Is there any reason why all org.apache.xml.security.** exceptions still use own "originalException" field to indicate a cause instead of a standard JDK mechanism? Since Throwable.getCause() returns null in this case, this complicates exception handling when a root cause needs to be determined.
Interestingly, this was fixed many years ago in r350797 and then rolled back (because a compatibility with JDK 1.3 was required, I guess). However, since the 1.5.0 release requires JDK 1.5, for me it seems logical to make some refactorings to get rid of this relic.