Frequently Asked Questions - Apache XML Security for Java

Table of Contents

1. Questions about Java

1.1. I have a Java-(security/cryptography) problem. Can you help me?

...

Example: Imagine that you want to create a signature to store it on a web server as http://www.acme.com/signatures/sig1.xml^{Image Removed}. So BaseURI="http://www.acme.com/sig1.xml". This means that if you create a Reference with URI="./index.html", the library can easily use it's HTTPResourceResolver to fetch http://www.acme.com/index.html^{Image Removed} without that you have to say URI="http://www.acme.com/index.html".

...

Of course, there are cross-dependencies: e.g. a KeyResolver named RetrievalMethodResolver uses the ResourceResolver framework to retrieve a public key or certificate from an arbitrary location.

4. Secure Validation

A property was added in the 1.5.0 release to enable "secure validation". This property is true by default from the 2.3.0 release, but false for earlier releases. When set to true, it enforces the following processing rules:

• Limits the number of Transforms per Reference to a maximum of 5.
• Does not allow XSLT transforms.
• Does not allow a RetrievalMethod to reference another RetrievalMethod.
• Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
• Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
• MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
• Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
• 1.5.6 Does not allow DTDs

This functionality is supported in the core library through additional method signatures which take a boolean, and in the JSR-105 API via the property "org.apache.jcp.xml.dsig.secureValidation, e.g.:

XMLValidateContext context = new DOMValidateContext(key, elem);
context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);