...
The StAX-based (streaming) functionality is only available as of the 2.0.0 release. Please see the Streaming XML Security page for more information about how to use this approach.
News
November 2023
Version 4.0.1 of the Apache XML Security for Java library has been released, containing a bug fix ( Image AddedSANTUARIO-609 - Remove call to Signature.getProvider() in debug log RESOLVED )
October 2023
Versions 4.0.0, 3.0.3, 2.3.4 and 2.2.6 of the Apache XML Security for Java library have been released. A security advisory has been fixed in these releases:
...
Versions 3.0.2 and 2.3.3 of the Apache XML Security for Java library have been released. Support for the EdDSA has been added as part of these releases.
September 2022
Versions 3.0.1 and 2.3.2 of the Apache XML Security for Java library have been released. The main change is to remove Xalan as a provided (optional) dependency. This means that support for the XML Signature here() function is removed by default, but can be configured if needed (see this test for an example which plugs in this custom XPath implementation).
May 2022
Versions 3.0.0, 2.3.1, 2.2.4 and 2.1.8 of the Apache XML Security for Java library have been released. 3.0.0 is a new major release of the library that contains a change to the jakarta JAXB namespace for the streaming library. 2.1.8 is the last planned release of 2.1.x.
November 2021
Version 2.3.0 of the Apache XML Security for Java library has been released. This is a major new release of the library. Some of the significant changes include:
- A rewrite for the StAX output processor chain to make it
deterministic - https://issues.apache.org/jira/browse/SANTUARIO-555 - Secure Validation is now enabled by default -
https://issues.apache.org/jira/browse/SANTUARIO-574 - Local + HTTP ResourceResolvers are disabled by default -
https://issues.apache.org/jira/browse/SANTUARIO-573
September 2021
Version 2.2.3 and 2.1.7 of the Apache XML Security for Java library has been released. Please see the release notes for more information.
These releases contain a fix for a new CVE:
- CVE-2021-40690 - Bypass of the secureValidation property
Please refer to the security advisories page for further information.
Old News
See here for older news.