
This is my XML document. I want to sign only the UserID part using XML Signature. I am using an XPath transformation to select that particular element.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Version="2.0"
    IssueInstant="2012-05-22T13:40:52:390"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="localhost:8080/consumer.jsp">
  <UserID>
    xyz
  </UserID>
  <testing>
    text
  </testing>
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    http://localhost:8080/saml/SProvider.jsp
  </saml:Issuer>
</samlp:AuthnRequest>


I am using the following code to add the transformations:

transformList.add(exc14nTransform);
transformList.add(fac.newTransform(Transform.XPATH,
    new XPathFilterParameterSpec("samlp:AuthnRequest/UserID xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"")));


But I get the following:

Original Exception was javax.xml.transform.TransformerException: Extra illegal tokens: 'xmlns', ':', 'samlp', '=', '"urn:oasis:names:tc:SAML:2.0:protocol"'


So, I tried removing the xmlns part.

transformList.add(fac.newTransform(Transform.XPATH,
    new XPathFilterParameterSpec("samlp:AuthnRequest/UserID")));


But it signs the whole document and gives the following message:

com.sun.org.apache.xml.internal.security.utils.CachedXPathFuncHereAPI fixupFunctionTable
INFO: Registering Here function


What is the problem?
EDIT
As @Jörn Horstmann said, the message is just a log or something like that. Now the problem is that even after giving the XPath query, the whole document is signed instead of just the UserID. I confirmed this by changing the value of the <testing> element after signing the document. The result is that the document does not get validated (if it signed only the UserID part, then any changes made to <testing> should result in a valid signature).

Ashwin

1 Answer

3

This is not a valid XPath expression; there is no way to declare namespace prefixes inside the expression.

samlp:AuthnRequest/UserID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

XPathFilterParameterSpec does have another constructor that allows specifying a mapping of namespace prefixes; you could try the following expression:

new XPathFilterParameterSpec("samlp:AuthnRequest/UserID",
    Collections.singletonMap("samlp", "urn:oasis:names:tc:SAML:2.0:protocol"))

Edit:

The message does not seem to be an error, see line 426 here; its log level should probably be lower than INFO though.

I also had a look at the description of XPath filtering:

The XPath expression appearing in the XPath parameter is evaluated once for each node in the input node-set. The result is converted to a boolean. If the boolean is true, then the node is included in the output node-set. If the boolean is false, then the node is omitted from the output node-set.

So the correct XPath expression to only include the UserID in the signature would be self::UserID. But don't ask me if this actually makes sense for an XML signature. The example in the specification seems to use an XPath expression to include everything except the signature element itself:

not(ancestor-or-self::dsig:Signature)

Edit 2:

The correct expression is actually ancestor-or-self::UserID since the filter also has to include the text child nodes of the UserID node.

Jörn Horstmann
  • Thanks for responding. I tried it. The illegal token error has gone. But now after signing the document, I changed the UserID value and then tried to validate this changed document. It gets perfectly validated (it should not happen). And I am still getting the message: com.sun.org.apache.xml.internal.security.utils.CachedXPathFuncHereAPI fixupFunctionTable INFO: Registering Here function – Ashwin May 22 '12 at 11:29
  • I tried "samlp:AuthnRequest/self::UserID" and "samlp:AuthnRequest//self::UserID". Still it signs the whole document. – Ashwin May 22 '12 at 12:48
  • Can you also try `ancestor-or-self::UserID` (without preceding AuthnRequest)? Otherwise it would be useful to post your complete code for signing and verification. – Jörn Horstmann May 23 '12 at 08:16
  • thanks a lot!! it works now. what was the problem with the previous queries? – Ashwin May 23 '12 at 08:23
  • The xpath expression is tested against every node in the document, your previous expression would have matched the node having a `samlp:AuthnRequest` as a child, while `ancestor-or-self::UserID` matches if the current node is `UserID` and also for all its text child nodes. – Jörn Horstmann May 23 '12 at 08:34
  • I have one more problem. I want to use an XSLT transformation as the last transformation. The XSLT transformation is for rendering purposes. How do I add an XSLT transformation after the XPath transformation in Java? Do you want me to post a separate question for this? – Ashwin May 23 '12 at 08:37
  • I think that would be best as a separate question. – Jörn Horstmann May 23 '12 at 08:42
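The following is an added example, not code from the question or the answer, that puts the accepted answer and the comment exchange together: it signs a document with the XPath filter `ancestor-or-self::UserID` and then runs the asker's own check, modifying `<testing>` and then `<UserID>` and re-validating after each change. It assumes a constructed minimal AuthnRequest (same shape as the question's document), a freshly generated RSA key pair, the standard JSR 105 "DOM" provider that ships with the JDK, and the RSA-SHA256 signature algorithm URI; the namespace map is the `Collections.singletonMap` form from the answer. The XPath filter is applied before exclusive canonicalization, so the filter sees the node-set rather than a canonicalized byte stream.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.crypto.dsig.spec.XPathFilterParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathFilterSignDemo {

    // Constructed sample document (assumption): same shape as the question's AuthnRequest.
    static final String SAMPLE_XML =
        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Version=\"2.0\">"
      + "<UserID>xyz</UserID><testing>text</testing></samlp:AuthnRequest>";

    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Namespace-aware parsing is required, otherwise the samlp prefix is not resolvable.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    // Sign the document with one Reference (URI "" = whole document) whose node-set is
    // reduced by the XPath filter before it is canonicalized and digested.
    static void sign(Document doc, KeyPair kp, String xpathFilter) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        List<Transform> transforms = new ArrayList<>();
        // The filter is evaluated once per node and converted to a boolean (XPath Filtering).
        // ancestor-or-self::UserID is true for the UserID element and for its text children.
        transforms.add(fac.newTransform(Transform.XPATH,
            new XPathFilterParameterSpec(xpathFilter,
                Collections.singletonMap("samlp", "urn:oasis:names:tc:SAML:2.0:protocol"))));
        transforms.add(fac.newTransform(CanonicalizationMethod.EXCLUSIVE,
            (TransformParameterSpec) null));

        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            transforms, null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));

        // Embed the public key so the signature can be checked without a key store.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        // The ds:Signature element is appended under the document element; it is not matched
        // by the filter, so no enveloped-signature transform is needed here.
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    // Validate the first ds:Signature in the document against the given key pair's public key.
    static boolean verify(Document doc, KeyPair kp) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            throw new IllegalStateException("no Signature element found");
        }
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), nl.item(0));
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    static void setText(Document doc, String localName, String value) {
        doc.getElementsByTagName(localName).item(0).setTextContent(value);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document doc = parse(SAMPLE_XML);
        sign(doc, kp, "ancestor-or-self::UserID");
        System.out.println("untouched document validates: " + verify(doc, kp));

        // <testing> lies outside the filtered node-set, so it is not covered by the digest.
        setText(doc, "testing", "changed after signing");
        System.out.println("after changing <testing>:     " + verify(doc, kp));

        // <UserID> and its text child are exactly what the filter selected.
        setText(doc, "UserID", "someone-else");
        System.out.println("after changing <UserID>:      " + verify(doc, kp));
    }
}
```

Run it with `java XPathFilterSignDemo.java` on Java 11 or later (no extra dependencies). The asker's acceptance criterion from the question is what the three lines report: editing `<testing>` leaves the signature valid because that element never enters the Reference's node-set, while editing `<UserID>` breaks the digest. The same harness makes the comment thread's point visible: swap the filter string for `samlp:AuthnRequest/UserID` and the boolean test selects the wrong nodes (it is true for the node that has `samlp:AuthnRequest` as a child), so the coverage of the signature changes accordingly. From a defender's point of view this is also why a signature over a filtered node-set must be inspected carefully during verification: whatever the filter excludes can be altered freely without invalidating the signature, so a verifier should check that the signed subset actually covers the data it relies on.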