Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
In the current version of the XMLSEC library, there are two distinct configuration classes:
- Generic Configuration (Class: org.apache.xml.security.Init):
- This class provides a set of default values, which are hardcoded.
- XML example (by default not used) is in file on location org/apache/xml/security/resource/config.xml
- Users have the option to override these defaults by specifying a classpath resource defined in system property
org.apache.xml.security.resource.config to define xml resource location - the file must be in classpath at init time and it can not be overridden after the Init class is initialized
- STAX Configuration (Class: org.apache.xml.security.stax.config.Init):
- The STAX configuration class utilizes an XML resource named /security-config.xml.
- The Initialization is triggered by static block in XMLSec.java class
- However, it is possible to reinitialize the settings by invoking org.apache.xml.security.stax.config.Init.init with a new resource.
Common structure of both XMLs
- /Configuration/TransformAlgorithms/TransformAlgorithm: (mapping URI to implementation class)
- /Configuration/JCEAlgorithmMappings/Algorithms/Algorithm: (Supported Algorithm definition and URI to JCE mapping)
- /Configuration/ResourceResolvers/Resolver: (mapping URI to implementation class)
Differences Between Generic-Init and STAX-Init Configurations:
- XML Namespace Expectations:
- The generic configuration expects the namespace: *http://www.xmlsecurity.org/NS/#configuration.* (Note the #)
- The STAX configuration, on the other hand, expects the namespace http://www.xmlsecurity.org/NS/configuration].
- Language Definition in XML:
- For the generic configuration, the scheme expects an element with the following attributes:
<ResourceBundles defaultLanguageCode="en" defaultCountryCode="US" /
-
- In contrast, the STAX configuration relies on XML properties:
<Property NAME="DefaultLanguageCode" VAL="en" /> <Property NAME="DefaultCountryCode" VAL="US" />
- The generic XML has additional elements (See the: org/apache/xml/security/resource/config.xml)
- /Configuration/CanonicalizationMethods/CanonicalizationMethod (mapping URI to implementaton class)
- /Configuration/SignatureAlgorithms/SignatureAlgorithm (mapping URI to implementation class)
- /Configuration/KeyResolver/Resolver (mapping URI to implementation class)
- /Configuration/PrefixMappings/PrefixMapping (XML default namespace prefix, and URI mapping )
- The Stax configuration has additional configiration elements
- Configuration/Properties/Property: for definig custom properties such as max transform count, max reference count etc..
- Configuration/SecurityHeaderHandlers/HandlerType Not used in code
- Parsing of the Init XML Configuration:
-
- The generic configuration (Generic-Init) uses the DOM (Document Object Model) with a custom implementation for element and attribute detection.
- The STAX configuration (Stax-Init) employs JAXB (Java Architecture for XML Binding) with a well-defined schema provided as a resource (/scheme/security-config.xsd).
The task aims to enhance transparency and clarity in configuration synchronization.
The scope of the task is to debate and define XMLSEC configuration more precisely, identify the configuration in use, outline a scheme for custom configuration, and explain how users can update the default settings. And add list of outdated algorithms.
Suggestion to implement.
- Define only one Init/Configuration class having best options from both approaches:
The class will be this: org.apache.xml.security.Init{} - The configuration is based XML and provided scheme (from STAX) where we can add missing elements
- Scheme can be used to validate the XML before parsing .
- For de-serializing properties with DOM approach from generic Init class).
- For setting custom properties users will have the option to override the defaults by specifying a class path resource or file which can be defined with system property
org.apache.xml.security.resource.config - Implement unitest that all current hardcoded/default configuration are also provided in XML configuration format.