[jdom-interest] XML Signature

David Wall d.wall at computer.org
Fri Sep 17 08:42:36 PDT 2004


> Mainly for the purpose of learning the Java Security API, I have
> experimented with implementing XML Signature for JDOM. I really do
> not have very much in terms of code at this point, but I have done some
> initial "feasibility" analysis. Producing a limited set of signatures
> is possible, e.g. an enveloped signature with a single empty reference
> or a detached signature with one or more external references without
> complicated transforms.

That would be wonderful in my opinion.  The more I can do with JDOM and not
have to resort to DOM for processing XML the better!


> Also, I don't trust Jaxen for the advanced XPath stuff that XML Signature
> is employing, but instead rely on saxon, which can handle JDOM trees.

My understanding is that the XPath with XML DSIG isn't even a true use of
XPath, so you may find that no XPath solution really works for you.  I'm not
sure exactly what this all means, but it seems that the XPath isn't for
traversing the XML, but for applying a test to each node as it's processed.


> So, what is the interest of such a beast? Is it worthwhile to
> continue with this and perhaps produce a working solution?

I think so, but then I wouldn't be able to directly contribute, though I'd
be happy to test.  In my own world, I only need pretty basic enveloped
signatures (for wrapping XML deployment info to ensure that nothing has been
tampered with -- probably doing an XML DSIG over the entire XML doc -- 
starting with the root node), and detached signatures that can point to
several XML elements (some of which are simple elements, and others that are
complex and contain additional nested elements).

The question, though, is do we really need it since there's a JSR for
standard Java APIs for DSIG?  Is there a true benefit for having it work
directly within JDOM?  Can the API be truly simplified to handle 80+% of the
XML DSIG needs?  Or should we just get a DOM from JDOM and pass it into the
standard DSIG APIs?

Thanks,
David


