Apache Santuario
Apache XML Security for Java
...
Of course, there are cross-dependencies: e.g. a KeyResolver named RetrievalMethodResolver uses the ResourceResolver framework to retrieve a public key or certificate from an arbitrary location.
A property was added in the 1.5.0 release to enable "secure validation". This property is true by default from the 2.3.0 release, but false for earlier releases. When set to true, it enforces the following processing rules:
This functionality is supported in the core library through additional method signatures which take a boolean, and in the JSR-105 API via the property "org.apache.jcp.xml.dsig.secureValidation", e.g.:

```java
import javax.xml.crypto.dsig.XMLValidateContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
XMLValidateContext context = new DOMValidateContext(key, elem);
context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
```
Warning: Secure Validation should be enabled in production, as otherwise various attacks might be possible.