When an XML comment is present within the <EntityDescriptor> element in a metadata file, an UnmarshallingException occurs. In previous versions, XML comments did not cause any issues. Is there a reason why XML comments are no longer permitted in the IDP metadata? Note that XML comments outside the <EntityDescriptor> will not cause an exception.
at java.base/java.lang.Thread.run(Thread.java:1583) Caused by: org.opensaml.core.xml.io.UnmarshallingException: Saw illegal Comment node in parsed DOM, likely due to improper parser configuration
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:146)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:348)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:139)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:348)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:139)
at org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver.initMetadataResolver(DOMMetadataResolver.java:60)
... 66 common frames omitted
Sample XML file:
<!-- this comment is fine and is ignored by OpenSAML -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://idp.acme.com/idp/custom_shibboleth">
    <!-- this comment is illegal and will fail in the Unmarshalling -->
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
        <!-- snip -->
    </IDPSSODescriptor>
</EntityDescriptor>
Environment
None
Activity
Scott Cantor
August 23, 2024 at 7:50 PM
Thanks for confirming. Of course, as we noted online, using your own parser with OpenSAML opens a huge range of security risks to begin with.
Brent Putman
August 23, 2024 at 7:44 PM
Yes. IIRC we’ve never supported comments in the XMLObject code. Chad’s position was that it’s too difficult and provides no value. So the parser must strip them, and that’s why our ParserPool is configured that way by default. So configuring the JAXP parser used to ignore comments was a requirement.
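The comments above describe the contract: the DOM handed to OpenSAML's unmarshaller must already have its comment nodes stripped by the JAXP parser, which OpenSAML's own ParserPool does by default. The following is an added example (not code from OpenSAML or from anyone in this thread) showing what that looks like when an application supplies its own parser. It builds a DocumentBuilderFactory with setIgnoringComments either off or on, parses a constructed metadata sample modelled on the one in the report, and counts the comment nodes that survive under <EntityDescriptor>, which is what the unmarshaller walks. The XXE-related feature settings are the usual JAXP/Xerces hardening for untrusted XML and are included because, as noted above, a hand-rolled parser is where the real risk lives; the class and method names are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public final class MetadataParserCheck {

    // Constructed sample, modelled on the metadata in the issue report (not a real IdP).
    private static final String METADATA =
        "<!-- comment before the root element: not under EntityDescriptor, so harmless -->\n"
      + "<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\""
      + " entityID=\"https://idp.example.org/idp\">\n"
      + "  <!-- comment inside the root element: the node the unmarshaller rejects -->\n"
      + "  <IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>\n"
      + "</EntityDescriptor>\n";

    /**
     * A factory configured the way a parser handed to OpenSAML needs to be.
     * ignoreComments=false reproduces the misconfiguration in the report;
     * ignoreComments=true is the setting OpenSAML's default ParserPool uses.
     */
    static DocumentBuilderFactory hardenedFactory(boolean ignoreComments)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);               // SAML metadata is namespace-qualified
        f.setIgnoringComments(ignoreComments);   // the setting this issue is about
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        // XXE hardening for untrusted XML: no DOCTYPE, no external entities or DTDs.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    /** Counts COMMENT_NODEs in the subtree rooted at n, i.e. what the unmarshaller would trip over. */
    static int countComments(Node n) {
        int count = (n.getNodeType() == Node.COMMENT_NODE) ? 1 : 0;
        NodeList kids = n.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            count += countComments(kids.item(i));
        }
        return count;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Only the subtree under the document element matters: the comment before
        // <EntityDescriptor> is a child of the Document node and is never unmarshalled.
        Document kept = parse(hardenedFactory(false), METADATA);
        Document stripped = parse(hardenedFactory(true), METADATA);
        System.out.println("comments under EntityDescriptor, setIgnoringComments(false): "
            + countComments(kept.getDocumentElement()));
        System.out.println("comments under EntityDescriptor, setIgnoringComments(true):  "
            + countComments(stripped.getDocumentElement()));
    }
}
```

With setIgnoringComments(false) one comment node survives under the document element, which is exactly the "Saw illegal Comment node in parsed DOM" case; with setIgnoringComments(true) none do, and the comment before the root element is irrelevant either way because unmarshalling starts at the document element. If you are not forced to supply your own parser, the simpler and safer fix is to let OpenSAML build the DOM through its default ParserPool, as the comments above recommend.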
Scott Cantor
August 23, 2024 at 3:57 PM
Our ParserPool objects default to ignoring comments. Also not a change in 5.
I would have to guess your parser configuration is what changed, not our code.
Scott Cantor
August 23, 2024 at 3:28 PM
That code’s been in there a while, and is unilateral. My guess is we’ve never allowed comments, and that perhaps we strip them via the parser we use. This doesn’t appear to be a change since 5, at least not a localized one.