List: shibboleth-dev
Subject: Fwd: OpenSaml: BinarySecurityTokenMarshaller generates ValueType as EncodingType
From: Patrick Peer <p.peer () synedra ! com>
Date: 2020-09-03 8:27:48
Message-ID: CA+_OtRLPWeUsbMF8ETQtEOV0wMn-9Z-wsyRZ2QDehtSYhvcBpQ () mail ! gmail ! com
On Thu, Sep 3, 2020 at 2:03 AM Brent Putman <putmanb@georgetown.edu> wrote:
>
> On 9/2/20 5:18 PM, Patrick Peer wrote:
>
> Hi Brent,
>
> I am tasked to assemble a security token renew request, with signature and
> the whole shebang. To do so, I utilize the Java implementation of OpenSaml.
> I ran into a problem and it seems easier to contact you directly instead of
> jumping through the hoops necessary to open a Jira issue.
>
>
> First, please do not email the developers directly. Use the dev list
> (copied on this reply): https://www.shibboleth.net/community/
>
Will do. I briefly searched for a list like this. Not thoroughly enough it
seems :).
> Second, if you think you have found a bug and want it addressed, please do
> open a Jira issue. That is the way that issues get addressed.
>
The process necessary to get permission to post a Jira issue does not seem
to be straightforward or quick. I will go through it eventually, but right
now my focus is on developing a product.
>
>
> The BinarySecurityToken is required to have the EncodingType and ValueType
> attributes. However, the ValueType is never marshalled. Digging a bit, I
> found that the BinarySecurityTokenMarshaller uses the String "EncodingType"
> for the ValueType I provide. Digging even deeper I could track this down to
> commit d53f2af26987075774350ccb8d60db9110247638, which seems to split up
> the code for the two Types. Before, both were rendered
> within BinarySecurityTokenMarshaller with their respective correct names.
>
>
> This was contributed code from someone else over a decade ago and has not
> been thoroughly tested.
>
I wondered, too, why this did not pop up earlier.
>
>
> I'd be grateful for any insights, as it seems I will need to find a
> workaround to meet my deadlines. Currently I think I will just alter
> the DOM before generating the signature. I would prefer to not compile and
> distribute the openSaml library myself.
>
>
> Seems like a simple typo type of bug in the marshaller. We can fix it but
> I can't currently guarantee when we will do another release. You didn't
> mention whether you are using 3.x or 4.x. It's quite likely we will not be
> doing another release of 3.x at all.
>
I agree. The fix should be easy enough. The version of OpenSaml where the
fix will be included is not that important to me. We are not shy when it
comes to upgrading libraries, and a bugfix is a good reason to do so a
little earlier. Hearing from you that 3.x is not under active development
anymore is an even better reason.
Meanwhile I found an easy solution: `token.setValueType(...);` =>
`token.getUnknownAttributes().put()`, so no hurry ;). Actually, I
anticipated that I'd need a workaround to finish my current work anyway,
and the biggest motivation to reach out to you (aside from finding a good
workaround in the first place) was that I thought you would want to be aware of
the issue.
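
Added example, not part of the original message and not OpenSAML code: a JDK-only check for the "alter the DOM before generating the signature" route mentioned in the thread, which verifies that each marshalled wsse:BinarySecurityToken carries both attributes and repairs them before the signature is computed. The class name, the sample XML and the assumption that the misnamed attribute carries the ValueType URI are constructed for illustration; the expected values are passed in by the caller.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class BstAttributeCheck {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String BASE64 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final String X509V3 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

    // Run BEFORE signing: changing attributes afterwards invalidates the signature.
    // Returns how many tokens had to be corrected.
    static int checkAndRepair(Document doc, String valueType, String encodingType) {
        NodeList tokens = doc.getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken");
        int repaired = 0;
        for (int i = 0; i < tokens.getLength(); i++) {
            Element bst = (Element) tokens.item(i);
            boolean changed = false;
            // Symptom from the thread: ValueType is missing from the output.
            if (!valueType.equals(bst.getAttributeNS(null, "ValueType"))) {
                bst.setAttributeNS(null, "ValueType", valueType);
                changed = true;
            }
            // The value written under the wrong name may have replaced EncodingType.
            if (!encodingType.equals(bst.getAttributeNS(null, "EncodingType"))) {
                bst.setAttributeNS(null, "EncodingType", encodingType);
                changed = true;
            }
            if (changed) repaired++;
        }
        return repaired;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: no ValueType, and its URI sits under EncodingType.
        String xml = "<wsse:Security xmlns:wsse=\"" + WSSE_NS + "\">"
            + "<wsse:BinarySecurityToken EncodingType=\"" + X509V3 + "\">AAAA"
            + "</wsse:BinarySecurityToken></wsse:Security>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println("tokens repaired: " + checkAndRepair(doc, X509V3, BASE64));
    }
}
```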