When Oracle's xmlparserv2 is used along with the Axis WS client and WSS4J, the SOAPEnvelope generated after xmlsecurity processing is faulty. It puts the </#document> tag. I looked through xmlsecurity and found out the problem is in the method canonicalizeSubTree of org.apache.xml.security.c14n.implementations.CanonicalizerBase.java. After line #321 it doesn't check if the parentNode type is not Node.DOCUMENT_NODE and it appends in the writer. The check I added:
    ... after #321
    while (sibling==null && parentNode!=null) {
        if(parentNode.getNodeType() != Node.DOCUMENT_NODE) {
            writer.write(_END_TAG);
            UtfHelpper.writeByte(((Element) parentNode).getTagName(),writer,cache);
            writer.write('>');
        }
    .....
I need a test case for this bug. I am not sure I understand the problem or the fix. If the type of parentNode is Node.DOCUMENT_NODE, then this statement will throw a ClassCastException: UtfHelpper.writeByte(((Element)parentNode).getTagName(),writer,cache);
Created attachment 22545: Test case
Using Apache XML Security and the Oracle XML parser (xmlparserv2) to canonicalize a document generates a malformed document (it always ends with the tag </#document>). It works fine using Xerces instead of the Oracle XML parser. A simple test case is attached. The result of the test case is malformed XML:
    <NodeRoot><NodeTest></NodeTest></NodeRoot></#document>
Created attachment 23749: A patch for this issue.
I debugged through this test case and have come up with a patch. The reason there's a problem with the Oracle DOM implementation is that the Document implementation seems to also implement the Element interface, and so the line:
    if (!(parentNode instanceof Element)) {
in CanonicalizerBase doesn't get executed, even though "parentNode" is a document node, and hence the extra content "</#document>" gets output. The good news is that this can be easily fixed by examining the Node type of parentNode rather than using reflection, i.e.:
    if (parentNode == null || Node.ELEMENT_NODE != parentNode.getNodeType()) {
as the Node in question is a Document node, even if confusingly it's also an instanceof Element. I've confirmed that this fix works fine with the Oracle DOM implementation. The patch also replaces any other call to instanceof Element/Document in XML-Security - we should avoid using reflection when a simple API call will suffice for performance reasons.
Colm.
Patch applied. Colm.
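The difference between the two checks discussed in this thread, as an added example (not code from XML-Security or from the attached patch). The Proxy-based node that implements both Document and Element is a hypothetical stand-in for the Oracle DOM behaviour described above, and the class and method names are invented for the demo.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class NodeTypeCheckDemo {
    // Hypothetical stand-in for a DOM whose Document class also implements Element:
    // a proxy exposing both interfaces, backed by the JDK's own Document.
    static Node dualInterfaceDocument(Document real) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getName().equals("getTagName")) {
                return real.getNodeName(); // a Document's node name is "#document"
            }
            return method.invoke(real, args); // Node/Document methods go to the real document
        };
        return (Node) Proxy.newProxyInstance(NodeTypeCheckDemo.class.getClassLoader(),
                new Class<?>[] {Document.class, Element.class}, h);
    }

    // Simplified form of the original check: decides by Java interface.
    static String endTagInstanceof(Node parentNode) {
        if (!(parentNode instanceof Element)) {
            return ""; // top of the tree reached, nothing to close
        }
        return "</" + ((Element) parentNode).getTagName() + ">";
    }

    // Simplified form of the patched check: decides by DOM node type.
    static String endTagNodeType(Node parentNode) {
        if (parentNode == null || Node.ELEMENT_NODE != parentNode.getNodeType()) {
            return "";
        }
        return "</" + ((Element) parentNode).getTagName() + ">";
    }

    public static void main(String[] args) throws Exception {
        Document real = DocumentBuilderFactory.newInstance()
                .newDocumentBuilder().newDocument();
        Element root = real.createElement("NodeRoot"); // constructed sample element
        real.appendChild(root);
        Node doc = dualInterfaceDocument(real);
        System.out.println("element,  instanceof: [" + endTagInstanceof(root) + "]");
        System.out.println("element,  nodeType:   [" + endTagNodeType(root) + "]");
        System.out.println("document, instanceof: [" + endTagInstanceof(doc) + "]");
        System.out.println("document, nodeType:   [" + endTagNodeType(doc) + "]");
    }
}
```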