DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=39029>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39029 ------- Additional Comments From [EMAIL PROTECTED] 2006-03-23 19:05 ------- (In reply to comment #2) First of all thanks for your time and your comments. They are really appreciated. > 1. Change StaxSignatureVerifcator to StaxSignatureVerifier Done, Thanks > 2. I don't see how the current structure would work with an XMLStreamReader > containing more than one signature, the code seems to start from the current > position and seek until end. I think a better "contract" might be that the > factory or filtered reader just read until a matching pair of start sig / end > sig tags are found. That way the caller could get another sig verified by > moving > the XMLStreamReader forward themselves. You can ask the Filter wich signature you want using StaxValidateContext.setSignatureNumber(int number) method, but right now is just hardcode to the first one. Regarding the sugestion for the "contract", I was thinking in two different Uses cases: 1.- Aspect oriented: A part of the code sets the expectations to the verifier filter, and handles the stream reader to the rest of the program that are not "Signature" aware. When the program finish reading the stream it asks the filter for the correctness of the Signature expectations. This the current api, but there's still a lot of things to do. 2.- In the another use case the application is aware of the "Signature" and notifies the Filter when the element referenced begins, and to what signature it belongs. This API is still undone, and I want to wait to finish the "aspect" one before begining with this. > 3. I see plenty of 1.5-isms, this may be ok, but then we need to make sure the > documentation is clear that Java 1.5+ is needed to use this part of the > library. My intention is that the library requires java 1.3 like the rest of the xml-sec library. Using 1.5-ism was just for fun... > 4. Unit tests use RSA, which I believe requires a 3rd-party JCE. Perhaps > having > the unit tests use DSA so they work w/o an external JCE would be better. I > also > plan to use DSA in my code for this reason (don't want to require a 3rd-party JCE). The RSA comes with sun java 1.4 and 1.5 it does not need any 3rd party JCE. Perhaps IBM or BEA jce don't contain this cypher. Again thanks for your sugestions. If you have more don't hesitate... -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
