I am using xmlsec-1.4.3. I am working on a KeyResolver to return the Key Encryption Key needed by the decryptor. I can write a global KeyResolver and register it in the config file or through KeyResolver.register(). I can also register an internal KeyResolver directly on the KeyInfo instance using KeyInfo.registerInternalKeyResolver().
Our users can define multiple web services with different security parameters. Registering the KeyResolvers globally will not work because all KeyResolvers will be called by all web services. Registering and unregistering KeyResolvers constantly is not thread-safe unless we serialize all calls. We don't want to use ClassLoaders to load the xml-sec library more than once.
Registering an internal KeyResolver on the KeyInfo is more promising, but the decryptor makes this hard. The decryptor calls the KeyInfo constructor directly instead of going through the XMLCipher factory. Even if it called the factory, the factory is declared private and it cannot be subclassed. The KeyInfo constructed is used immediately. There is no possibility to retrieve it and add a KeyResolver. I could duplicate decryptElement() in my application but that is a last resort. It would solve the problem for my application but the problem would remain for others.
Is it possible to do what I want without changing the Apache XML Security source code? If not, a nice solution would be to introduce Internal KeyResolvers on XMLCipher in addition to KeyInfo. Exposing the XMLCipher Factory is another option but it's not clear how much should be part of the public API. I can contribute to a solution if the committers are interested.