Questions about xml-security-1.4.2 and Java 1.6

[dan costelloe <da...@gmail.com>]

Greetings,

I've recently been tinkering with xml-security-1.4.2 and the experience so far
has left me with some questions. Perhaps someone on this list may be able to
shed some light:

1) (Sun) Java 1.6 seems to already contain an xml-security implementation. Which
version of the implementation is this?

2a) Is it possible to use the xml-security-1.4.2 classes in a java application
so that the 1.4.2 classes take a higher preference than those in rt.jar? If so,
can this be done without using the -Xbootclasspath argument to the JVM?

2b) Can it be done without the removal of the xml-security classes from rt.jar?
  

Any information on the above would be much appreciated. Many thanks,


dan

Re: Questions about xml-security-1.4.2 and Java 1.6

[Sean Mullan <Se...@Sun.COM>]

Yes, good suggestion, I'll add something.

--Sean

Raul Benito wrote:
> It seems a nice question & answers for our faq...
> 
> On Tue, Aug 19, 2008 at 6:30 PM, dan costelloe <da...@gmail.com> wrote:
>> Many thanks for your suggestions Sean.
>> I will give them a try.
>>
>> Regards,
>> dan
>>
>>
>>
>>
>>

Re: Questions about xml-security-1.4.2 and Java 1.6

[Raul Benito <ra...@apache.org>]

It seems a nice question & answers for our faq...

On Tue, Aug 19, 2008 at 6:30 PM, dan costelloe <da...@gmail.com> wrote:
>
> Many thanks for your suggestions Sean.
> I will give them a try.
>
> Regards,
> dan
>
>
>
>
>

Re: Questions about xml-security-1.4.2 and Java 1.6

[dan costelloe <da...@gmail.com>]

Many thanks for your suggestions Sean. 
I will give them a try.

Regards,
dan

Re: Questions about xml-security-1.4.2 and Java 1.6

[Sean Mullan <Se...@Sun.COM>]

dan costelloe wrote:
> Thanks for that Sean. You have lead me to a followup (inline):
> 
> Sean Mullan <Sean.Mullan <at> Sun.COM> writes:
> 
>> dan costelloe wrote:
>>> [snip]
>>> 2a) Is it possible to use the xml-security-1.4.2 classes in a java
>>> application so that the 1.4.2 classes take a higher preference than 
>>> those in rt.jar? If so, can this be done without using 
>>> the -Xbootclasspath argument to the JVM?
>> Yes, place xmlsec.jar in the endorsed standards directory [1]. You will 
>> also need to put the Apache commons logging jar [2] there as well, since 
>> the Apache code uses a different logging mechanism than the JDK.
>>
> 
> I suppose my question should have included 2c: 
> 
> Can it be done *without* using the endorsed standards directory? 
> 
> (I would like to be able to use an unmodified JRE with xmlsec 1.4.2, 
> if possible)

Well you can set the java.endorsed.dirs property to another directory if 
that helps.

Are you ok with modifying the xmlsec classes? If so, you could rename 
all of the org.jcp classes (to something like org.apache.jcp ...) and 
then instantiate your XMLSignatureFactory as:

XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", new 
org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI());

which should use the xmlsec 1.4.2 classes for everything except the 
javax.xml.crypto classes, which shouldn't really be necessary to override.

--Sean

Re: Questions about xml-security-1.4.2 and Java 1.6

[dan costelloe <da...@gmail.com>]

Thanks for that Sean. You have lead me to a followup (inline):

Sean Mullan <Sean.Mullan <at> Sun.COM> writes:

> 
> dan costelloe wrote:
> > [snip]
> > 2a) Is it possible to use the xml-security-1.4.2 classes in a java
> > application so that the 1.4.2 classes take a higher preference than 
> > those in rt.jar? If so, can this be done without using 
> > the -Xbootclasspath argument to the JVM?
> 
> Yes, place xmlsec.jar in the endorsed standards directory [1]. You will 
> also need to put the Apache commons logging jar [2] there as well, since 
> the Apache code uses a different logging mechanism than the JDK.
> 

I suppose my question should have included 2c: 

Can it be done *without* using the endorsed standards directory? 

(I would like to be able to use an unmodified JRE with xmlsec 1.4.2, 
if possible)

> > [snip]
> 
> --Sean
> 
> 1: http://java.sun.com/javase/6/docs/technotes/guides/standards/index.html
> 2: http://commons.apache.org/logging/
> 
> 

Regards,
dan

Re: Questions about xml-security-1.4.2 and Java 1.6

["Peter B. West" <li...@pbw.id.au>]

Sean, you mention that JDK6 include 1.3.1 + bug fixes. Where can I get hold
of the source as included in 1.6?

Peter
 

sean.mullan wrote:
> 
> dan costelloe wrote:
>> Greetings,
>> 
>> I've recently been tinkering with xml-security-1.4.2 and the experience
>> so far
>> has left me with some questions. Perhaps someone on this list may be able
>> to
>> shed some light:
>> 
>> 1) (Sun) Java 1.6 seems to already contain an xml-security
>> implementation. Which
>> version of the implementation is this?
> 
> Yes, v 1.3.1 (plus a few important bug fixes).
> 
>> 2a) Is it possible to use the xml-security-1.4.2 classes in a java
>> application
>> so that the 1.4.2 classes take a higher preference than those in rt.jar?
>> If so,
>> can this be done without using the -Xbootclasspath argument to the JVM?
> 
> Yes, place xmlsec.jar in the endorsed standards directory [1]. You will 
> also need to put the Apache commons logging jar [2] there as well, since 
> the Apache code uses a different logging mechanism than the JDK.
> 
>> 2b) Can it be done without the removal of the xml-security classes from
>> rt.jar?
> 
> Yes, see above.
> 
> --Sean
> 
> 1: http://java.sun.com/javase/6/docs/technotes/guides/standards/index.html
> 2: http://commons.apache.org/logging/
> 
> 

-- 
View this message in context: http://www.nabble.com/Questions-about-xml-security-1.4.2-and-Java-1.6-tp19051625p19753497.html
Sent from the Apache XML - Security - Dev mailing list archive at Nabble.com.

Re: Questions about xml-security-1.4.2 and Java 1.6

[Sean Mullan <Se...@Sun.COM>]

dan costelloe wrote:
> Greetings,
> 
> I've recently been tinkering with xml-security-1.4.2 and the experience so far
> has left me with some questions. Perhaps someone on this list may be able to
> shed some light:
> 
> 1) (Sun) Java 1.6 seems to already contain an xml-security implementation. Which
> version of the implementation is this?

Yes, v 1.3.1 (plus a few important bug fixes).

> 2a) Is it possible to use the xml-security-1.4.2 classes in a java application
> so that the 1.4.2 classes take a higher preference than those in rt.jar? If so,
> can this be done without using the -Xbootclasspath argument to the JVM?

Yes, place xmlsec.jar in the endorsed standards directory [1]. You will 
also need to put the Apache commons logging jar [2] there as well, since 
the Apache code uses a different logging mechanism than the JDK.

> 2b) Can it be done without the removal of the xml-security classes from rt.jar?

Yes, see above.

--Sean

1: http://java.sun.com/javase/6/docs/technotes/guides/standards/index.html
2: http://commons.apache.org/logging/