Santuario / SANTUARIO-312

Cannot resolve element with ID error when signing SAML Assertion element with ID attribute

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not a Problem
    • Affects Version/s: Java 1.5.1
    • Fix Version/s: None
    • Component/s: None
    • Security Level: Public (Public issues, viewable by everyone)
    • Labels:
      None

      Description

      When trying to sign a SAML 2.0 Assertion XML element using the Apache XML Security provider (org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI), the error below is thrown and the operation fails. This is seen in xmlsec 1.5.1 (Java).

      However, using this provider (which is part of Java 6 and also was part of xmlsec 1.4.5) - org.jcp.xml.dsig.internal.dom.XMLDSigRI does not result in any error.

      Please see attached test code to repro the problem.

      ------- Unit test output ----------
      XMLSignatureFactory class = org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory

      javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID ID_b528ce76-71e5-4012-aabb-daa952e14603
      at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:419)
      at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:347)
      at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:471)
      at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:370)
      at example.xmlseclib.TestSignAssertion.testSign(TestSignAssertion.java:117)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
      at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
      at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
      at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
      at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
      at org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4ClassRunner.java:79)
      at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:71)
      at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
      at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
      at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
      at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
      at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
      at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
      at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
      at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
      at org.junit.runner.JUnitCore.run(JUnitCore.java:157)
      at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:76)
      at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:182)
      at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:62)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
      Caused by: javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID ID_b528ce76-71e5-4012-aabb-daa952e14603
      at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:122)
      at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:413)
      ... 32 more
      Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID ID_b528ce76-71e5-4012-aabb-daa952e14603
      at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolve(ResolverFragment.java:86)
      at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:279)
      at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:115)
      ... 33 more
      javax.xml.crypto.URIReferenceException: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID ID_b528ce76-71e5-4012-aabb-daa952e14603
      at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:122)
      at org.apache.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:413)
      at org.apache.jcp.xml.dsig.internal.dom.DOMReference.digest(DOMReference.java:347)
      at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.digestReference(DOMXMLSignature.java:471)
      at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:370)
      at example.xmlseclib.TestSignAssertion.testSign(TestSignAssertion.java:117)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
      at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
      at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
      at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
      at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
      at org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4ClassRunner.java:79)
      at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:71)
      at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
      at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
      at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
      at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
      at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
      at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
      at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
      at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
      at org.junit.runner.JUnitCore.run(JUnitCore.java:157)
      at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:76)
      at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:182)
      at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:62)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
      Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID ID_b528ce76-71e5-4012-aabb-daa952e14603
      at org.apache.xml.security.utils.resolver.implementations.ResolverFragment.engineResolve(ResolverFragment.java:86)
      at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:279)
      at org.apache.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:115)
      ... 33 more

      Process finished with exit code 255

      1. TestSignAssertion.java
        5 kB
        Murali Gunasekaran
      2. client.jks
        6 kB
        Murali Gunasekaran
      3. assertion.xml
        2 kB
        Murali Gunasekaran

        Activity

        Scott Cantor added a comment -

        More than likely this is your bug, not Santuario's. I believe the 1.4->1.5 switch is when Santuario was fixed to stop assuming IDness based on attribute names. Your SAML code is responsible for establishing the IDness of the ID attribute in the DOM. If it's not doing that, then you can't count on something else doing it for you unless you use a validating parser and the schema(s).

        You can also, I believe, supply your own IDResolver component.

        Murali Gunasekaran added a comment -

        Thanks, that's what I figured, as the "ID" attribute in the Assertion need not be interpreted as an xml id by Santuario, even though that's how it was working.

        It's just that the sudden change in the behavior was confusing (depending on the XMLSignatureFactory instance that gets picked up from the classpath you can get different behavior, i.e. between what is included in Java 6 internally and xmlsec 1.5.x).

        For example, I ran into this when I upgraded my wss4j lib from 1.6.3 to 1.6.5 (which seemed to upgrade the xmlsec lib from 1.4.5 to 1.5.1) and suddenly working code broke.

        Anyway, for others who encounter this, I resolved this by explicitly setting the "ID" attribute as an element id attribute like this:

        Element rootEl = doc.getDocumentElement();
        rootEl.setIdAttribute("ID", true);

        I'm marking this issue as resolved. Thanks

        Scott Cantor added a comment -

        Just a tip, you shouldn't use DOM1 calls like that. You need to use setIdAttributeNS and should never mix non-NS DOM calls in code that is namespace aware.
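
The approach discussed in this thread, as an added example (not the attached TestSignAssertion.java and not Santuario code): a namespace-aware, non-validating parse leaves `ID` as an ordinary attribute, so the same-document reference only resolves once the attribute is registered with `setIdAttributeNS`. The class name, the sample assertion and the throwaway RSA key are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignAssertionById {   // hypothetical class name
    // Constructed sample input, not the assertion.xml attached to the issue.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
        + " ID=\"ID_example\" Version=\"2.0\" IssueInstant=\"2012-01-01T00:00:00Z\">"
        + "<saml:Issuer>https://idp.example.org</saml:Issuer></saml:Assertion>";
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(ASSERTION.getBytes(StandardCharsets.UTF_8)));
        Element assertion = doc.getDocumentElement();
        String id = assertion.getAttributeNS(null, "ID");
        // No schema or DTD was applied, so "ID" has no ID type yet and this prints null.
        System.out.println("before: " + doc.getElementById(id));
        // SAML's ID attribute is unqualified, so its namespace URI is null.
        assertion.setIdAttributeNS(null, "ID", true);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + id,
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Arrays.asList(ref));
        // Throwaway key for the demo; real code loads the signing key from a keystore.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        // Appends ds:Signature as the last child of the Assertion (here, after Issuer).
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kpg.generateKeyPair().getPrivate(), assertion));
        System.out.println("signatures: " + assertion
            .getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").getLength());
    }
}
```

Removing the `setIdAttributeNS` call should reproduce the "Cannot resolve element with ID" failure from the report, since the reference dereferencer relies on the DOM's own ID lookup.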


          People

          • Assignee:
            Colm O hEigeartaigh
            Reporter:
            Murali Gunasekaran