Posted to commits@santuario.apache.org by "sean.mullan (JIRA)" <ji...@apache.org> on 2015/01/05 18:41:35 UTC

[jira] [Commented] (SANTUARIO-411) configure MessageDigest Provider / add context property key constants

    [ https://issues.apache.org/jira/browse/SANTUARIO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14264807#comment-14264807 ] 

sean.mullan commented on SANTUARIO-411:
---------------------------------------

Andreas,

As far as the code itself, the patch looks fine. However, I would prefer if you used a context property to set the MessageDigest provider. The Santuario XML Security implementation is also used in the JDK. Depending on the JCEMapper class is problematic for a couple of reasons when using the JDK's implementation of the XML Signature API (JSR 105):

- It is in a package that is restricted by default. If your application is running with a Security Manager, it cannot access the JCEMapper class unless an "accessClassInPackage.{package name}" RuntimePermission is granted or the package.access security property is modified to remove the package.

- With the modularization work planned for JDK 9, these internal APIs will likely not be available by default, regardless of whether a SecurityManager is enabled or not. See the following requirement for more information: http://openjdk.java.net/projects/jigsaw/goals-reqs/03#limit-the-use-of-jdk-internal-apis

Also, I think defining a new message digest context property would also be more consistent with the existing signature provider context property.

Thanks,
Sean

> configure MessageDigest Provider / add context property key constants
> ---------------------------------------------------------------------
>
>                 Key: SANTUARIO-411
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-411
>             Project: Santuario
>          Issue Type: Improvement
>      Security Level: Public(Public issues, viewable by everyone) 
>          Components: Java
>    Affects Versions: Java 2.0.2
>            Reporter: Andreas Beeker
>            Assignee: sean.mullan
>            Priority: Minor
>         Attachments: patch-unify-digest-getter-and-context-key-constants.diff
>
>
> This is the patch as discussed on [1].
> Originally I wanted to provide another context property to specify the MessageDigest Provider. So I've checked how the other properties are set and saw that the key strings are scattered through the code. As a user I would prefer to use a constant, maybe having some attached javadoc to it, therefore I've moved the strings to constants in the appropriate classes [2].
> As MessageDigests are used also in other places, I've checked their creation and found the JceMapper class. So the patch centralized the MD creation in MessageDigestAlgorithm and now user code can overwrite the provider over JceMapper.setProviderID.
> Andi.
> [1] http://apache-xml-project.6118.n7.nabble.com/Custom-Security-Provider-for-DOMReference-td41569.html
> [2] http://stackoverflow.com/questions/66066/what-is-the-best-way-to-implement-constants-in-java



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)