[jira] Updated: (WSFX-31) problem with xmlsec.jar version in cvs and opensaml signed SAML tokens

The following issue has been updated:

    Updater: David Keppler 
(mailto:dkeppler-AZamIotjMK3YtjvyW6yDsg@xxxxxxxxxxxxxxxx)
       Date: Wed, 18 Aug 2004 7:33 AM
    Comment:
axis.log file of the problem. Includes dump of the xml of the soap message that 
triggers the issue.
    Changes:
             Attachment changed to axis.log
    ---------------------------------------------------------------------
For a full history of the issue, see:

  http://issues.apache.org/jira/browse/WSFX-31?page=history

---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/WSFX-31

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: WSFX-31
    Summary: problem with xmlsec.jar version in cvs and opensaml signed SAML 
tokens
       Type: Bug

     Status: Unassigned
   Priority: Major

    Project: WSFX
 Components: 
             WSS4J

   Assignee: 
   Reporter: David Keppler

    Created: Wed, 18 Aug 2004 7:29 AM
    Updated: Wed, 18 Aug 2004 7:33 AM
Environment: Tomcat 5.0.25
Apache Axis from wss4j cvs lib directory (as of 8/18/04)
All other jar files from wss4j cvs lib directory

Description:
There appears to be a bug in the version of the xmlsec library provided in the 
WSS4J cvs repository that manifests itself when WSS4J's SAML token 
functionality is used.

Trying to use a pre-signed SAML assertion obtained from an exterior source 
(what would be the typical usage scenario I imagine) via use of a custom 
SAMLIssuer class in conjunction with the SAMLTokenUnsigned action (because I 
don't want the client to sign the token but want to maintain the signature 
placed on the token by the token issuer) causes an unhandled exception to be 
thrown by the XML canonicalization algorithm called by the 
XMLUtils.outputDOM(doc, os, true) call near the end of WSDoAllReceiver.invoke().

Work-around:
Replace the xmlsec.jar from cvs with the v1.10 release of that library from 
http://xml.apache.org/security/
However, I am unaware as to possible issues with the v1.10 library which may 
have led to a cvs build version of the library to be included in wss4j instead.


---------------------------------------------------------------------
JIRA INFORMATION:
This message is automatically generated by JIRA.

If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa

If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira