
Thread: Problems with xml beans and xml security




2006-05-11 23:21:44

From: Pantvaidya, Vishwajit
Sent: Thursday, May 11, 2006 12:08 AM
To: 'userxmlbeans.apache.org'
Subject: Problems with xml beans and xml security

 

I am using an open source kit that embeds apache xml sec java 1.2.1 with xml beans version 1.0.x. The kit uses a different version of xml beans than we do – but the 2 xml beans versions do not seem to be too different. When we try to use the kit with our xml beans version I get the following exception at the line “XMLSignature sig = new XMLSignature(element, null);”. The moment I switch back to the original xml beans version, the error goes away. I have rebuilt most of the actual xml beans that came with the kit using our xml beans version – but the error persists:

org.apache.xml.security.c14n.InvalidCanonicalizerException: Unknown canonicalizer. No handler installed for URI
at org.apache.xml.security.c14n.Canonicalizer.<init>(Unknown Source)
at org.apache.xml.security.c14n.Canonicalizer.getInstance(Unknown Source)
at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)

 

I have debugged the code up to the point of the exception and I see that with both xml beans versions, the xml itself does have the canonicalizer uri – but the Element.getAttributeNS call returns null when our xml beans is used and then we get the exception.

 

In the code, the only link between the usage of xmlbeans and xmlsec seems to be when we construct a DOM from an XMLObject using XMLTokenSource.newDomNode(). Is it possible that something changed in the implementation of this method between the different xmlbean versions that I am trying with? Or is this a known dependency/problem between xml beans and xml sec or has anyone run into this before?

 

Thanks,

 

Vish.

 

 

 

Debugged this further - saw the following difference that seems to be responsible for this issue:

- With my xml beans version - the xmlbeans to dom conversion using xmlobject.newDomNode() results in the node having namespaceuri=""

- With the other xml beans version - the conversion results in the node having namespaceuri=null

So in SignedInfo.getCanonicalizationMethodURI, Element.getAttributeNS(null,"Algorithm") matches the null uri in the latter case and so it works.

I am thinking of changing the line in SignedInfo to Element.getAttributeNS("Algorithm") i.e. eliminate the null namespaceuri parameter - that works.

 

Does anyone remember whether there were any initialization changes between xmlbeans versions that could be leading to this issue?

 

 

Thanks,

 

Vish.
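
The mismatch described in this thread, reproduced as an added example that is not part of the original messages. It uses Python's xml.dom.minidom as a stand-in for the Java DOM, because minidom also keeps an empty-string namespace distinct from a null one; the function names and the urn:example values are hypothetical, and the element is constructed sample data.

```python
from xml.dom import minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"


def make_method(attr_ns, qname="Algorithm", value=C14N):
    """Constructed ds:CanonicalizationMethod element whose attribute is
    stored under the given namespace URI (None, "" or a real URI)."""
    doc = minidom.Document()
    elem = doc.createElementNS(DSIG_NS, "ds:CanonicalizationMethod")
    elem.setAttributeNS(attr_ns, qname, value)
    return elem


def strict_lookup(elem):
    """Lookup as quoted in the thread: exact match on a null namespace.
    minidom returns "" for a missing attribute, mapped to None here."""
    return elem.getAttributeNS(None, "Algorithm") or None


def tolerant_lookup(elem, local_name="Algorithm"):
    """Hypothetical helper: treat "" and None both as 'no namespace',
    but never accept an attribute that lives in a real namespace."""
    attrs = elem.attributes
    for i in range(attrs.length):
        attr = attrs.item(i)
        if attr.localName == local_name and attr.namespaceURI in (None, ""):
            return attr.value
    return None


if __name__ == "__main__":
    for ns in (None, ""):
        elem = make_method(ns)
        print(repr(ns), "strict:", strict_lookup(elem),
              "tolerant:", tolerant_lookup(elem))
    # An attribute in a foreign namespace must not be taken as the algorithm.
    foreign = make_method("urn:example:other", "x:Algorithm", "urn:example:bogus")
    print("foreign:", strict_lookup(foreign), tolerant_lookup(foreign))
```
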

 

 
