http://xml.apache.org/http://www.apache.org/http://www.w3.org/

Home

Readme
FAQs
Download
Repository
Installation
Resolver-Mania
Interoperability

API Docs

History
Latest GUMP

Questions
 

Answers
 
Where's the archive for this list?
 

Currently, Gmane is archiving the mailing list. This service also makes the mailinglist reachable with a news reader.

If this service ever fails/stops, you can still use the ezmlm mailing list controller to recieve previous messages by email. Send an empty email to security-dev-help@xml.apache.org for detailed information on how to use this service


Where can I learn about XML?
 

There are plenty of resources on the web, just use any search engine. You might start at The XML FAQ or http://www.zvon.org/.


Where can I learn about XML Digital Signatures?
 

The best place to start is W3C XML-Signature Syntax and Processing. Links on XML security in general can be found on the XML Security Page.


Where can I learn about XML Encryption?
 

The best place to start is W3C XML Encryption Syntax and Processing. Links on XML security in general can be found on the XML Security Page


Where can I learn about Cryptography in general?
 

A lot of resources exist on the web, including the 'green bible' for cryptography: Handbook of Applied Cryptography. The Handbook of Applied Cryptography is completely online and it should satisfy most of your cryptographic hunger. Disadvantage of it is that it goes rather deep, so it isn't a executive overview or a "Learn XYZ in 21 days"-book


I have a Java-(security/cryptography) problem. Can you help me?
 

Go to the Java Technology Forums of Sun. You can find forums where you can ask questions like "How do I generate a keypair", etc.


I have a Java-XML problem.
 

Go to the Java Technology Forums of Sun, section Java Technology & XML and have a look at Apache Xerces2.


I'm using Crimson, but it throws Exceptions. Why?
 

Crimson is not supported at the moment. The main reason is that Crimson did not support the org.w3c.dom.traversal.TreeWalker interface in the past. Additionally, it does not support the org.apache.xerces.dom.DocumentImpl.putIdentifier(String ID, Element e) functionality where Xerces allows us to enable ID attributes during document generation.

Use Apache Xerces2 instead of Crimson.


What's up with the Bouncy Castle CSP? / Where is my CSP?
 

There is no JCE bundled together with this distribution. This is because the Apache Project web site is hosted in the US where some export restrictions apply to the cryptographic primitives.

The nice guys from the Legion of Bouncy Castle where so helpful to supply their JCE in a simple JAR package so that we can simply fetch it during the compilation process and put it into the libs/ directory. When you use the ant makefile build.xml and simply say ant compile or ant get-jce, ant tries to fetch this JAR from the australian server. After that step, the compilation works completely.

The ant make tools initiates an automated download of the BouncyCastle JCE. The file is downloaded into the libs/ directory and a "bc-" is prepended to the filename. This is done because we want the provider name (bc means BouncyCastle) being visible in the JAR's filename.

More information can be found in the Installation section.

NoteThe fact that we use Bouncy in this project does not mean that you must use it, it's only the default. If you take a look at the configuration src/org/apache/xml/security/resource/config.xml, you'll notice the sections which do integrate these alternative JCEs.

How do I enable/turn off logging?
 

2BDone


How do I use the package to generate and verify a signature?
 

Checkout the samples in src_samples/org/apache/xml/security/samples/signature/.

NoteThe samples divide into two groups: Samples that create and samples that verify Signatures. Eventually, you should adjust the verifying program to another filename if you get FileNotFoundExceptions.

What is the meaning of BaseURI?
 

When you work with URIs like "http://www.example.com/index.html", it is quite sure what you mean as this is an absolute URL, i.e. it is clear which protocol ise used to fetch which file from which server. When you use such a URL inside a signature, the software can automatically figure out what you sign. But when you sign something in your local file system or if you use a relative path like "../1.txt", it's not possible to understand this reference without some context. This context is the BaseURI. For instance, if you sign URI="../1.txt" and the BaseURI="file:///home/user/work/signature.xml", it is clear that the file BaseURI="file:///home/user/1.txt" is to be signed. But when you create the signature, the file BaseURI="file:///home/user/work/signature.xml" does not yet exist; therefore, you have to supply the URL where you intend to store the signature later (relative to the signed objects).

The String BaseURI is the systemID on which the Object will be stored in the future. This is needed to resolve relative links in the Reference elements which point to the filesystem or something similar.

Example: Imagine that you want to create a signature to store it on a web server as http://www.acme.com/signatures/sig1.xml. So BaseURI="http://www.acme.com/sig1.xml". This means that if you create a Reference with URI="../index.html", the library can easily use it's HTTPResourceResolver to fetch http://www.acme.com/index.html without that you have to say URI="http://www.acme.com/index.html".


I'm using JDK1.4.0
 

After SUN released the Java (TM) 2 Platform Standard Edition v1.4.0 , the xml-security package stopped working. This is a known problem: SUN packaged a beta of Xalan into the JDK1.4.0, but the xml-security package requires a stable version of Xalan (v2.2.0 or later). To fix the problem, you have to put the xalan.jar into a special directory in your JDK: j2sdk1.4.0/jre/lib/endorsed/xalan.jar. If you installed an out-of-the-box JDK1.4 (e.g. on Windows 2000), the "endorsed" directory does not exist: you'll have to create it by hand. Putting this JAR to another location like lib/ext WILL NOT WORK.

For more on that, you can also check the Unofficial JAXP FAQ .


Some unit tests fail: org.apache.xml.security.test.c14n.implementations.ExclusiveC14NInterop.test_Y4: junit.framework.AssertionFailedError: 8 26
 

The above message states that the references nr. 8 and 26 do fail. This is because you're using a buggy version of Xalan. These references contain the XPath expression

((count(ancestor-or-self::node()) mod 2) = 1)))

in the XPath. If you have a look at Bugzilla Bug 9575, count() returns wrong value on ancestor-or-self::node(), you see the bug report. Committed to CVS on 2002-07-25. Guess your Xalan is from before that date.




Copyright © 2001 The Apache Software Foundation. All Rights Reserved.