Xpath transformation not working in java


Problem description

This is my xml document. I want to sign only the userID part using xml signature. I am using xpath transformation to select that particular element.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Version="2.0" IssueInstant="2012-05-22T13:40:52:390"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="localhost:8080/consumer.jsp">
<UserID>
   xyz
</UserID>
<testing>
   text
</testing>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   http://localhost:8080/saml/SProvider.jsp
</saml:Issuer>
</samlp:AuthnRequest>


I am using the following code to add the transformations :

transformList.add(exc14nTransform);
 transformList.add(fac.newTransform(Transform.XPATH, new XPathFilterParameterSpec("samlp:AuthnRequest/UserID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"")));


But I get the following :

Original Exception was javax.xml.transform.TransformerException: Extra illegal tokens: 'xmlns', ':', 'samlp', '=', '"urn:oasis:names:tc:SAML:2.0:protocol"'


So, I tried removing the xmlns part.

transformList.add(fac.newTransform(Transform.XPATH, new XPathFilterParameterSpec("samlp:AuthnRequest/UserID")));


But it signs the whole document and gives the following message :

com.sun.org.apache.xml.internal.security.utils.CachedXPathFuncHereAPI fixupFunctionTable
INFO: Registering Here function


What is the problem?

EDIT

As @Jörn Horstmann said, the message is just a log or something like that. Now the problem is that even after giving the xpath query, the whole document is signed instead of just the UserID. I confirmed this by changing the value of the <testing> element after signing the document. The result is that the document does not get validated. (If it signed only the UserID part, then any changes made to <testing> should result in a valid signature.)

Recommended answer

This is not a valid xpath expression, there is no way to declare namespace prefixes inside the expression.

samlp:AuthnRequest/UserID xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

XPathFilterParameterSpec does have another constructor that allows specifying a mapping of namespace prefixes, you could try the following expression:

new XPathFilterParameterSpec("samlp:AuthnRequest/UserID",
    Collections.singletonMap("samlp", "urn:oasis:names:tc:SAML:2.0:protocol"))

The message does not seem to be an error, see line 426 here, its log level should probably be lower than INFO though.

I also had a look at the description of the xpath filtering:

The XPath expression appearing in the XPath parameter is evaluated once for each node in the input node-set. The result is converted to a boolean. If the boolean is true, then the node is included in the output node-set. If the boolean is false, then the node is omitted from the output node-set.

So the correct xpath expression to only include the UserID in the signature would be self::UserID. But don't ask me if this actually makes sense for an xml signature. The example in the specification seems to use an xpath expression to include everything except the signature element itself:

not(ancestor-or-self::dsig:Signature)

EDIT 2:

The correct expression is actually ancestor-or-self::UserID since the filter also has to include the text child nodes of the UserID node.
