Ok great.

> I propose to add a tree search when
> this switch is enabled, which will check that each Reference URI that
> is a fragment or XPointer reference is unique in the document.

I have a prototype of this working and I've run into a few issues I'd like some feedback on. The basic idea is a tree search when secure validation is enabled, that checks that no two Elements in the Document have the same ID attribute that was registered using the DOM APIs, e.g. "if (attr.isId() && id.equals(attr.getValue()))". The problem is that it does not take account of IDs in other namespaces, for example xmlns:wsu. If the user wants to support IDs in other namespaces then he/she has to do their own tree search. IMO we should also be checking the wsu namespace, as well as the SAML AssertionID/ID attributes, by default, as this gives better default protection against wrapping attacks.

Note that we don't actually support retrieving References by this search, just checking for duplicates. So it's still up to the user to find the elements that are signed so that they can be retrieved via Document.getElementById().

Opinions?

Colm.

On Fri, Jan 6, 2012 at 7:22 PM, Cantor, Scott <[email protected]> wrote:
> On 1/6/12 1:16 PM, "Colm O hEigeartaigh" <[email protected]> wrote:
>>
>> Does this sound like a reasonable course of action?
>
> Yes.
>
> -- Scott
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
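The duplicate-ID tree search discussed in this message, as an added example that is not code from Santuario or from Colm's prototype: it uses Python's xml.dom.minidom, which exposes the same W3C DOM calls (isId, setIdAttribute, getElementById), and treats DOM-registered IDs, wsu:Id and the SAML AssertionID/ID attributes as IDs. The wsu and SAML namespace URIs are assumed well-known values, and the sample message is constructed to show the duplicate-Id shape a wrapping attack leaves behind.

```python
from xml.dom import minidom

# Assumed namespace URIs for the "other namespaces" the thread mentions.
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML_NS = {"urn:oasis:names:tc:SAML:1.0:assertion": "AssertionID",
           "urn:oasis:names:tc:SAML:2.0:assertion": "ID"}

def is_id_attribute(element, attr):
    """ID if registered through the DOM (isId), a wsu:Id, or a SAML ID/AssertionID."""
    if attr.isId:  # set by setIdAttribute(NS), the DOM registration the thread relies on
        return True
    if attr.namespaceURI == WSU_NS and attr.localName == "Id":
        return True
    # SAML ID attributes are unprefixed, so key on the owning element's namespace.
    return attr.namespaceURI is None and SAML_NS.get(element.namespaceURI) == attr.localName

def find_duplicate_ids(doc):
    """Tree search over the whole document: {id: [tag names]} for every ID value
    carried by more than one element.  An empty dict means all IDs are unique."""
    seen = {}

    def walk(element):
        for attr in element.attributes.values():
            if is_id_attribute(element, attr):
                seen.setdefault(attr.value, []).append(element.tagName)
        for child in element.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child)

    walk(doc.documentElement)
    return {i: tags for i, tags in seen.items() if len(tags) > 1}

# Constructed sample: a wrapped copy of the Body reuses its wsu:Id and two SAML
# assertions share an ID; the plain Id attributes are unique but only count
# once registered through the DOM.
SAMPLE = f"""<Envelope xmlns:wsu="{WSU_NS}" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <Header><Wrapper><Body wsu:Id="body">forged</Body></Wrapper><Signature Id="sig"/></Header>
  <Body wsu:Id="body">original</Body>
  <saml:Assertion ID="a1"/><saml:Assertion ID="a1"/><Timestamp Id="ts"/>
</Envelope>"""

def check(xml_text, register=("Id",)):
    """Parse, register the given unprefixed attributes as DOM IDs, then search."""
    doc = minidom.parseString(xml_text)
    for el in doc.getElementsByTagName("*"):
        for name in register:
            if el.hasAttribute(name):
                el.setIdAttribute(name)
    return find_duplicate_ids(doc)
```

Without the wsu and SAML checks, only the registered plain Id attributes would be considered, and both duplicates in the sample would pass unnoticed.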
