Posted to dev@santuario.apache.org by Michael Bishop <bi...@gmail.com> on 2011/04/04 17:18:19 UTC

Internet connection while verifying local content?

Can someone shed some light as to why I can't successfully perform certain
functions without an Internet connection?  I'm doing two kinds of
validation.  The first is schema validation.  I use the Digital Signatures
XML Schema that's in the Santuario JAR.  The other is certificate validation
where I validate the certificate against the signed contents.  If the schema
is local, the certificate is local, and the content is local, what is trying
to connect to the Internet and causing a failure?

I can provide more detail (and may have to resort to running up something
like Wireshark), but I figured I'd ask here first to see if anyone knew what
to check right off the bat.

Thanks,

Michael

Re: Internet connection while verifying local content?

Posted by Michael Bishop <bi...@gmail.com>.
Excellent idea.  I went with the hosts option.  For those interested, I
found that while I was using the digital signature schema locally, it was
reaching out to the XMLSchema.dtd and datatypes.dtd online.  I made local
copies of those and created a custom EntityResolver.  Everything works fine.

On Mon, Apr 4, 2011 at 11:32 AM, Cantor, Scott E. <ca...@osu.edu> wrote:

> On 4/4/11 11:26 AM, "Michael Bishop" <bi...@gmail.com> wrote:
> >That sounds reasonable.  The only schema validation I'm doing is the
> >digital signature against the digital signature schema.  I'm using the
> >internal one (org.apache.xml.security.resource.schema) and that one
> >doesn't appear to link to other entities.  I assume I should still take
> >over entity resolution nonetheless?  Maybe it's still trying to generate
> >a call to the schema on the web?
>
> Easy enough to find out, you can set an /etc/hosts entry for the relevant
> host. (Or use Wireshark of course.)
>
> -- Scott
>
>
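
One way to write the kind of resolver described in the message above, as an added example that is not code from the thread or from Santuario: it serves XMLSchema.dtd and datatypes.dtd from a local directory and fails closed on any other external entity, so a missed reference shows up as a parse error instead of a network fetch. The class names, the temporary directory, the stand-in DTD content and the `example.invalid` URL are assumptions made for the demonstration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class OfflineEntityResolverDemo {
    /** Serves the two DTDs from a local directory; refuses every other external entity. */
    static final class LocalOnlyResolver implements EntityResolver {
        private static final Set<String> ALLOWED = Set.of("XMLSchema.dtd", "datatypes.dtd");
        private final Path dtdDir; // assumed location of the local copies
        LocalOnlyResolver(Path dtdDir) { this.dtdDir = dtdDir; }

        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
            String name = systemId == null ? "" : systemId.substring(systemId.lastIndexOf('/') + 1);
            if (!ALLOWED.contains(name)) {
                // Fail closed: returning null would let the parser open the URL itself.
                throw new SAXException("Refusing external entity: " + systemId);
            }
            // Hand back the local file under its own URI, so a relative reference
            // from XMLSchema.dtd to datatypes.dtd resolves to the same directory.
            return new InputSource(dtdDir.resolve(name).toUri().toString());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in; in real use the directory holds the saved W3C files.
        Path dir = Files.createTempDirectory("dtd");
        Files.writeString(dir.resolve("XMLSchema.dtd"), "<!ELEMENT schema ANY>");

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver(new LocalOnlyResolver(dir));

        String ok = "<!DOCTYPE schema SYSTEM \"http://www.w3.org/2001/XMLSchema.dtd\"><schema/>";
        String remote = "<!DOCTYPE x SYSTEM \"http://example.invalid/other.dtd\"><x/>";
        System.out.println(db.parse(new InputSource(new StringReader(ok))).getDocumentElement().getNodeName());
        try {
            db.parse(new InputSource(new StringReader(remote)));
        } catch (SAXException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```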

Re: Internet connection while verifying local content?

Posted by "Cantor, Scott E." <ca...@osu.edu>.
On 4/4/11 11:26 AM, "Michael Bishop" <bi...@gmail.com> wrote:
>That sounds reasonable.  The only schema validation I'm doing is the
>digital signature against the digital signature schema.  I'm using the
>internal one (org.apache.xml.security.resource.schema) and that one
>doesn't appear to link to other entities.  I assume I should still take
>over entity resolution nonetheless?  Maybe it's still trying to generate
>a call to the schema on the web?

Easy enough to find out, you can set an /etc/hosts entry for the relevant
host. (Or use Wireshark of course.)

-- Scott


Re: Internet connection while verifying local content?

Posted by Michael Bishop <bi...@gmail.com>.
That sounds reasonable.  The only schema validation I'm doing is the digital
signature against the digital signature schema.  I'm using the internal one
(org.apache.xml.security.resource.schema) and that one doesn't appear to
link to other entities.  I assume I should still take over entity resolution
nonetheless?  Maybe it's still trying to generate a call to the schema on
the web?

Michael

On Mon, Apr 4, 2011 at 11:21 AM, Cantor, Scott E. <ca...@osu.edu> wrote:

> On 4/4/11 11:18 AM, "Michael Bishop" <bi...@gmail.com> wrote:
> >Can someone shed some light as to why I can't successfully perform
> >certain functions without an Internet connection?  I'm doing two kinds of
> >validation.  The first is schema validation.
>
> Unless you override all entity resolution and/or use various non-normative
> (and somewhat insecure) hints for schema lookup, you'll often get remote
> schema fetches. XML Schema resolution is among the more broken parts of
> the XSD spec.
>
> -- Scott
>
>

Re: Internet connection while verifying local content?

Posted by "Cantor, Scott E." <ca...@osu.edu>.
On 4/4/11 11:18 AM, "Michael Bishop" <bi...@gmail.com> wrote:
>Can someone shed some light as to why I can't successfully perform
>certain functions without an Internet connection?  I'm doing two kinds of
>validation.  The first is schema validation.

Unless you override all entity resolution and/or use various non-normative
(and somewhat insecure) hints for schema lookup, you'll often get remote
schema fetches. XML Schema resolution is among the more broken parts of
the XSD spec.

-- Scott