When I sign or open a signed XML document, I see the following warning messages:
.... Apr 27, 2004 3:40:53 PM org.apache.xml.security.utils.IdResolver getElementById WARNING: Found an Element using an insecure Id/ID/id search method: claim:MemberID ...
What does that mean exactly?
Somewhere in your code you have a reference to a particular ID, but it's not always possible to see what attributes are of type ID. To make it easier to program we have included an IDResolver that instead tries to guess what you want by trying to find attributes called Id/ID/id. This is potentially insecure as someone could introduce XML that would be picked instead, changing the XML you tried to sign. It's then possible that when you verify the signature you verify the copy of the XML. Then there is the risk that you take the modified XML and use that instead.
A little bit fabricated, but potentially insecure, depending on how you use the library.
The preferred way would be to use a custom Resolver. See the examples ;)
Erwin
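As an added example (not part of Erwin's reply or of the library's own documentation), the Java snippet below shows the defensive side of the point above: it tells the DOM which attribute is the real ID so IdResolver resolves the reference through getElementById instead of guessing among Id/ID/id, and it hands the application the element the verified reference actually covered rather than looking the ID up a second time. The namespace urn:example:claim, the element name Member, and the file path are assumptions.

```java
import java.io.FileInputStream;
import java.security.Key;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;

public class VerifyWithExplicitId {
    // Assumed namespace for the "claim" prefix seen in the warning message.
    static final String CLAIM_NS = "urn:example:claim";

    /** Returns the signed claim:Member element, or null if verification fails. */
    public static Element verifyAndGetSignedMember(String path, Key key) throws Exception {
        Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(path));

        // Declare claim:MemberID as a DOM ID attribute on every claim:Member element.
        // IdResolver then resolves "#..." through getElementById and stops guessing
        // among Id/ID/id attributes, which is what triggers the warning.
        NodeList members = doc.getElementsByTagNameNS(CLAIM_NS, "Member");
        for (int i = 0; i < members.getLength(); i++) {
            ((Element) members.item(i)).setIdAttributeNS(CLAIM_NS, "MemberID", true);
        }

        Element sigEl = (Element) doc.getElementsByTagNameNS(
                Constants.SignatureSpecNS, "Signature").item(0);
        XMLSignature sig = new XMLSignature(sigEl, path);
        if (!sig.checkSignatureValue(key)) {
            return null;
        }

        // Use the node the verified Reference actually covered, instead of
        // searching the document again for a MemberID: a second lookup could
        // return an unsigned copy carrying the same ID.
        Reference ref = sig.getSignedInfo().item(0);
        Node signed = ref.getContentsBeforeTransformation().getSubNode();
        if (signed instanceof Element
                && CLAIM_NS.equals(signed.getNamespaceURI())
                && "Member".equals(signed.getLocalName())) {
            return (Element) signed;
        }
        return null;
    }
}
```

The application should consume only the element this method returns; anything else in the document with a matching MemberID is outside what the signature proves.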