM elements, which currently it does not.
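An added illustration of the two paths described above, written for this bug entry and not taken from gridshib-saml-issuer or OpenSAML. It models the buggy behaviour (file contents handled as a String and wrapped in AssertionIDReference, so the serializer escapes the markup) beside the corrected behaviour (file contents parsed into a DOM element and attached as a child, subject to the same "no parent, not in the SAML namespace" rule OpenSAML applies). The sample input and the `urn:example:advice` namespace are constructed for the example.

```python
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace (XML.SAML_NS in OpenSAML 1.1).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ex", "urn:example:advice")  # constructed for the example


def namespace_of(elem):
    """Return the namespace URI of an ElementTree element ('' if unqualified)."""
    return elem.tag[1:].split("}", 1)[0] if elem.tag.startswith("{") else ""


def is_allowed_advice_element(elem):
    """Mirror OpenSAML 1.1's rule for DOM elements in Advice: a parsed, parentless
    element is accepted only if it comes from a non-SAML namespace. SAML-namespace
    content (e.g. an Assertion) must go in as a SAMLAssertion object instead."""
    return namespace_of(elem) != SAML_NS


def advice_from_string(raw):
    """Buggy path: the --infile contents are treated as an opaque String and placed
    as text inside AssertionIDReference, so '<' and '>' are serialized as entities."""
    advice = ET.Element("{%s}Advice" % SAML_NS)
    ref = ET.SubElement(advice, "{%s}AssertionIDReference" % SAML_NS)
    ref.text = raw
    return ET.tostring(advice, encoding="unicode")


def advice_from_element(raw):
    """Corrected path: parse the file into an element first, check it against the
    namespace rule, and attach it as a child so its markup survives serialization."""
    elem = ET.fromstring(raw)
    if not is_allowed_advice_element(elem):
        raise ValueError("SAML-namespace content must be added as a SAMLAssertion, "
                         "not as a raw DOM element")
    advice = ET.Element("{%s}Advice" % SAML_NS)
    advice.append(elem)
    return ET.tostring(advice, encoding="unicode")


# Constructed sample --infile contents: an element from a non-SAML namespace.
NOTE = '<ex:Note xmlns:ex="urn:example:advice">hello</ex:Note>'

if __name__ == "__main__":
    print(advice_from_string(NOTE))   # markup escaped as &lt;ex:Note ...&gt;
    print(advice_from_element(NOTE))  # <ex:Note>hello</ex:Note> nested under Advice
```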