I've used both, out of necessity because the Apache version didn't exist yet. The real issue is the parser. xmlsec is libxml2-based, while Apache is Xerces-based. That should be the determining factor for most applications, IMHO. libxml2 and xmlsec are C-based, while the Apache/Xerces tools are C++-based.
I found xmlsec much harder to use with much more verbose code (mainly because it's in C), and it tried to do way too much for me in the area of certificate evaluation, something Apache leaves entirely to me. That alone put me off it. Neither was terrifically documented, but that's par for the course. I will say I haven't used the encryption support in either library. But xmlsec is more common (C is more common than C++) and seems to be more widely used. That's probably always going to be true of any C vs. C++ comparison. I looked at it from the point of view that if Berin (the main committer) dropped the project, I felt I could handle the Apache code base myself internally if I had to. I was in no way willing to do that with xmlsec. Just my thoughts.

-- Scott