On 12/20/2011 10:19 AM, Chad La Joie wrote:
On Tue, Dec 20, 2011 at 04:58, Colm O hEigeartaigh<cohei...@apache.org>  wrote:
This is already available via the JSR-105 API by setting the
"javax.xml.crypto.dsig.cacheReference" property to true. Apache WSS4J
uses this to build a set of protected element results, that can be
subsequently compared to an XPath expression via WS-SecurityPolicy.

Thanks for the pointer.

It is up to the application calling the signature verification code to
ensure that IDs are unique. The 1.5.0 release tightens this
requirement by not searching the document tree for any IDs in "known"
namespaces. The calling code must find the desired elements and
register them on the context/IdResolver for signature validation to
work.

I really think the library should support this directly and by
default.  Given *zero* systems using the library did the right thing
in the review done by the researchers, I think it's safe to say this
is non-obvious.

Let me ask this a different way.  What speaks against adding this
check in if, via an option, it can be disabled and remove the
performance hit that would be caused?

This is actually fixed in 1.5, unless I'm misunderstanding the issue. See the code for registerElementById() in [1].

public static void registerElementById(Element element, String idValue) {
    Document doc = element.getOwnerDocument();
    synchronized (docMap) {
        Map<String, WeakReference<Element>> elementMap = docMap.get(doc);
        if (elementMap == null) {
            elementMap = new WeakHashMap<String, WeakReference<Element>>();
            docMap.put(doc, elementMap);
            elementMap.put(idValue, new WeakReference<Element>(element));
        } else {
            WeakReference<Element> ref = elementMap.get(idValue);
            if (ref != null) {
                if (!ref.get().equals(element)) {
                    throw new IllegalArgumentException("ID is already registered");
                }
            } else {
                elementMap.put(idValue, new WeakReference<Element>(element));
            }
        }
    }
}

Note the lines where it checks if the ID is already registered, and throws an IllegalArgumentException.

--Sean

[1] http://svn.apache.org/viewvc/santuario/xml-security-java/tags/1.5.0-RC1/src/main/java/org/apache/xml/security/utils/IdResolver.java?view=markup
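The two checks discussed in this thread, the whole-document scan for duplicate IDs that Chad asks for and the register-time clash check that Sean points at in registerElementById(), written out as a small Python example. This is an added illustration, not code from Apache Santuario or WSS4J; the list of ID-bearing attribute names and the two sample documents are constructed for the example, and the real resolver's set of "known" namespaces differs.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Attribute names treated as element identifiers here. This is an assumption
# for the example; the real IdResolver keeps its own list of known namespaces.
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XML_NS = "http://www.w3.org/XML/1998/namespace"
ID_ATTRIBUTES = ("Id", "ID", "id", "{%s}Id" % WSU_NS, "{%s}id" % XML_NS)


class DuplicateIdError(ValueError):
    """Raised when two different elements claim the same ID value."""


class IdRegistry:
    """Same rule as the quoted registerElementById(): re-registering the same
    element under the same ID is fine, a different element under that ID is not."""

    def __init__(self) -> None:
        self._by_id: Dict[str, ET.Element] = {}

    def register(self, element: ET.Element, id_value: str) -> None:
        existing = self._by_id.get(id_value)
        if existing is not None and existing is not element:
            raise DuplicateIdError("ID is already registered: %r" % id_value)
        self._by_id[id_value] = element

    def resolve(self, id_value: str) -> ET.Element:
        return self._by_id[id_value]


def collect_ids(root: ET.Element) -> List[Tuple[str, ET.Element]]:
    """Walk the whole tree and return every (id value, element) pair carried
    by one of the ID_ATTRIBUTES names, in document order."""
    found: List[Tuple[str, ET.Element]] = []
    for el in root.iter():
        for attr in ID_ATTRIBUTES:
            if attr in el.attrib:
                found.append((el.attrib[attr], el))
    return found


def find_duplicate_ids(xml_text: str) -> List[str]:
    """Document-wide check: the sorted ID values used by more than one element.
    An element carrying the same value under two attribute names is not a clash."""
    root = ET.fromstring(xml_text)
    seen: Dict[str, ET.Element] = {}
    dupes = set()
    for value, el in collect_ids(root):
        if value in seen and seen[value] is not el:
            dupes.add(value)
        seen[value] = el
    return sorted(dupes)


def register_all(xml_text: str) -> IdRegistry:
    """Register-time check: the calling code finds the elements it wants and
    registers them before validation; the first clash raises, as in the Java."""
    root = ET.fromstring(xml_text)
    reg = IdRegistry()
    for value, el in collect_ids(root):
        reg.register(el, value)
    return reg


def registration_rejects(xml_text: str) -> bool:
    """True if registering the document's IDs hits a clash."""
    try:
        register_all(xml_text)
    except DuplicateIdError:
        return True
    return False


# Constructed sample documents. The second one reuses the Body's wsu:Id on a
# second element, which is exactly the condition both checks must refuse.
CLEAN_DOC = """<Envelope xmlns:wsu="%s">
  <Header><Security><Signature Id="Sig-1"/></Security></Header>
  <Body wsu:Id="Body-1"><Order>42</Order></Body>
</Envelope>""" % WSU_NS

DUPLICATE_ID_DOC = """<Envelope xmlns:wsu="%s">
  <Header>
    <Security><Signature Id="Sig-1"/></Security>
    <Wrapper><Body wsu:Id="Body-1"><Order>42</Order></Body></Wrapper>
  </Header>
  <Body wsu:Id="Body-1"><Order>99</Order></Body>
</Envelope>""" % WSU_NS

if __name__ == "__main__":
    print("clean:", find_duplicate_ids(CLEAN_DOC), registration_rejects(CLEAN_DOC))
    print("dup:  ", find_duplicate_ids(DUPLICATE_ID_DOC), registration_rejects(DUPLICATE_ID_DOC))
```

The document-wide scan is the "check by default" behaviour Chad argues for: it runs once over the parsed tree before any Reference is dereferenced, at the cost of a full traversal. The registry is the 1.5 model, where the caller registers only the elements it has chosen and a clash surfaces at registration rather than at lookup. One caveat on the quoted Java: it compares `ref.get().equals(element)`, and a WeakReference whose element has been collected returns null from `get()`; the Python registry holds strong references and so has no equivalent case.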
