You are right, Sean. This is always the best way to handle references. Anyway, I think that we need a FAQ or a little article that summarizes the XML signature best practices. I have tried to do this in the slides that I sent, but I don't think I managed to do a good job. But if anyone is interested in writing something about it, I promise to support her/him however I can.
Regards,

Raul

On 9/22/05, Sean Mullan <[EMAIL PROTECTED]> wrote:
> What version of XMLSec are you using?
>
> Also, don't return an XPath node-set of all the nodes of the element's
> subtree. By doing this, you will not take advantage of the optimizations
> in the XMLSec library when canonicalizing subtrees and it could also be
> the reason you need to invoke circumventBug2650 (Raul will probably know
> for sure). Instead return an XMLSignatureInput(element) and let the
> XMLSec library handle the rest.
>
> --Sean
>
> Werner Dittmann wrote:
> > Raul,
> >
> > in WSS4J we do Signatures. During the Id resolver we call the circumvent
> > method. AFAIK we do not use XPath to select the nodes to sign, just id
> > references. After locating the element to sign the resolver constructs
> > a node set of all nodes to sign. This node set of course includes
> > all nodes (elements, attributes, text, ...).
> >
> > However, when I disable the call of the circumvent method I
> > get problems in signature verification. Thus IMHO it is not so easy just
> > to switch off the circumvent method.
> > Thus if we don't use the circumvent method: is it possible that we do
> > not get all required namespace attributes when building the node set?
> >
> > Regards,
> > Werner
> >
> > Raul Benito wrote:
> >
> >>Don't use any xpath transformation. Select what you want to sign with:
> >>
> >> <Reference URI="#whatToSign">..</Reference>
> >><NodeToBeSigned id="whatToSign">..</NodeToBeSigned>
> >>
> >>In this way, the circumventBug2650 is not called (and other several
> >>optimizations hit). And you can sign bigger documents.
> >>
> >>Using xpath transformation is always one order of magnitude slower.
> >>
> >>You can see some speed considerations from page 12, in this presentation:
> >>http://r-bg.com/images/SecuringXMLDocuments.pdf
> >>
> >>Regards,
> >>
> >>Raul
> >>
> >>On 9/21/05, John Lanier <[EMAIL PROTECTED]> wrote:
> >>
> >>>Hi,
> >>>
> >>>The circumventBug2650 function in XMLUtils takes up a
> >>>significant amount of memory in adding Attributes to
> >>>each node. Is there any effort underway to rewrite
> >>>this in a more memory-friendly way?
> >>>
> >>>I am unable to sign XML documents larger than about
> >>>10MB using the current (1.2.x) code base. (Pentium
> >>>III, 500MB Java heap size).
> >>>
> >>>Any pointers from anybody who worked around this bug
> >>>or managed to sign larger XML docs?
> >>>
> >>>Thanks
> >>>~john
> >>
> >>--
> >>http://r-bg.com

--
http://r-bg.com
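
The resolver pattern discussed in this thread, as an added example that is not part of the original messages and is not WSS4J or XMLSec project code. It assumes the 1.x-era ResourceResolverSpi signatures (engineCanResolve/engineResolve taking an Attr and a base URI; later releases changed them), that setExcludeComments is available in the release in use, and that the id attribute has been registered as a DOM ID (for example with Element.setIdAttribute); the class name SubtreeIdResolver is hypothetical.

```java
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.resolver.ResourceResolverException;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Hypothetical resolver for same-document references such as URI="#whatToSign".
 * It hands the library the located element itself instead of a hand-built
 * node set of every element, attribute and text node in the subtree.
 */
public class SubtreeIdResolver extends ResourceResolverSpi {

    private final Document doc;

    public SubtreeIdResolver(Document doc) {
        this.doc = doc;
    }

    // Only claim fragment-only URIs ("#someId"); leave everything else
    // to the other registered resolvers.
    public boolean engineCanResolve(Attr uri, String baseURI) {
        String value = (uri == null) ? null : uri.getNodeValue();
        return value != null && value.length() > 1 && value.charAt(0) == '#';
    }

    public XMLSignatureInput engineResolve(Attr uri, String baseURI)
            throws ResourceResolverException {
        String id = uri.getNodeValue().substring(1);

        // Assumption: the "id" attribute was registered as an ID on the
        // target element, otherwise getElementById returns null.
        Element target = doc.getElementById(id);
        if (target == null) {
            Object[] exArgs = { id };
            throw new ResourceResolverException(
                "signature.Verification.MissingID", exArgs, uri, baseURI);
        }

        // Subtree input: the canonicalizer walks the element directly, so no
        // per-node namespace attributes have to be materialized beforehand
        // (the memory cost attributed to circumventBug2650 in this thread).
        XMLSignatureInput input = new XMLSignatureInput(target);
        input.setExcludeComments(true); // "#id" references exclude comments
        input.setMIMEType("text/xml");
        return input;
    }
}
```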