Raul, Sean,

using this technique destroys several of my testcases. The WSS spec defines a special transformation (SecurityTokenReference Transformation, STRTransform). This Transformation does not work when I use the proposed technique.

It seems that namespaces are missing, the trick I used to force an empty default namespace does not work in one testcase etc. This happens when I just copy an existing token from the input document to the output document using importNode and then run c14n on the new document. When using the "new" technique there are the above mentioned problems.

Regards,
Werner

Raul Benito wrote:
> You are right Sean.
> This is always the best way to handle references.
>
> Anyway I think that we need a FAQ or little article that summarises the
> XML signature best practices.
> I have tried to do this in the slides that I sent. But I don't think
> I managed to do a good job.
> But if anyone is interested in writing something about it, I promise
> to support her/him whatever I can.
>
> Regards,
>
> Raul
>
> On 9/22/05, Sean Mullan <[EMAIL PROTECTED]> wrote:
>
>> What version of XMLSec are you using?
>>
>> Also, don't return an XPath node-set of all the nodes of the element's
>> subtree. By doing this, you will not take advantage of the optimizations
>> in the XMLSec library when canonicalizing subtrees and it could also be
>> the reason you need to invoke circumventBug2650 (Raul will probably know
>> for sure). Instead return an XMLSignatureInput(element) and let the
>> XMLSec library handle the rest.
>>
>> --Sean
>>
>> Werner Dittmann wrote:
>>
>>> Raul,
>>>
>>> in WSS4J we do Signatures. During the Id resolver we call the circumvent
>>> method. AFAIK we do not use XPath to select the nodes to sign, just id
>>> references. After locating the element to sign the resolver constructs
>>> a node set of all nodes to sign. This node set of course includes
>>> all nodes (elements, attributes, text, ...).
>>>
>>> However, when I disable the call of the circumvent method I
>>> get problems in signature verification. Thus IMHO it is not so easy just
>>> to switch off the circumvent method.
>>> Thus if we don't use the circumvent method: is it possible that we do
>>> not get all required namespace attributes when building the node set?
>>>
>>> Regards,
>>> Werner
>>>
>>> Raul Benito wrote:
>>>
>>>> Don't use any xpath transformation. Select what you want to sign with:
>>>>
>>>> <Reference URI="#whatToSign">..</Reference>
>>>> <NodeToBeSigned id="whatToSign">..</NodeToBeSigned>
>>>>
>>>> In this way, the circumventBug2650 is not called (and several other
>>>> optimizations hit). And you can sign bigger documents.
>>>>
>>>> Using xpath transformation is always one order of magnitude slower.
>>>>
>>>> You can see some speed considerations from page 12, in this presentation:
>>>> http://r-bg.com/images/SecuringXMLDocuments.pdf
>>>>
>>>> Regards,
>>>>
>>>> Raul
>>>>
>>>> On 9/21/05, John Lanier <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> The circumventBug2650 function in XMLUtils takes up a
>>>>> significant amount of memory in adding Attributes to
>>>>> each node. Is there any effort underway to rewrite
>>>>> this in a more memory-friendly way?
>>>>>
>>>>> I am unable to sign XML documents larger than about
>>>>> 10MB using the current (1.2.x) code base. (Pentium
>>>>> III, 500MB Java heap size).
>>>>>
>>>>> Any pointers from anybody who worked around this bug
>>>>> or managed to sign larger XML docs?
>>>>>
>>>>> Thanks
>>>>> ~john
>>>>>
>>>>
>>>> --
>>>> http://r-bg.com
>>>>
>>>
>>
>
> --
> http://r-bg.com
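The Id-based reference Raul recommends (a `<Reference URI="#...">` resolved straight to the element, no XPath node-set, so circumventBug2650 never runs), written out as an added example that is not code from the thread, WSS4J or XMLSec; it assumes the Apache Santuario 2.x API, a constructed sample envelope and a throwaway RSA key.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Sign one element by Id reference (no XPath transform), then verify it. Assumes Santuario 2.x. */
public class IdReferenceSignature {
    // Constructed sample document; the Id attribute is what the Reference URI points at.
    static final String XML =
        "<env:Envelope xmlns:env='urn:example:env'>"
      + "<env:Body Id='body'><Order xmlns='urn:example:order'>42</Order></env:Body>"
      + "</env:Envelope>";

    public static void main(String[] args) throws Exception {
        Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(XML.getBytes("UTF-8")));

        // Register the attribute as a DOM ID so the library's fragment resolver finds "#body"
        // through Document.getElementById instead of a hand-built node set of the subtree.
        Element body = (Element) doc.getElementsByTagNameNS("urn:example:env", "Body").item(0);
        body.setIdAttribute("Id", true);

        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // test key only
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        doc.getDocumentElement().appendChild(sig.getElement());

        // Exclusive C14N as the only transform: subtree canonicalisation emits the namespaces
        // actually used (env:, the default) without materialising xmlns attributes on every node.
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#body", transforms, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());

        // Verify with the public key. A real verifier must additionally confirm that the element
        // the reference resolved to is the one it intends to trust, since Id lookup is by value.
        boolean ok = sig.checkSignatureValue(kp.getPublic());
        System.out.println("signature valid: " + ok);
    }
}
```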