Posted to commits@santuario.apache.org by bu...@apache.org on 2013/11/05 13:23:37 UTC

svn commit: r885498 - in /websites/production/santuario/content: cache/main.pageCache faq.html

Author: buildbot
Date: Tue Nov  5 12:23:36 2013
New Revision: 885498

Log:
Production update by buildbot for santuario

Modified:
    websites/production/santuario/content/cache/main.pageCache
    websites/production/santuario/content/faq.html

Modified: websites/production/santuario/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/santuario/content/faq.html
==============================================================================
--- websites/production/santuario/content/faq.html (original)
+++ websites/production/santuario/content/faq.html Tue Nov  5 12:23:36 2013
@@ -190,7 +190,19 @@ Apache Santuario -- faq
 
 <p>This is solved by ExclC14N. ExclC14N takes extra information as input in which you can specify which of the ancestor's namespaces should be included.</p>
 
-<p>For more information on this topic, have a look at the C14N and ExclC14N sections of the <a shape="rect" class="external-link" href="http://www.w3c.org/Signature" rel="nofollow">W3C XMLDSig WG</a>.</p></div>
+<p>For more information on this topic, have a look at the C14N and ExclC14N sections of the <a shape="rect" class="external-link" href="http://www.w3c.org/Signature" rel="nofollow">W3C XMLDSig WG</a>.</p>
+
+<h3><a shape="rect" name="faq-4.SecureValidation"></a>4. Secure Validation</h3>
+
+<p>A new property has been added from the 1.5.0 release to enable "secure validation". This property is false by default. When set to true, it enforces the following processing rules:</p>
+
+<ul><li>Limits the number of Transforms per Reference to a maximum of 5.</li><li>Does not allow XSLT transforms.</li><li>Does not allow a RetrievalMethod to reference another RetrievalMethod.</li><li>Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).</li><li>Limits the number of references per Manifest (SignedInfo) to a maximum of 30.</li><li>MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.</li><li>Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.</li><li><b>1.5.6</b> Does not allow DTDs</li></ul>
+
+
+<p>This functionality is supported in the core library through additional method signatures which take a boolean, and in the JSR-105 API via the property "org.apache.jcp.xml.dsig.secureValidation, e.g.:</p>
+
+<p>XMLValidateContext context = new DOMValidateContext(key, elem);<br clear="none">
+context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE); </p></div>
            </div>
            <!-- Content -->
          </td>
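
Review bot: The property name in the added paragraph that introduces the JSR-105 usage is missing its closing quote: the text reads "org.apache.jcp.xml.dsig.secureValidation, e.g.: with no closing quotation mark, so the rendered FAQ shows an unbalanced quote right where readers will copy the property name. Close the quote after secureValidation. The two-line Java sample that follows is marked up as a <p> with a <br clear="none"> rather than as preformatted code; a pre or code element would keep the lines intact for copy and paste and would also drop the stray trailing space before </p>. In the rule list, the last item (<b>1.5.6</b> Does not allow DTDs) carries a version tag without saying it applies from that release onward and has no full stop, unlike the other items; wording it like the "from the 1.5.0 release" sentence above would make it clear which rules a given version enforces. Since the section states the property is false by default, it would also help to say explicitly that none of the listed restrictions apply unless the caller sets it to true, because that is the line readers validating untrusted signatures most need. The log message marks this as a buildbot production update, so these changes belong in the page source rather than in this generated file.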