On Thu, 2007-02-08 at 11:41 +0100, Thomas Diesler wrote:
Jason,
relates to:
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4012935#4012935
Amberpoint is having an issue where whitespace + comments are not
preserved in jbossws-1.0.0. Their thirdparty security fails because of
this. Isn't it true that for security processing a message needs to be
normalized? I assume that comments should be preserved in a normalized
message, right?
XML Signature performs XML Canonicalization which normalizes and
depending on the type strips comments. Note that the canonicalization
process does not actually alter the SOAP message, it just uses this to
build a byte array that the signature algorithm can be performed on.
We, along with most other WS-Security implementations I have seen,
exclude comments:
SignatureOperation.java:
transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
This value is actually declared in the message header. So, if another
party does not exclude comments, and does properly declare it
(#WithComments specified in header), then it should process correctly,
provided that it can see the comments in the SAAJ tree.
If both is true, they might only have an issue with 1.0.0 not preserving
comments.
Yes, if there is a SAAJ bug then security will fail.
-Jason