Xpath转换在java中不起作用 [英] Xpath transformation not working in java
问题描述
这是我的xml文档。我想使用xml签名仅签署userID部分。我正在使用xpath转换来选择该特定元素。
This is my xml document. I want to sign only the userID part using xml signature. I am using xpath transformation to select that particular element.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Version="2.0" IssueInstant="2012-05-22T13:40:52:390" ProtocolBinding="urn:oasis:na
mes:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="localhos
t:8080/consumer.jsp">
<UserID>
xyz
</UserID>
<testing>
text
</testing>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
http://localhost:8080/saml/SProvider.jsp
</saml:Issuer>
</samlp:AuthnRequest>
我使用以下代码添加转换:
I am using the following code to add the transformations :
transformList.add(exc14nTransform);
transformList.add(fac.newTransform(Transform.XPATH, new XPathFilterParameterSpec("samlp:AuthnRequest/UserID xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"")));
但我得到以下内容:
But I get the following :
Original Exception was javax.xml.transform.TransformerException: Extra illegal t
okens: 'xmlns', ':', 'samlp', '=', '"urn:oasis:names:tc:SAML:2.0:protocol"'
所以,我尝试删除xmlns部分。
So, I tried removing the xmlns part.
transformList.add(fac.newTransform(Transform.XPATH, new XPathFilterParameterSpec("samlp:AuthnRequest/UserID")));
但它会签署整个文件并提供以下信息:
But it signs the whole document and gives the following message :
com.sun.org.apache.xml.internal.security.utils.CachedXPa
thFuncHereAPI fixupFunctionTable
INFO: Registering Here function
有什么问题?
编辑
正如@JörnHorstmann所说,消息只是一个日志或类似的东西。现在的问题是,即使在给出xpath查询之后,整个文档也会被签名而不仅仅是UserID。我通过在签署文档后更改< testing> 元素的值来确认这一点。结果是文档没有得到验证(如果它只签署了UserID部分,那么对< testing> 所做的任何更改都应该产生有效的签名。)
What is the problem?
EDIT
As @Jörn Horstmann said the message is just a log or something like that. Now the problem is that even after giving the xpath query the whole document is signed instead of just the UserID. I confirmed this by changing the value of <testing>element after signing the document. The result is that the document does not get validated(If it signed only the UserID part, then any changes made to <testing> should result in a valid signature .)
推荐答案
这不是一个有效的xpath表达式,没有办法在表达式中声明名称空间prefixe。
This is not a valid xpath expression, there is no way to declare namespace prefixe inside the expression.
samlp:AuthnRequest/UserID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
XPathFilterParameterSpec 确实有另一个构造函数,它允许指定名称空间前缀的映射,您可以尝试以下表达式:
XPathFilterParameterSpec does have another constructor that allows to specify a mapping of namespace prefixes, you could try the following expression:
new XPathFilterParameterSpec("samlp:AuthnRequest/UserID",
Collections.singletonMap("samlp", "urn:oasis:names:tc:SAML:2.0:protocol"))
编辑:
消息似乎不是错误,请参阅这里的第426行,它的日志级别应该可能低于INFO。
The message does not seem to be an error, see line 426 here, its log level should probably be lower than INFO though.
我还看了一下 xpath过滤的描述:
对于输入节点集中的每个节点,XPath参数中出现的XPath表达式将被计算一次。结果转换为布尔值。如果布尔值为true,则该节点包含在输出节点集中。如果布尔值为false,则从输出节点集中省略该节点。
The XPath expression appearing in the XPath parameter is evaluated once for each node in the input node-set. The result is converted to a boolean. If the boolean is true, then the node is included in the output node-set. If the boolean is false, then the node is omitted from the output node-set.
所以正确的xpath表达式只包括签名中的 UserID 将是 self :: UserID 。但是不要问我这是否真的对xml签名有意义。规范中的示例似乎使用xpath表达式来包含除签名元素本身之外的所有内容:
So the correct xpath expression to only include the UserID in the signature would be self::UserID. But don't ask me if this actually makes sense for a xml signature. The example in the specification seems to use a xpath expression to include everything except the signature element itself:
not(ancestor-or-self::dsig:Signature)
编辑2:
正确的表达式实际上是 ancestor-or-self :: UserID ,因为过滤器还必须包含文本的子节点 UserID node。
The correct expression is actually ancestor-or-self::UserID since the filter also has to include the text child nodes of the UserID node.
这篇关于Xpath转换在java中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
