Welcome to Apache Santuario™
The Apache Santuario™ project is aimed at providing implementation of the primary security standards for XML:
- XML-Signature Syntax and Processing
- XML Encryption Syntax and Processing.
Two libraries are currently available.
- Apache XML Security for Java: This library includes the standard JSR-105 (Java XML Digital Signature) API, a mature DOM-based implementation of both XML Signature and XML Encryption, as well as a more recent StAX-based (streaming) XML Signature and XML Encryption implementation.
- Apache XML Security for C++: This library includes a mature Digital Signature and Encryption implementation using a proprietary C++ API on top of the Xerces-C XML Parser's DOM API. It includes a pluggable cryptographic layer, but support for alternatives to OpenSSL are less complete and less mature.
Version 4.0.0-M1 of the Apache XML Security for Java library has been released. This is a preview release of the forthcoming 4.0.0 release which is made available for testing, it should not be used in production. The main changes are:
- Java 11 requirement
- Removing SLF4J and using System.Logger
- AutoCloseable for several types
Version 2.2.5 of the Apache XML Security for Java library has been released. It contains some dependency updates to fix CVE reports.
Versions 3.0.2 and 2.3.3 of the Apache XML Security for Java library have been released. Support for the EdDSA has been added as part of these releases.
Versions 3.0.1 and 2.3.2 of the Apache XML Security for Java library have been released. The main change is to remove Xalan as a provided (optional) dependency. This means that support for the XML Signature here() function is removed by default, but can be configured if needed (see this test for an example which plugs in this custom XPath implementation).
Version 2.3.0 of the Apache XML Security for Java library has been released. This is a major new release of the library. Some of the significant changes include:
- A rewrite for the StAX output processor chain to make it
deterministic - https://issues.apache.org/jira/browse/SANTUARIO-555
- Secure Validation is now enabled by default -
- Local + HTTP ResourceResolvers are disabled by default -
Version 2.0.4 of the Apache XML Security for C++ library has been released. This release fixes a regression in 2.0.3 allowing the code to build on pre-1.1 OpenSSL versions.
See here for old news.