It looks really weird to me.

Perhaps the documentBuilder is not namespace aware...

See javadoc for DocumentBuilder...

setNamespaceAware

public void setNamespaceAware(boolean awareness)

   Specifies that the parser produced by this code will provide
support for XML namespaces. By default the value of this is set to
false

   Parameters:
       awareness - true if the parser produced will provide support
for XML namespaces; false otherwise.


Can you test again with this change?

Regards,


On 5/5/06, James Reeves <[EMAIL PROTECTED]> wrote:
Hi,

I think I've discovered two bugs in the c14n methods of XML Security.
Your site recommends bringing up bugs on the mailing list first (a
sensible precaution!), so I'll detail my findings here and see if anyone
can confirm if these bugs are valid. I'm using the Java 1.3 version of XML
Security.

The first potential problem is that XML security doesn't appear to order
namespace attributes in the same manner as the W3C spec. The W3C c14n
spec gives an example here: http://www.w3.org/TR/xml-c14n#Example-SETags

In the W3C example, it transforms this tag:

    <e5 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
       xmlns:b="http://www.ietf.org"
       xmlns:a="http://www.w3.org"
       xmlns="http://example.org"/>

Into this (ignore the word-wrapping - it's all one line):

    <e5 xmlns="http://example.org" xmlns:a="http://www.w3.org"
xmlns:b="http://www.ietf.org" attr="I'm" attr2="all" b:attr="sorted"
a:attr="out"></e5>

I tried the same test using the XMLUtils.outputDOMc14nWithComments
method, and it returned this result (again, ignore the word-wrapping):

    <e5 a:attr="out" attr="I'm" attr2="all" b:attr="sorted"
xmlns="http://example.org" xmlns:a="http://www.w3.org"
xmlns:b="http://www.ietf.org"></e5>

The second problem is that in the spec, empty xmlns attributes are
removed. Thus, this original tag:

    <e6 xmlns="" xmlns:a="http://www.w3.org">

Becomes this, when c14n'd:

    <e6 xmlns:a="http://www.w3.org">

The XMLUtils.outputDOMc14nWithComments method does not remove the
redundant xmlns attribute:

    <e6 xmlns="" xmlns:a="http://www.w3.org">

The code I used to obtain all of this output is attached.

--
James Reeves
http://www.hybridfour.com



import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XmlC14nTest
{
        public static void main(String[] args) throws Exception
        {
                // Initialise the XML Security library before using it.
                org.apache.xml.security.Init.init();

                // Test input containing the e5 and e6 elements discussed above.
                String xml = "<!DOCTYPE doc [<!ATTLIST e9 attr CDATA \"default\">]>\n" +
                                        "<doc>\n" +
                                        "   <e1   />\n" +
                                        "   <e2   ></e2>\n" +
                                        "   <e3   name = \"elem3\"   id=\"elem3\"   />\n" +
                                        "   <e4   name=\"elem4\"   id=\"elem4\"   ></e4>\n" +
                                        "   <e5 a:attr=\"out\" b:attr=\"sorted\" attr2=\"all\" attr=\"I'm\"\n" +
                                        "      xmlns:b=\"http://www.ietf.org\"\n" +
                                        "      xmlns:a=\"http://www.w3.org\"\n" +
                                        "      xmlns=\"http://example.org\"/>\n" +
                                        "   <e6 xmlns=\"\" xmlns:a=\"http://www.w3.org\">\n" +
                                        "      <e7 xmlns=\"http://www.ietf.org\">\n" +
                                        "         <e8 xmlns=\"\" xmlns:a=\"http://www.w3.org\">\n" +
                                        "            <e9 xmlns=\"\" xmlns:a=\"http://www.ietf.org\"/>\n" +
                                        "         </e8>\n" +
                                        "      </e7>\n" +
                                        "   </e6>\n" +
                                        "</doc>\n";

                // Parse with a DocumentBuilderFactory left at its default settings.
                DocumentBuilder builder =
                        DocumentBuilderFactory.newInstance().newDocumentBuilder();

                Document document = builder.parse(new InputSource(new StringReader(xml)));

                // Write the canonical form (with comments) to standard output.
                XMLUtils.outputDOMc14nWithComments(document, System.out);
        }
}





--
http://r-bg.com
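
Added example (not part of the original thread, and not code from the XML Security project): the check the reply asks for, parsing the e5 element with setNamespaceAware off and on and canonicalizing each DOM so the two results can be compared. The class name NamespaceAwareC14nCheck and the helper canonicalize are hypothetical, and a Java 5 or later runtime is assumed.

```java
import java.io.ByteArrayOutputStream;
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.xml.sax.InputSource;

// Hypothetical class name; added example, not the project's own code.
public class NamespaceAwareC14nCheck
{
    // Constructed sample: the e5 element quoted in the message above.
    static final String XML =
        "<e5 a:attr=\"out\" b:attr=\"sorted\" attr2=\"all\" attr=\"I'm\"\n" +
        "   xmlns:b=\"http://www.ietf.org\"\n" +
        "   xmlns:a=\"http://www.w3.org\"\n" +
        "   xmlns=\"http://example.org\"/>";

    // Hypothetical helper: parse XML with the given setting, return its c14n form.
    static String canonicalize(boolean namespaceAware) throws Exception
    {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(namespaceAware);
        Document doc = factory.newDocumentBuilder()
            .parse(new InputSource(new StringReader(XML)));

        // Print what the DOM records for each attribute. A parser that is not
        // namespace aware leaves the namespace URI unset, xmlns declarations included.
        NamedNodeMap attrs = doc.getDocumentElement().getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            System.out.println("  " + a.getName() + " -> namespaceURI=" + a.getNamespaceURI());
        }

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        XMLUtils.outputDOMc14nWithComments(doc, out);
        return out.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception
    {
        org.apache.xml.security.Init.init();
        for (boolean aware : new boolean[] { false, true }) {
            System.out.println("setNamespaceAware(" + aware + "):");
            System.out.println("  c14n: " + canonicalize(aware));
        }
    }
}
```

Since XML signature digests are computed over the canonical bytes, any difference between the two outputs matters for signing and verification code that builds its own DOM.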