fix problem with XML parser and additional features options

2 files changed, 33 insertions, 23 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
index a4ab92f58..3d69b0380 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
@@ -23,14 +23,9 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
 
 import java.io.IOException;
-import java.io.StringWriter;
 
-import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerFactoryConfigurationError;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
 
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.provider.FilterException;
@@ -41,6 +36,7 @@ import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
 import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
 
 /**
  * @author tlenz
@@ -69,19 +65,21 @@ public class MOASPMetadataSignatureFilter implements MetadataFilter {
 				EntityDescriptor entityDes = (EntityDescriptor) metadata;
 				//check signature;
 				try {
-					Transformer transformer = TransformerFactory.newInstance()
-							.newTransformer();	
-					StringWriter sw = new StringWriter();
-					StreamResult sr = new StreamResult(sw);
-					DOMSource source = new DOMSource(metadata.getDOM());
-					transformer.transform(source, sr);
-					sw.close();
-					String metadataXML = sw.toString();
+					byte[] serialized = DOMUtils.serializeNode(metadata.getDOM(), "UTF-8");
+					
+//					Transformer transformer = TransformerFactory.newInstance()
+//							.newTransformer();	
+//					StringWriter sw = new StringWriter();
+//					StreamResult sr = new StreamResult(sw);
+//					DOMSource source = new DOMSource(metadata.getDOM());
+//					transformer.transform(source, sr);
+//					sw.close();
+//					String metadataXML = sw.toString();
 					
 					SignatureVerificationUtils sigVerify = 
 							new SignatureVerificationUtils();
 					VerifyXMLSignatureResponse result = sigVerify.verify(
-							metadataXML.getBytes(), trustProfileID);
+							serialized, trustProfileID);
 					
 					//check signature-verification result
 					if (result.getSignatureCheckCode() != 0) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index f97d646b6..47ea91753 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -46,20 +46,20 @@
 

 package at.gv.egovernment.moa.id.util;

 

+import java.io.ByteArrayInputStream;

 import java.io.IOException;

-import java.io.StringReader;

 import java.net.MalformedURLException;

 import java.net.URL;

+import java.util.Collections;

+import java.util.HashMap;

 import java.util.List;

+import java.util.Map;

 import java.util.regex.Matcher;

 import java.util.regex.Pattern;

 

 import javax.servlet.http.HttpServletRequest;

-import javax.xml.parsers.DocumentBuilder;

-import javax.xml.parsers.DocumentBuilderFactory;

 import javax.xml.parsers.ParserConfigurationException;

 

-import org.xml.sax.InputSource;

 import org.xml.sax.SAXException;

 

 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;

@@ -68,12 +68,22 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;

 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;

 import at.gv.egovernment.moa.logging.Logger;

+import at.gv.egovernment.moa.util.DOMUtils;

 import at.gv.egovernment.moa.util.MiscUtil;

 import at.gv.egovernment.moa.util.StringUtils;

 

 

 public class ParamValidatorUtils extends MOAIDAuthConstants{

    

+	  private static final Map<String, Object> parserFeatures =

+			  Collections.unmodifiableMap(new HashMap<String, Object>() {

+					private static final long serialVersionUID = 1L;

+					{	

+						put(DOMUtils.DISALLOW_DOCTYPE_FEATURE, true);

+						

+					}

+			  });

+	

    /**

     * Checks if the given target is valid

     * @param target HTTP parameter from request

@@ -482,11 +492,13 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
 		   return false;

 	   

 	   Logger.debug("Ueberpruefe Parameter XMLDocument");

-	   try {   

-		   DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

-		   DocumentBuilder builder = factory.newDocumentBuilder();

-		   InputSource is = new InputSource(new StringReader(document));

-		   builder.parse(is);

+	   try {

+		   DOMUtils.parseXmlValidating(new ByteArrayInputStream(document.getBytes()), parserFeatures);

+		   

+//		   DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

+//		   DocumentBuilder builder = factory.newDocumentBuilder();

+//		   InputSource is = new InputSource(new StringReader(document));

+//		   builder.parse(is);

 		   

 		   Logger.debug("Parameter XMLDocument erfolgreich ueberprueft");

 		   return true;