On 11/16/11 1:08 PM, "Yang Yu" <[email protected]> wrote: >Right on the point, Scott. Suppose an application always calls >IdResolver.registerElementById() before validating the signature, then >the exhaustive search shouldn't be necessary, correct?
It will in general constantly fail unless you have application code specifically set up to deal with the problem. In turn, the IdResolver interface is, I think, an extension point that can be used to address that. You can also manually set IDness via DOM3. Of course, specifics vary. It depends on the application. >I'm wondering if it's possible to remove the call to >IdResolver.getElementBySearching in xml sec library? I believe it will be an option to disable it, and off by default, in a future release. -- Scott
