Hi Nathan,

I'm not aware of any way around the behaviours you described. With regards
to cacheReference, WSS4J needs to set this so that we can accurately verify
what was actually signed. Possibly this could be made more fine-grained in
Apache Santuario - to avoid caching when we have a stream of bytes as
opposed to a DOM element.

Colm.

On Thu, Nov 21, 2019 at 6:32 AM Nathan Clement <[email protected]> wrote:

> Hi,
>
> I'm wondering whether it's possible to use WSS4J with attachments without
> loading the attachment into memory. The
> org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform class
> uses mark and reset operations to allow the attachment content to be
> re-read. However in practice most streams (including FileInputStream) do
> not support the mark operation. This results in the attachment stream being
> wrapped in a BufferedInputStream, thus loading the full attachment content
> into memory.
>
> Another issue is that the
> org.apache.wss4j.dom.processor.SignatureProcessor sets
> "javax.xml.crypto.dsig.cacheReference" to true on the XMLValidateContext,
> which causes the attachment content to be loaded into memory.
>
> Is there any way to avoid the above behaviours? I was hoping to be able to
> process signed attachments without the full content being read into memory.
>
> Nathan

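The mark/reset buffering described in the thread can be observed with plain JDK streams. The following is an added example, not code from WSS4J, Santuario or either poster; the class names `MarkResetBuffering` and `ProbedBuffer` and the 4 MiB temp file are constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;

public class MarkResetBuffering {
    // Subclass only to expose the size of BufferedInputStream's protected buffer.
    static class ProbedBuffer extends BufferedInputStream {
        ProbedBuffer(InputStream in) { super(in); }
        int heldBytes() { return buf.length; }
    }

    // Read the stream to the end through SHA-256 using a small chunk buffer.
    static byte[] digest(InputStream in) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) != -1; ) md.update(chunk, 0, n);
        return md.digest();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample attachment: 4 MiB of zero bytes in a temp file.
        Path attachment = Files.createTempFile("attachment", ".bin");
        Files.write(attachment, new byte[4 * 1024 * 1024]);
        try {
            try (InputStream raw = new FileInputStream(attachment.toFile())) {
                System.out.println("FileInputStream.markSupported() = " + raw.markSupported());
                ProbedBuffer buffered = new ProbedBuffer(raw);
                buffered.mark(Integer.MAX_VALUE);   // permit reset() after any amount of data
                byte[] first = digest(buffered);
                // With a mark set, the buffer grows to retain everything read so far.
                System.out.println("buffer after marked read:   " + buffered.heldBytes() + " bytes");
                buffered.reset();                   // second pass is served from the in-memory copy
                boolean same = MessageDigest.isEqual(first, digest(buffered));
                System.out.println("re-read digest matches:     " + same);
            }
            try (InputStream raw = new FileInputStream(attachment.toFile())) {
                ProbedBuffer buffered = new ProbedBuffer(raw);
                digest(buffered);                   // single pass, no mark: buffer stays at default size
                System.out.println("buffer after unmarked read: " + buffered.heldBytes() + " bytes");
            }
        } finally {
            Files.delete(attachment);
        }
    }
}
```

The marked read ends with a buffer at least as large as the attachment, while the single-pass read keeps the default buffer size but cannot be re-read.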