You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by Wally Dennis <Wa...@hewitt.com> on 2008/03/28 18:06:05 UTC
XML Signature debugging
I am trying to enable debug logging on XML Signature creation/validation - I
have read Sean's blog entries here:
http://weblogs.java.net/blog/mullan/archive/2006/02/more_xml_signat_1.html
http://weblogs.java.net/blog/mullan/archive/2008/03/configuring_the.html#comment
s
and these do describe the type of logging I need, but unless I am missing
something (which is entirely possible), these won't work in my situation.
I am using xml-security in the context of Axis2/Rampart/WSS4J included inside
my J2EE application running on IBM Websphere 6.0 (JDK 1.4). We are using log4j
for all of our logging tasks. Based on the information in the blog posts, I
was able to locate the classes containing the logging statements, but when I
actually run my code, I never reference these classes. The logging statements
are in classes (ex: DigesterOutputStream) within the org.jcp.xml.dsig.internal
package, but my application is using classes in the
org.apache.xml.security.utils package.
Any ideas or assistance you can provide would be most appreciated.
Thanks.
Re: XML Signature debugging
Posted by Sean Mullan <Se...@Sun.COM>.
It should work. Try:
java -Djava.util.logging.config.file=logging.properties ...
where logging.properties contains:
handlers= java.util.logging.ConsoleHandler
.level= INFO
java.util.logging.ConsoleHandler.level = FINER
java.util.logging.ConsoleHandler.formatter =
java.util.logging.SimpleFormatter
org.jcp.xml.dsig.internal.level = FINER
org.apache.xml.security.level = FINER
--Sean
Wally Dennis wrote:
> I am trying to enable debug logging on XML Signature creation/validation - I
> have read Sean's blog entries here:
>
> http://weblogs.java.net/blog/mullan/archive/2006/02/more_xml_signat_1.html
> http://weblogs.java.net/blog/mullan/archive/2008/03/configuring_the.html#comment
> s
>
> and these do describe the type of logging I need, but unless I am missing
> something (which is entirely possible), these won't work in my situation.
>
> I am using xml-security in the context of Axis2/Rampart/WSS4J included inside
> my J2EE application running on IBM Websphere 6.0 (JDK 1.4). We are using log4j
> for all of our logging tasks. Based on the information in the blog posts, I
> was able to locate the classes containing the logging statements, but when I
> actually run my code, I never reference these classes. The logging statements
> are in classes (ex: DigesterOutputStream) within the org.jcp.xml.dsig.internal
> package, but my application is using classes in the
> org.apache.xml.security.utils package.
>
> Any ideas or assistance you can provide would be most appreciated.
>
> Thanks.
>
Re: XML Signature debugging
Posted by Sean Mullan <Se...@Sun.COM>.
Wally Dennis wrote:
>
> Thanks Sean - since I am a bit new to this, would I create the RFE in
> bugzilla?
Yes, just goto https://issues.apache.org/bugzilla/index.cgi and select
"Enter a new bug report" and file it under the security category. You
will need to first create a bugzilla account if you don't have one.
> Is there a way I can make the additions myself and submit
> them for validation/inclusion?
No, not unless you have commit access.
However, you can add the changed files to the bug report as attachments
or better yet, the output of the diff command so that they can easily be
integrated as patches.
--Sean
Re: XML Signature debugging
Posted by Wally Dennis <Wa...@hewitt.com>.
Thanks Sean - since I am a bit new to this, would I create the RFE in
bugzilla? Is there a way I can make the additions myself and submit them
for validation/inclusion?
"Sean Mullan" <Se...@Sun.COM>
Sent by: Sean.Mullan@Sun.COM
03/31/2008 11:16 AM
Please respond to
security-dev@xml.apache.org
To
security-dev@xml.apache.org
cc
Subject
Re: XML Signature debugging
Wally Dennis wrote:
>
> Thank you very much for the quick responses.
>
> No - I'm not getting any messages at all from the XML Security code. It
> appears as though the logging statements that exist in the JSR 105
> version do not exist in the Apache API.
Yes, the JSR 105 code path has more extensive logging support.
I suggest you file an RFE to add more logging support.
Thanks,
Sean
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
Re: XML Signature debugging
Posted by Sean Mullan <Se...@Sun.COM>.
Wally Dennis wrote:
>
> Thank you very much for the quick responses.
>
> No - I'm not getting any messages at all from the XML Security code. It
> appears as though the logging statements that exist in the JSR 105
> version do not exist in the Apache API.
Yes, the JSR 105 code path has more extensive logging support.
I suggest you file an RFE to add more logging support.
Thanks,
Sean
Re: XML Signature debugging
Posted by Wally Dennis <Wa...@hewitt.com>.
Thank you very much for the quick responses.
No - I'm not getting any messages at all from the XML Security code. It
appears as though the logging statements that exist in the JSR 105 version
do not exist in the Apache API. Unfortunately, I don't believe I have any
control over which version I am using since this is being called from
Apache WSS4J and Rampart. As I mentioned in my original post, I am using
this in the larger context of Apache Axis2 integrated into my application.
I can certainly add the logging I need to the Apache version, but unless
this logging is also added to the "official" version of the library, then
it will be lost if/when we apply any updates/fixes. It is also
interesting that what logging I do see in the Apache version of the API is
using the commons-logging framework instead the JDK logging.
For your reference, here are the corresponding code snippets from both
versions of the DigesterOutputStream class:
Non-standard:
/** @inheritDoc */
public void write(byte[] arg0, int arg1, int arg2) {
mda.update(arg0, arg1, arg2);
}
JSR 105:
/** @inheritDoc */
public void write(byte[] input, int offset, int len) {
if (buffer) {
bos.write(input, offset, len);
}
if (log.isLoggable(Level.FINER)) {
log.log(Level.FINER, "Pre-digested input:");
StringBuffer sb = new StringBuffer(len);
for (int i=offset; i<(offset+len); i++) {
sb.append((char) input[i]);
}
log.log(Level.FINER, sb.toString());
}
md.update(input, offset, len);
}
Thanks again.
"Sean Mullan" <Se...@Sun.COM>
Sent by: Sean.Mullan@Sun.COM
03/28/2008 03:34 PM
Please respond to
security-dev@xml.apache.org
To
security-dev@xml.apache.org
cc
Subject
Re: XML Signature debugging
Wally Dennis wrote:
>
> Update:
>
> I decided to try to enable the JDK Logging facility to run in parallel
> with Log4j, since in theory there should be no conflicts. However, when
> I follow the instructions contained in the blog postings for how to
> configure the logging, I still do not get any output. When I debug
> through the XML Security code, I am definitely calling the
> org.apache.xml.security.utils.DigesterOutputStream class instead of the
> org.jcp.xml.dsig.internal.DigesterOutputStream class. Am I missing
> something? The log statements are definitely not present in the former
> version of this class - should they be or is there a reason why
> WSS4J/Rampart is using the version without the logging capability?
There are 2 APIs in Apache XML Security: the standard JSR 105 API, and
the non-standard Apache XML Security API. Depending on which one you are
using, some of the code paths are different. For example, if you use JSR
105, the code in org.jcp.xml.dsig.internal will be used whereas it will
not be if you are using the Apache API. It sounds as if you are not
using JSR 105, thus you aren't getting the log messages from the
org.jcp.xml.dsig.internal classes. But you should be seeing some other
messages?
--Sean
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
Re: XML Signature debugging
Posted by Sean Mullan <Se...@Sun.COM>.
Wally Dennis wrote:
>
> Update:
>
> I decided to try to enable the JDK Logging facility to run in parallel
> with Log4j, since in theory there should be no conflicts. However, when
> I follow the instructions contained in the blog postings for how to
> configure the logging, I still do not get any output. When I debug
> through the XML Security code, I am definitely calling the
> org.apache.xml.security.utils.DigesterOutputStream class instead of the
> org.jcp.xml.dsig.internal.DigesterOutputStream class. Am I missing
> something? The log statements are definitely not present in the former
> version of this class - should they be or is there a reason why
> WSS4J/Rampart is using the version without the logging capability?
There are 2 APIs in Apache XML Security: the standard JSR 105 API, and
the non-standard Apache XML Security API. Depending on which one you are
using, some of the code paths are different. For example, if you use JSR
105, the code in org.jcp.xml.dsig.internal will be used whereas it will
not be if you are using the Apache API. It sounds as if you are not
using JSR 105, thus you aren't getting the log messages from the
org.jcp.xml.dsig.internal classes. But you should be seeing some other
messages?
--Sean
Re: XML Signature debugging
Posted by Wally Dennis <Wa...@Hewitt.com>.
Update:
I decided to try to enable the JDK Logging facility to run in parallel
with Log4j, since in theory there should be no conflicts. However, when I
follow the instructions contained in the blog postings for how to
configure the logging, I still do not get any output. When I debug
through the XML Security code, I am definitely calling the
org.apache.xml.security.utils.DigesterOutputStream class instead of the
org.jcp.xml.dsig.internal.DigesterOutputStream class. Am I missing
something? The log statements are definitely not present in the former
version of this class - should they be or is there a reason why
WSS4J/Rampart is using the version without the logging capability?
Thanks.
Wally Dennis/Atlanta/Hewitt Associates@Hewitt Associates NA
Sent by: news <ne...@ger.gmane.org>
03/28/2008 01:06 PM
Please respond to
security-dev@xml.apache.org
To
security-dev@xml.apache.org
cc
Subject
XML Signature debugging
I am trying to enable debug logging on XML Signature creation/validation -
I
have read Sean's blog entries here:
http://weblogs.java.net/blog/mullan/archive/2006/02/more_xml_signat_1.html
http://weblogs.java.net/blog/mullan/archive/2008/03/configuring_the.html#comment
s
and these do describe the type of logging I need, but unless I am missing
something (which is entirely possible), these won't work in my situation.
I am using xml-security in the context of Axis2/Rampart/WSS4J included
inside
my J2EE application running on IBM Websphere 6.0 (JDK 1.4). We are using
log4j
for all of our logging tasks. Based on the information in the blog posts,
I
was able to locate the classes containing the logging statements, but when
I
actually run my code, I never reference these classes. The logging
statements
are in classes (ex: DigesterOutputStream) within the
org.jcp.xml.dsig.internal
package, but my application is using classes in the
org.apache.xml.security.utils package.
Any ideas or assistance you can provide would be most appreciated.
Thanks.
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.