anyone filtering based on EntityAttributes in metadata ?

Ian Young ian at iay.org.uk
Sat Sep 3 12:07:35 BST 2011 

Steven said:

> xmlsectool is successfully validating my test metadata file. So yes, I'm 
> resonably confident that all the namespaces were correctly defined.

Tom said:

> I know that includes extension schema and perhaps it includes prefixes as well. In fact, I don't see how xmlsectool could know if the prefix is correct without the schema, so there ya go.

For reference:

The prefix used for a namespace is up to the author of the document; there's no "correct" or "incorrect" prefix for any given namespace.  Different documents can use different prefixes for the same namespace, and a single document can use multiple prefixes for a single namespace.  Schemas are associated with namespaces, not prefixes.

xmlsectool will complain:

* if a prefix is used without being defined

* if it has access to the schema for a namespace, and the document violates the schema constraints

That's really all it can do.  So, there are quite a lot of potential mistakes that it's impossible for xmlsectool to detect.  For example, if you have a typo in the definition of a prefix so that it is actually defined as a namespace for which no schema exists, then xmlsectool can't apply the schema to that namespace.  When I'm validating metadata, I catch this one by having a list of namespaces that I'm expecting and flag up namespaces I'm not expecting to see.  Turns out that people mistype those urn:blahblah things quite often.

I did pull a fresh copy of your test metadata file and run it through my system.  The only thing it threw up that might be relevant is  that you're using a QName of "xs:string" in your entity attribute definition, with the xs prefix declared on the document element.  That's not wrong, but I've recently noticed a bug in some other code that prevents namespaces being propagated through in this kind of context, so it might be worth moving the xmlns:xs declaration inwards to, say, the EntityAttributes element to see whether that changes the behaviour.

That would definitely be a bug, I think, but as Scott says: any NPE means a bug, we just have to track it down.

	-- Ian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3725 bytes
Desc: not available
Url : http://shibboleth.net/pipermail/users/attachments/20110903/7ee2bd0f/attachment.bin

More information about the users mailing list