'Re: OpenSaml: BinarySecurityTokenMarshaller generates ValueType as EncodingType'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       shibboleth-dev
Subject:    Re: OpenSaml: BinarySecurityTokenMarshaller generates ValueType as EncodingType
From:       Brent Putman <putmanb () georgetown ! edu>
Date:       2020-09-03 0:03:41
Message-ID: 87e77feb-df55-abc1-d93d-e19593aa6f7e () georgetown ! edu
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


On 9/2/20 5:18 PM, Patrick Peer wrote:
> Hi Brent,
>
> I am tasked to assemble a security token renew request, with 
> signature and the whole shebang. To do so, I utilize the Java 
> implementation of OpenSaml. I ran into a problem and it seems easier 
> to contact you directly instead of jumping through the hoops 
> necessary to open a Jira issue.


First, please do not email the developers directly.  Use the dev list 
(copied on this reply): https://www.shibboleth.net/community/

Second, if you think you have found a bug and want it addressed, please 
do open a Jira issue.  That is the way that issues get addressed.


>
> The BinarySecurityToken is required to have the EncodingType and 
> ValueType attributes. However, the ValueType is never marshalled. 
> Digging a bit, I found that the BinarySecurityTokenMarshaller uses 
> the String "EncodingType" for the ValueType I provide. Digging even 
> deeper I could track this down to 
> commit d53f2af26987075774350ccb8d60db9110247638, which seems to split 
> up the code for the two Types. Before, both were rendered 
> within BinarySecurityTokenMarshaller with their respective correct names.


This was contributed code from someone else over a decade ago and has 
not been thoroughly tested.


>
> I'd be grateful for any insights, as It seems I will need to find a 
> workaround to meet my deadlines. Currently I think I will just alter 
> the DOM before generating the signature. I would prefer to not 
> compile and distribute the openSaml library myself.
>

Seems like a simple typo type of bug in the marshaller. We can fix it 
but I can't currently guarantee when we will do another release. You 
didn't mention whether you are using 3.x or 4.x. It's quite likely we 
will not be doing another release of 3.x at all.


[Attachment #5 (text/html)]

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 9/2/20 5:18 PM, Patrick Peer wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CA+_OtR+_yctVkC1J2a2Phn_7YDuVmmrOtsma0Xq6Ynh0=8O6ZQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Hi Brent,
        <div><br>
        </div>
        <div>I am tasked to assemble a security token renew request,
          with signature and the whole shebang. To do so, I utilize the
          Java implementation of OpenSaml. I ran into a problem and it
          seems easier to contact you directly instead of jumping
          through the hoops necessary to open a Jira issue.</div>
      </div>
    </blockquote>
    <p><br>
    </p>
    <p>First, please do not email the developers directly.  Use the dev
      list (copied on this reply): <a class="moz-txt-link-freetext" \
href="https://www.shibboleth.net/community/">https://www.shibboleth.net/community/</a></p>
  <p>Second, if you think you have found a bug and want it addressed,
      please do open a Jira issue.  That is the way that issues get
      addressed.<br>
    </p>
    <p><br>
    </p>
    <blockquote type="cite"
cite="mid:CA+_OtR+_yctVkC1J2a2Phn_7YDuVmmrOtsma0Xq6Ynh0=8O6ZQ@mail.gmail.com">
      <div dir="ltr">
        <div><br>
        </div>
        <div>The BinarySecurityToken is required to have the
          EncodingType and ValueType attributes. However, the ValueType
          is never marshalled. Digging a bit, I found that
          the BinarySecurityTokenMarshaller uses the String
          "EncodingType" for the ValueType I provide. Digging even
          deeper I could track this down to
          commit d53f2af26987075774350ccb8d60db9110247638, which seems
          to split up the code for the two Types. Before, both were
          rendered within BinarySecurityTokenMarshaller with their
          respective correct names.</div>
      </div>
    </blockquote>
    <p><br>
    </p>
    <p>This was contributed code from someone else over a decade ago and
      has not been thoroughly tested.  <br>
    </p>
    <p><br>
    </p>
    <blockquote type="cite"
cite="mid:CA+_OtR+_yctVkC1J2a2Phn_7YDuVmmrOtsma0Xq6Ynh0=8O6ZQ@mail.gmail.com">
      <div dir="ltr">
        <div><br>
        </div>
        <div>I'd be grateful for any insights, as It seems I will need
          to find a workaround to meet my deadlines. Currently I think I
          will just alter the DOM before generating the signature. I
          would prefer to not compile and distribute the openSaml
          library myself.</div>
        <br>
      </div>
    </blockquote>
    <p><br>
    </p>
    <p>Seems like a simple typo type of bug in the marshaller. We can
      fix it but I can't currently guarantee when we will do another
      release. You didn't mention whether you are using 3.x or 4.x. 
      It's quite likely we will not be doing another release of 3.x at
      all.<br>
    </p>
  </body>
</html>



-- 
To unsubscribe from this list send an email to dev-unsubscribe@shibboleth.net


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic