Skip to content

[SANTUARIO-576] Fix saml validation with saaj 1.4+ #453

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
coheigea merged 2 commits into from
Mar 21, 2025
Merged

[SANTUARIO-576] Fix saml validation with saaj 1.4+ #453

coheigea merged 2 commits into from
Mar 21, 2025

Conversation

@RivalAUT
Copy link
Contributor

@RivalAUT RivalAUT commented Feb 24, 2025

When using SAAJ versions from 1.4 onwards, the signature element of the request was not removed due to type mismatch. This led to failed validations because the digest was wrongly calculated.
With this fix the excludeNode will be excluded even if the currentNode and excludeNode differ in type (e.g. com.sun.xml.messaging.saaj.soap.impl.ElementImpl vs. com.sun.org.apache.xerces.internal.dom.ElementNSImpl).

@RivalAUT
[SANTUARIO-576] Fix saml validation with saaj 1.4
e47448a 
Signature element was not removed due to type mismatch
coheigea
coheigea requested changes Mar 5, 2025
View reviewed changes
Copy link
Contributor

@coheigea coheigea left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it work with just currentNode.isSameNode(excludeNode) ?

@RivalAUT
Copy link
Contributor Author

RivalAUT commented Mar 5, 2025

Sadly not, it does not work in my specific case with just currentNode.isSameNode(excludeNode)
It is needed to check both ways.

@coheigea
Copy link
Contributor

coheigea commented Mar 5, 2025

It's a bit strange - do you have a test case where isSameNode only works one way?

@RivalAUT
Copy link
Contributor Author

RivalAUT commented Mar 5, 2025

I sent a test case per mail on 13th January.
It happens because currentNode is of type com.sun.org.apache.xerces.internal.dom.ElementNSImpl and excludeNode is of type com.sun.xml.messaging.saaj.soap.impl.ElementImpl, where only checking from com.sun.xml.messaging.saaj.soap.impl.ElementImpl returns the correct result. As both currentNode and excludeNode can be from this class (in my case it is excludeNode, but in the original Jira Ticket it was the other way around), both have to be checked.

@coheigea coheigea requested a review from seanjmullan March 5, 2025 11:42
seanjmullan
seanjmullan reviewed Mar 10, 2025
View reviewed changes
Copy link
Member

@seanjmullan seanjmullan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Look ok, although it may be more optimal to first check if the references are equal and if not then fallback to calling isSameNode. WDYT?

@RivalAUT
Copy link
Contributor Author

RivalAUT commented Mar 21, 2025

I changed the code to check the references first - should be better like this, i agree.

@coheigea coheigea merged commit 0791fc5 into apache:main Mar 21, 2025
3 checks passed
coheigea pushed a commit that referenced this pull request Mar 21, 2025
@RivalAUT @coheigea
[SANTUARIO-576] Fix saml validation with saaj 1.4+ (#453)
5488262 
* [SANTUARIO-576] Fix saml validation with saaj 1.4

Signature element was not removed due to type mismatch

* [SANTUARIO-576] Check for reference equality first

---------

Co-authored-by: Lukas Fabian <lukas.fabian@svc.co.at>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@seanjmullan seanjmullan seanjmullan left review comments

@coheigea coheigea coheigea approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@RivalAUT @coheigea @seanjmullan