[jira] [Commented] (WSS-715) Set com.sun.org.apache.xml.internal.security.ignoreLineBreaks to the JDK provider

Mon, 27 Jan 2025 11:01:10 -0800 


    [ 
https://issues.apache.org/jira/browse/WSS-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17921511#comment-17921511
 ] 

Piotr Karwasz commented on WSS-715:
-----------------------------------

My 2 cents:

Setting the "com.sun.org.apache.xml.internal.security.ignoreLineBreaks" Java 
system property would cause a race condition in the initialization of the 
embedded {{{}XMLSignatureFactory{}}}. If an application {{A}} only uses the XML 
Digital Signature API, while an application B uses WSS4J, the presence or 
absence of new lines in XML signature will depend on the start order of the two 
applications. If {{A}} starts first, signatures will have new lines, if {{B}} 
starts first, signatures will not have new lines.

Setting "org.apache.xml.security.ignoreLineBreaks" causes similar problems, 
since Java system properties are global. However, since each application can 
have its own copy of Apache XML Security, application {{B}} will always ignore 
line breaks. As for application {{A}}, its line breaks setting will depend, 
whether it starts before (line breaks) or after (no line breaks) application 
{{B}}.

> Set com.sun.org.apache.xml.internal.security.ignoreLineBreaks to the JDK 
> provider
> ---------------------------------------------------------------------------------
>
>                 Key: WSS-715
>                 URL: https://issues.apache.org/jira/browse/WSS-715
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 2.3.4, 2.4.3, 3.0.4
>            Reporter: Jim Ma
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 2.3.5, 4.0.0, 2.4.4, 3.0.5
>
>
> After https://issues.apache.org/jira/browse/WSS-661,the Provider like
> org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactor will be inserted 
> after
> org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory from JDK, hence the 
> "com.sun.org.apache.xml.internal.security.ignoreLineBreaks" property should 
> be set explicitly as this JDK Provider will be selected.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org

Reply via email to