Gerardo Nevárez Moorillón wrote:
Hello Torsten,
Besides Sean reply before (which is good!), maybe the issue is also
related to the application server your app is using. I'm still on Java5,
but I use the Metro WS Stack, and it includes XmlSec as well, so I faced
a similar problem (although related to classpath library order).
In Tomcat, there is also a endorsed folder, and I had to include the
xmlsec and CL libraries there as well. Maybe there is
a similar mechanism in your app server.
Sean, what is the right way to have these enhancement in Metro as well?
post an issue there?
Yes. Metro uses an optimized xmlsec stack that doesn't always use JSR
105 for XML Signature. I would submit an issue or an RFE to Metro.
Thanks,
Sean
Gerardo
On Tue, Sep 8, 2009 at 9:28 AM, <torsten.reinh...@gi-de.com
<mailto:torsten.reinh...@gi-de.com>> wrote:
Hi Sean and all others,
JDK6u16 is out now since a while, but I still get
_java.lang.RuntimeException_: _javax.xml.crypto.MarshalException_:
unsupported signature algorithm:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
=> Are the stronger algorithms SHA256-RSA re-targeted to another
Update of JDK6 ?
Please let me know, if there is any solution in sight, or any other
workaround,
since I can´t use the endorsed mechanism due to a lot of
side-effects for others.....
thanx, Torsten
*Sean Mullan <sean.mul...@sun.com>*
Gesendet von: sean.mul...@sun.com
27.05.2009 20:37
Bitte antworten an
security-dev@xml.apache.org <mailto:security-dev@xml.apache.org>
An
security-dev@xml.apache.org <mailto:security-dev@xml.apache.org>
Kopie
Thema
Re: JDK6 and xmlsec-1.4.2 issue (unsupported signature algorithm)
torsten.reinh...@gi-de.com <mailto:torsten.reinh...@gi-de.com> wrote:
>
> Hi,
>
> I migrated my application from JDK5 (with external
xmlsec-1.4.2.jar) to
> JDK6 (where xmlsec is included now).
>
> After that I got
> javax.xml.crypto.MarshalException: unsupported signature algorithm:
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
> at
>
org.jcp.xml.dsig.internal.dom.DOMSignatureMethod.unmarshal(DOMSignatureMethod.java:86)
> at
>
org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(DOMSignedInfo.java:122)
> at
>
org.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(DOMXMLSignature.java:119)
> at
>
org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(DOMXMLSignatureFactory.java:152)
> at
>
org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(DOMXMLSignatureFactory.java:116)
>
> so I tried the lib\endorsed workaround, and put xmlsec-1.4.2 and
> commons-logging into that folder.
> That worked fine for me - but not for my collegues.
>
> They than run into "NoClassDefFoundError" from different points -
one
> were missing the Log4J Logger class implementation (could be
resolved by
> putting log4j.jar to lib\endorsed), the others had trouble with
WSS4J
> and so on.
>
> I wouldn´t like to put all our libraries in the lib\endorsed
folder - is
> there another way to use xmlsec-1.4.2 in JDK6.0 ?
> Is there a plan to include xmlsec-1.4.2 in one of the next JDK
patches
> (>=1.6.0_14) ?
We don't have plans to integrate the entire xmlsec-1.4.2 in Sun's
JDK 6.
XMLSec 1.4.2 is already in JDK 7 (via OpenJDK:
https://jdk7.dev.java.net/). However, I have just opened an RFE to add
support for the stronger SHA256-RSA and SHA512-RSA algorithms and
targeted it to JDK 6u16. In the meantime the only workaround I know is
to use the endorsed libraries mechanism.
--Sean
