> I'll rephrase my question: How do I sign and verify Documents that I only
> have as Java objects, because they are retrieved via Java deserialisation? In
> particular, what is the BaseURI expected to be in such cases?
That depends on how the Signature relates to the content. Is it enveloped,
enveloping, or detached?
The BaseURI doesn't matter in enveloped or enveloping cases, only the URI in
the Reference element matters. The signature constructor takes a base URI, for
which I use an empty string to prevent anything inadvertent from happening. The
addDocument method creates References, and I use a fragment identifier there
("#foo"). If you don't use IDs, you'd use an empty string and then add XPath
other transforms.
> Sorry for all these questions and demand on your time, but XML Security
> needs more documentation, quite badly, I think.
These libraries just aren't set up for novices. Mine aren't either.
Documentation takes a lot of effort and not one person who has ever complained
about it ever donates any back, so that kind of says it all. At least there are
some samples here. That's more than I bother to do.
-- Scott
