Apache XML Security for Java

Overview

The Apache XML Security for Java library supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002 and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002.

There are a number of different options open to the developer using the library. For XML Signature, three different approaches are available:

• The JSR-105 API: The standard Java XML Digital Signature API. This uses a DOM (in-memory) implementation under-the-hood.
• The Apache Santuario Java DOM API: The older DOM API which pre-dates JSR-105.
• The Apache Santuario Java StAX API: The newer StAX-based (streaming) API which uses far less memory for large XML trees than the DOM approach.

For XML Encryption, two different approaches are available:

• The Apache Santuario Java DOM API: A DOM API for XML Encryption.
• The Apache Santuario Java StAX API: The newer StAX-based (streaming) API which uses far less memory for large XML trees than the DOM approach.

The StAX-based (streaming) functionality is only available as of the 2.0.0 release. Please see the streaming page for more information about how to use this approach.

News

November 2013

Version 1.5.6 of the Apache XML Security for Java library has been released.

Please see the release notes for more information.

This release fixes a new security advisory CVE-2013-4517.

June 2013

Security advisory CVE-2013-2172 has been issued for the Apache XML Security for Java project. Versions 1.4.8 and 1.5.5 have been released, fixing this issue.

Old News

See here for older news.