camel-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Franz Forsthofer (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache Camel > XML Security component
Date Wed, 09 Oct 2013 08:22:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/de/2176/1/1/_/styles/combined.css?spaceKey=CAMEL&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CAMEL/XML+Security+component">XML
Security component</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~forsthofer">Franz
Forsthofer</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >| transformMethods | List&lt;javax.xml.crypto.AlgorithmMethod&gt;
| see description | Transforms which are executed on the message body before the digest is
calculated. By default, C14n is added and in the case of enveloped signature (see option {{parentLocalName}})
also [http://www.w3.org/2000/09/xmldsig#enveloped-signature] is added at position 0 of the
list. Use methods in [XmlSignatureHelper|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java]
to create the transform methods. | <br>| prefixForXmlSignatureNamespace | String | {{ds}}
| Prefix for the XML signature namespace. If {{null}} is specified or an empty string then
no prefix is used for the signature namespace. | <br></td></tr>
            <tr><td class="diff-changed-lines" >| contentReferenceUri | String
| see description | The URI of the reference to the signed content (in-message body). If {{null}}
and we are in the enveloped XML signature case then the URI is set to &quot;&quot;.
If {{null}} and we are in the enveloping XML signature case then the URI is set to &quot;generated_object_id&quot;
which means that the reference points to the Object element containing the in-message body.
You can use this option to reference a specific part in your in-message body if you do not
want to sign the complete in-message body. This value can be overwritten by the header &quot;CamelXmlSignatureContentReferenceUri&quot;.
<span class="diff-added-words"style="background-color: #dfd;">Please be aware, if you
want to use a value of an XML ID attribute (example: &quot;#ID_value&quot;), then
you must provide the information about the ID attribute via a doctype definition contained
in the input XML document.</span> | <br></td></tr>
            <tr><td class="diff-unchanged" >| contentReferenceType | String |
null | Value of the type attribute of the content reference. This value can be overwritten
by the header &quot;CamelXmlSignatureContentReferenceType&quot; | <br>| plainText
| Boolean | Boolean.FALSE | Indicator whether the in-message body contains plain text. Normally,
the signature generator treats the incoming message body as XML. If the message body is plain
text, then you must set this option to {{true}}. The value can be overwritten by the header
&quot;CamelXmlSignatureMessageIsPlainText&quot;. | <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="XMLSecuritycomponent-XMLSecuritycomponent"></a>XML
Security component</h2>

<p><b>Available as of Camel 2.12.0</b></p>

<p>With this Apache Camel component, you can generate and validate XML signatures as
described in the W3C standard <a href="http://www.w3.org/TR/xmldsig-core/" class="external-link"
rel="nofollow">XML Signature Syntax and Processing</a> or as described in the successor
<a href="http://www.w3.org/TR/xmldsig-core1/" class="external-link" rel="nofollow">version
1.1</a>. For XML Encryption support, please refer to the XML Security <a href="/confluence/display/CAMEL/Data+Format"
title="Data Format">Data Format</a>.</p>

<p>You can find an introduction to XML signature <a href="http://www.oracle.com/technetwork/articles/javase/dig-signatures-141823.html"
class="external-link" rel="nofollow">here</a>. The implementation of the component
is based on <a href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/xmldsig/overview.html"
class="external-link" rel="nofollow">JSR 105</a>, the Java API corresponding to the
W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation
will first try to use the Apache Santuario provider; if it does not find the Santuario provider,
it will use the JDK provider. Further, the implementation is DOM based.</p>

<p>Maven users will need to add the following dependency to their <tt>pom.xml</tt>
for this component:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;dependency&gt;
    &lt;groupId&gt;org.apache.camel&lt;/groupId&gt;
    &lt;artifactId&gt;camel-xmlsecurity&lt;/artifactId&gt;
    &lt;version&gt;x.x.x&lt;/version&gt;
    &lt;!-- use the same version as your Camel core version --&gt;
&lt;/dependency&gt;
</pre>
</div></div>

<h3><a name="XMLSecuritycomponent-XMLSignaturewrappingmodes"></a>XML Signature
wrapping modes</h3>

<p>XML Signature differs between enveloped, enveloping, and detached XML signature.
In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document;
which means that the XML signature element is a child element of a parent element, which belongs
to the signed XML Document. In the enveloping XML signature case, the XML Signature contains
the signed content. All other cases are called detached XML signatures. Detached XML signatures
are not supported in the current implementation.</p>

<p>In the <b>enveloped XML signature</b> case, the supported generated XML
signature has the following structure (Variables are surrounded by []).</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;[parent element]&gt;
       ... &lt;!-- Signature element is added as last child of the parent element--&gt;
       &lt;Signature Id="generated_unique_signature_id"&gt;
           &lt;SignedInfo&gt;
                 &lt;Reference URI=""&gt;
                       &lt;Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/&gt;
                       (&lt;Transform&gt;)* &lt;!-- By default "http://www.w3.org/2006/12/xml-c14n11"
is added to the transforms --&gt;
                       &lt;DigestMethod&gt;
                       &lt;DigestValue&gt;
                 &lt;/Reference&gt;
                 (&lt;Reference URI="#[keyinfo_Id]"&gt;
                       &lt;Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/&gt;
                       &lt;DigestMethod&gt;
                       &lt;DigestValue&gt;
                 &lt;/Reference&gt;)?
                 &lt;!-- further references possible, see option 'properties' below --&gt;
          &lt;/SignedInfo&gt;
          &lt;SignatureValue&gt;
          (&lt;KeyInfo Id="[keyinfo_id]"&gt;)?
          &lt;!-- Object elements possible, see option 'properties' below --&gt;
      &lt;/Signature&gt;
    &lt;/[parent element]&gt;
</pre>
</div></div>

<p>In the <b>enveloping XML signature</b> case, the supported generated
XML signature has the structure:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;Signature Id="generated_unique_signature_id"&gt;
      &lt;SignedInfo&gt;
             &lt;Reference URI="#generated_unique_object_id" type="[optional_type_value]"&gt;
&lt;!-- the URI can also be set by the option 'contentReferenceUri'; see below. --&gt;
                   (&lt;Transform&gt;)* &lt;!-- By default "http://www.w3.org/2006/12/xml-c14n11"
is added to the transforms --&gt;
                   &lt;DigestMethod&gt;
                   &lt;DigestValue&gt;
             &lt;/Reference&gt;
             (&lt;Reference URI="#[keyinfo_id]"&gt;
                   &lt;Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/&gt;
                   &lt;DigestMethod&gt;
                   &lt;DigestValue&gt;
             &lt;/Reference&gt;)?
              &lt;!-- further references possible, see option 'properties' below  --&gt;
      &lt;/SignedInfo&gt;
      &lt;SignatureValue&gt;
      (&lt;KeyInfo Id="[keyinfo_id]"&gt;)?
      &lt;Object Id="generated_unique_object_id"/&gt; &lt;!-- The Object element
contains the in-message body --&gt;
      &lt;!-- Further Object elements possible, see option 'properties' below --&gt;
    &lt;/Signature&gt;
</pre>
</div></div>

<h3><a name="XMLSecuritycomponent-URIformat"></a>URI format</h3>

<p>The camel component consists of two endpoints which have the following URI format.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    xmlsecurity:sign:name[?options]
    xmlsecurity:verify:name[?options]
</pre>
</div></div>

<ul>
	<li>With the signer endpoint, you can generate a XML signature for the body of the
in-message which can be either a XML document or a plain text. The enveloped or enveloping
XML signature will be set to the body of the out-message.</li>
	<li>With the verifier endpoint, you can validate an enveloped or enveloping XML signature
contained in the body of the in-message; if the validation is successful, then the original
content is extracted from the XML signature and set to the body of the out-message.</li>
	<li>The <tt>name</tt> part in the URI can be chosen by the user to distinguish
between different signer/verifier endpoints within one camel context.</li>
</ul>


<h3><a name="XMLSecuritycomponent-BasicExample"></a>Basic Example</h3>

<p>The following example shows the basic usage of the component.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    from("direct:enveloping").to("xmlsecurity:sign://enveloping?keyAccessor=#accessor",
                                 "xmlsecurity:verify://enveloping?keySelector=#selector","mock:result")
</pre>
</div></div>

<p>In Spring XML:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;from uri="direct:enveloping" /&gt;
      &lt;to uri="xmlsecurity:sign://enveloping?keyAccessor=#accessor" /&gt;
      &lt;to uri="xmlsecurity:verify://enveloping?keySelector=#selector" /&gt;
    &lt;to uri="mock:result" /&gt;
</pre>
</div></div>

<p>For the signing process, a private key is necessary. You specify a key accessor bean
which provides this private key. For the validation, the corresponding public key is necessary;
you specify a key selector bean which provides this public key.</p>

<p>The key accessor bean must implement the <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java"
class="external-link" rel="nofollow">KeyAccessor</a> interface. The package <tt>org.apache.camel.component.xmlsecurity.api</tt>
contains the default implementation class <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeyAccessor.java"
class="external-link" rel="nofollow">DefaultKeyAccessor</a> which reads the private
key from a Java keystore.</p>

<p>The key selector bean must implement the <a href="http://docs.oracle.com/javase/6/docs/api/javax/xml/crypto/KeySelector.html"
class="external-link" rel="nofollow">javax.xml.crypto.KeySelector</a> interface.
The package <tt>org.apache.camel.component.xmlsecurity.api</tt> contains the default
implementation class <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeySelector.java"
class="external-link" rel="nofollow">DefaultKeySelector</a> which reads the public
key from a keystore.</p>

<p>In the example, the default signature algorithm <tt><a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
class="external-link" rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a></tt>
is used. You can set the signature algorithm of your choice by the option <tt>signatureAlgorithm</tt>
(see below). The signer endpoint creates an <b>enveloping</b> XML signature. If
you want to create an <b>enveloped</b> XML signature then you must specify the
parent element of the Signature element; see option <tt>parentLocalName</tt> for
more details.</p>

<h3><a name="XMLSecuritycomponent-CommonSigningandVerifyingOptions"></a>Common
Signing and Verifying Options</h3>

<p>There are options which can be used for both endpoints, signer and verifier.</p>

<div class="confluenceTableSmall"></div>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Name </th>
<th class='confluenceTh'> Type </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> uriDereferencer </td>
<td class='confluenceTd'> <a href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/URIDereferencer.html"
class="external-link" rel="nofollow">javax.xml.crypto.URIDereferencer</a> </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> URI dereferencer. You can specify here your own URI dereferencer,
if you want to restrict the dereferencing or have special requirements for dereferencing.
</td>
</tr>
<tr>
<td class='confluenceTd'> baseUri </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Base URI used in the URI dereferencer. Relative URIs are concatenated
with the base URI. </td>
</tr>
<tr>
<td class='confluenceTd'> cryptoContextProperties </td>
<td class='confluenceTd'> Map&lt;String, ? extends Object&gt; </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Crypto context properties. See <tt>javax.xml.crypto.XMLCryptoContext.setProperty(String,
Object)</tt>. The properties can depend on the provider. For example, the JDK provider
"XMLDSig" has the property "org.jcp.xml.dsig.validateManifests" for enabling manifest validation.
The following properties are set by default to the value <tt>Boolean.TRUE</tt>
for the XML verifier: "org.jcp.xml.dsig.validateManifests", "javax.xml.crypto.dsig.cacheReference".
If the option <tt>secureValidation} is {{true</tt> then additionally the properties
"org.apache.jcp.xml.dsig.secureValidation" and "org.jcp.xml.dsig.secureValidation" are set
to <tt>Boolean.TRUE</tt> for the XML verifier. If you want to switch these features
off you must set the property values to <tt>Boolean.FALSE</tt>.  </td>
</tr>
<tr>
<td class='confluenceTd'> disallowDoctypeDecl </td>
<td class='confluenceTd'> Boolean </td>
<td class='confluenceTd'> Boolean.TRUE </td>
<td class='confluenceTd'> Indicator whether DTD DOCTYPE declarations shall be disallowed
in the incoming XML message. </td>
</tr>
<tr>
<td class='confluenceTd'> omitXmlDeclaration </td>
<td class='confluenceTd'> Boolean </td>
<td class='confluenceTd'> Boolean.FALSE </td>
<td class='confluenceTd'> Indicator whether the XML declaration header shall be omitted
in the output XML message. </td>
</tr>
<tr>
<td class='confluenceTd'> clearHeaders </td>
<td class='confluenceTd'> Boolean </td>
<td class='confluenceTd'> Boolean.TRUE </td>
<td class='confluenceTd'> Indicator whether the XML signature message headers defined
in <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureConstants.java"
class="external-link" rel="nofollow">XmlSignatureConstants</a> shall be deleted at
the end of the signer or verifier processing. </td>
</tr>
</tbody></table>
</div>


<h3><a name="XMLSecuritycomponent-SigningOptions"></a>Signing Options</h3>

<p>The signer endpoint has the following options.</p>

<div class="confluenceTableSmall"></div>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Name </th>
<th class='confluenceTh'> Type </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> keyAccessor </td>
<td class='confluenceTd'> <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java"
class="external-link" rel="nofollow">KeyAccessor</a> </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Provides the signing key and the KeyInfo instance. There is
an example implementation which uses a keystore, see <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeyAccessor.java"
class="external-link" rel="nofollow">DefaultKeyAccessor</a> </td>
</tr>
<tr>
<td class='confluenceTd'> addKeyInfoReference </td>
<td class='confluenceTd'> Boolean </td>
<td class='confluenceTd'> Boolean.TRUE </td>
<td class='confluenceTd'> Indicator whether a Reference element refering the KeyInfo
element provided by the key accessor should be added to the XML signature. </td>
</tr>
<tr>
<td class='confluenceTd'> signatureAlgorithm </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> <a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" class="external-link"
rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a> </td>
<td class='confluenceTd'> signature algorithm consisting of a digest and encryption
algorithm. The digest algorithm is used to calculate the digest of the SignedInfo element
and the encryption algorithm is used to sign this digest. Possible values: <a href="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
class="external-link" rel="nofollow">http://www.w3.org/2000/09/xmldsig#dsa-sha1</a>,
<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" class="external-link" rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>,
<a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class="external-link" rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</a>,
<a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" class="external-link" rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#rsa-sha384</a>,
<a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" class="external-link" rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#rsa-sha512</a>
</td>
</tr>
<tr>
<td class='confluenceTd'> digestAlgorithm </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> see description </td>
<td class='confluenceTd'> Digest algorithm for calculating the digest of the in-message
body. If not specified then the digest algorithm of the signature algorithm is used. Possible
values: <a href="http://www.w3.org/2000/09/xmldsig#sha1" class="external-link" rel="nofollow">http://www.w3.org/2000/09/xmldsig#sha1</a>,
<a href="http://www.w3.org/2001/04/xmlenc#sha256" class="external-link" rel="nofollow">http://www.w3.org/2001/04/xmlenc#sha256</a>,
<a href="http://www.w3.org/2001/04/xmldsig-more#sha384" class="external-link" rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#sha384</a>,
<a href="http://www.w3.org/2001/04/xmlenc#sha512" class="external-link" rel="nofollow">http://www.w3.org/2001/04/xmlenc#sha512</a>
</td>
</tr>
<tr>
<td class='confluenceTd'> parentLocalName </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Local name of the parent of the Signature element.  The Signature
element will be added at the end of the children of the parent. Necessary for enveloped XML
signature. If this option is null, then an enveloping XML signature is created. See also option
<tt>parentNamespace</tt>. </td>
</tr>
<tr>
<td class='confluenceTd'> parentNamespace </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Namespace of the parent of the Signature element. See option
<tt>parentLocalName</tt> </td>
</tr>
<tr>
<td class='confluenceTd'> canonicalizationMethod </td>
<td class='confluenceTd'> <a href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/AlgorithmMethod.html"
class="external-link" rel="nofollow">javax.xml.crypto.AlgorithmMethod</a> </td>
<td class='confluenceTd'> C14n </td>
<td class='confluenceTd'> Canonicalization method used to canonicalize the SignedInfo
element before the digest is calculated. You can use the helper methods <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java"
class="external-link" rel="nofollow">XmlSignatureHelper</a>.getCanonicalizationMethod(String
algorithm) or getCanonicalizationMethod(String algorithm, List&lt;String&gt; inclusiveNamespacePrefixes)
to create a canonicalization method. </td>
</tr>
<tr>
<td class='confluenceTd'> transformMethods </td>
<td class='confluenceTd'> List&lt;javax.xml.crypto.AlgorithmMethod&gt; </td>
<td class='confluenceTd'> see description </td>
<td class='confluenceTd'> Transforms which are executed on the message body before the
digest is calculated. By default, C14n is added and in the case of enveloped signature (see
option <tt>parentLocalName</tt>) also <a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
class="external-link" rel="nofollow">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>
is added at position 0 of the list. Use methods in <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java"
class="external-link" rel="nofollow">XmlSignatureHelper</a> to create the transform
methods. </td>
</tr>
<tr>
<td class='confluenceTd'> prefixForXmlSignatureNamespace </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> <tt>ds</tt> </td>
<td class='confluenceTd'> Prefix for the XML signature namespace. If <tt>null</tt>
is specified or an empty string then no prefix is used for the signature namespace. </td>
</tr>
<tr>
<td class='confluenceTd'> contentReferenceUri </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> see description </td>
<td class='confluenceTd'> The URI of the reference to the signed content (in-message
body). If <tt>null</tt> and we are in the enveloped XML signature case then the
URI is set to "". If <tt>null</tt> and we are in the enveloping XML signature
case then the URI is set to "generated_object_id" which means that the reference points to
the Object element containing the in-message body. You can use this option to reference a
specific part in your in-message body if you do not want to sign the complete in-message body.
This value can be overwritten by the header "CamelXmlSignatureContentReferenceUri". Please
be aware, if you want to use a value of an XML ID attribute (example: "#ID_value"), then you
must provide the information about the ID attribute via a doctype definition contained in
the input XML document. </td>
</tr>
<tr>
<td class='confluenceTd'> contentReferenceType </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Value of the type attribute of the content reference. This
value can be overwritten by the header "CamelXmlSignatureContentReferenceType" </td>
</tr>
<tr>
<td class='confluenceTd'> plainText </td>
<td class='confluenceTd'> Boolean </td>
<td class='confluenceTd'> Boolean.FALSE </td>
<td class='confluenceTd'> Indicator whether the in-message body contains plain text.
Normally, the signature generator treats the incoming message body as XML. If the message
body is plain text, then you must set this option to <tt>true</tt>. The value
can be overwritten by the header "CamelXmlSignatureMessageIsPlainText". </td>
</tr>
<tr>
<td class='confluenceTd'> plainTextEncoding </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Only used when the option <tt>plainText</tt> is
set to <tt>true</tt>. Then you can specify the encoding of the plain text. If
<tt>null</tt> then UTF-8 is used. The value can be overwritten by the header "CamelXmlSignatureMessageIsPlainTextEncoding".
</td>
</tr>
<tr>
<td class='confluenceTd'> properties </td>
<td class='confluenceTd'> <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java"
class="external-link" rel="nofollow">XmlSignatureProperties</a> </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> For adding additional References and Objects to the XML signature
which contain additional properties, you can provide a bean which implements the <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java"
class="external-link" rel="nofollow">XmlSignatureProperties</a> interface. </td>
</tr>
<tr>
<td class='confluenceTd'>contentObjectId</td>
<td class='confluenceTd'>String</td>
<td class='confluenceTd'>null</td>
<td class='confluenceTd'>Value of the Id attribute of the Object element. Only used
in the enveloped XML signature case. If <tt>null</tt> then a unique value is generated.
Available as of <b>2.12.2</b></td>
</tr>
</tbody></table>
</div>



<h3><a name="XMLSecuritycomponent-VerifyingOptions"></a>Verifying Options</h3>

<p>The verifier endpoint has the following options.</p>

<div class="confluenceTableSmall"></div>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Name </th>
<th class='confluenceTh'> Type </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> keySelector </td>
<td class='confluenceTd'> <a href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/KeySelector.html"
class="external-link" rel="nofollow">javax.xml.crypto.KeySelector</a> </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Provides the key for validating the XML signature. There is
an example implementation which uses a keystore, see <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeySelector.java"
class="external-link" rel="nofollow">DefaultKeySelector</a>. </td>
</tr>
<tr>
<td class='confluenceTd'> xmlSignatureChecker </td>
<td class='confluenceTd'> <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureChecker.java"
class="external-link" rel="nofollow">XmlSignatureChecker</a> </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> This interface allows the application to check the XML signature
before the validation is executed. This step is recommended in <a href="http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed"
class="external-link" rel="nofollow">http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed</a>
</td>
</tr>
<tr>
<td class='confluenceTd'> validationFailedHandler </td>
<td class='confluenceTd'> <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/ValidationFailedHandler.java"
class="external-link" rel="nofollow">ValidationFailedHandler</a> </td>
<td class='confluenceTd'> <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultValidationFailedHandler.java"
class="external-link" rel="nofollow">DefaultValidationFailedHandler</a> </td>
<td class='confluenceTd'> Handles the different validation failed situations. The default
implementation throws specific exceptions for the different situations (All exceptions have
the package name <tt>org.apache.camel.component.xmlsecurity.api</tt> and are a
sub-class of <tt>XmlSignatureInvalidException</tt>. If the signature value validation
fails, a <tt>XmlSignatureInvalidValueException</tt> is thrown. If a reference
validation fails, a <tt>XmlSignatureInvalidContentHashException</tt> is thrown.
For more detailed information, see the JavaDoc. </td>
</tr>
<tr>
<td class='confluenceTd'> xmlSignature2Message </td>
<td class='confluenceTd'> <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignature2Message.java"
class="external-link" rel="nofollow">XmlSignature2Message</a> </td>
<td class='confluenceTd'> <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultXmlSignature2Message.java"
class="external-link" rel="nofollow">DefaultXmlSignature2Message</a> </td>
<td class='confluenceTd'> Bean which maps the XML signature to the ouput-message after
the validation. How this mapping should be done can be configured by the options <tt>outputNodeSearchType</tt>,
<tt>outputNodeSearch</tt>, and <tt>removeSignatureElements</tt>. The
default implementation offers three possibilities which are related to the three output node
search types "Default", "ElementName", and "XPath". The default implementation determines
a node which is then serialized and set to the body of the ouput message. If the search type
is "ElementName" then the ouput node (which must be in this case an element) is determined
by the local name and namespace defined in the search value (see option <tt>outputNodeSearch</tt>).
If the search type is "XPath" then the output node is determined by the XPath specified in
the search value (in this case the ouput node can be of type "Element", "TextNode" or "Document").
If the output node search type is "Default" then the following rules apply: In the enveloped
XML signature case (there is a reference with URI="" and transform "http://www.w3.org/2000/09/xmldsig#enveloped-signature"),
the incoming XML document without the Signature element is set to the output message body.
In the non-enveloped XML signature case, the message body is determined from a referenced
Object; this is explained in more detail in chapter "Output Node Determination in Enveloping
XML Signature Case". </td>
</tr>
<tr>
<td class='confluenceTd'> outputNodeSearchType </td>
<td class='confluenceTd'> String </td>
<td class='confluenceTd'> "Default" </td>
<td class='confluenceTd'> Determines the type of the search of the output node. See
option <tt>xmlSignature2Message</tt>. The default implementation <tt>DefaultXmlSignature2Message</tt>
supports the three search types "Default", "ElementName", and "XPath". </td>
</tr>
<tr>
<td class='confluenceTd'> outputNodeSearch </td>
<td class='confluenceTd'> Object </td>
<td class='confluenceTd'> null </td>
<td class='confluenceTd'> Search value of the output node search. The type depends on
the search type. For the default search implementation <tt>DefaultXmlSignature2Message</tt>
the following values can be supplied. If the search type is "Default", then the search value
is not used. If the search type is "ElementName", then the search value contains the namespace
and local name of the output element. The namespace must be embraced in brackets. If the search
type is "XPath", the search value contains an instance of <tt>javax.xml.crypto.dsig.spec.XPathFilterParameterSpec</tt>
which represents an XPath. You can create such an instance via the method <tt><a
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java"
class="external-link" rel="nofollow">XmlSignatureHelper</a></tt><tt>.getXpathFilter(String
xpath, Map&lt;String, String&gt; namespaceMap)</tt>. The XPath determines the
output node which can be of type Element, TextNode, or Document. </td>
</tr>
<tr>
<td class='confluenceTd'> removeSignatureElements </td>
<td class='confluenceTd'> Boolean </td>
<td class='confluenceTd'> Boolean.FALSE </td>
<td class='confluenceTd'> Indicator for removing Signature elements in the output message
in the enveloped XML signature case. Used in the <tt>XmlSignature2Message</tt>
instance. The default implementation does use this indicator for the two search types "ElementName"
and "XPath". </td>
</tr>
<tr>
<td class='confluenceTd'> secureValidation </td>
<td class='confluenceTd'> Boolean </td>
<td class='confluenceTd'> Boolean.TRUE </td>
<td class='confluenceTd'> Enables secure validation. If true then secure validation
is enabled - see <a href="http://santuario.apache.org/java150releasenotes.html" class="external-link"
rel="nofollow">here</a> for more information. </td>
</tr>
</tbody></table>
</div>


<h4><a name="XMLSecuritycomponent-OutputNodeDeterminationinEnvelopingXMLSignatureCase"></a>Output
Node Determination in Enveloping XML Signature Case</h4>

<p>After the validation the node is extracted from the XML signature document which
is finally returned to the output-message body. In the enveloping XML signature case, the
default implementation <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultXmlSignature2Message.java"
class="external-link" rel="nofollow">DefaultXmlSignature2Message</a> of <a href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignature2Message.java"
class="external-link" rel="nofollow">XmlSignature2Message</a> does this for the node
search type "Default" in the following way (see option <tt>xmlSignature2Message</tt>):</p>

<p>First an Object reference is determined:</p>

<ul>
	<li>Only same document references are taken into account (URI must start with '#')</li>
	<li>Also indirect same document references to an object via manifest are taken into
account.</li>
	<li>The resulting number of Object references must be 1.</li>
</ul>


<p>Then, the Object is dereferenced and the Object must only contain one XML element.
This element is returned as output node.</p>

<p>This does mean that the enveloping XML signature must have either the structure</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;Signature&gt;
          &lt;SignedInfo&gt;
             &lt;Reference URI="#object"/&gt;
             &lt;!-- further references possible but they must not point to an Object
or Manifest containing an object reference --&gt;
             ...
          &lt;/SignedInfo&gt;

          &lt;Object Id="object"&gt;
               &lt;!-- contains one XML element which is extracted to the message body
--&gt;
          &lt;Object&gt;
          &lt;!-- further object elements possible which are not referenced--&gt;
          ...
          (&lt;KeyInfo&gt;)?
    &lt;/Signature&gt;
</pre>
</div></div>
<p>or the structure</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;Signature&gt;
          &lt;SignedInfo&gt;
             &lt;Reference URI="#manifest"/&gt;
             &lt;!-- further references  are possible but they must not point to an Object
or other manifest containing an object reference --&gt;
             ...
          &lt;/SignedInfo&gt;

          &lt;Object &gt;
             &lt;Manifest Id="manifest"&gt;
                &lt;Reference URI=#object/&gt;
             &lt;/Manifest&gt;
          &lt;/Objet&gt;
          &lt;Object Id="object"&gt;
              &lt;!-- contains the DOM node which is extracted to the message body --&gt;
          &lt;/Object&gt;
           &lt;!-- further object elements possible which are not referenced --&gt;
          ...
          (&lt;KeyInfo&gt;)?
    &lt;/Signature&gt;
</pre>
</div></div>

<h3><a name="XMLSecuritycomponent-SeeAlso"></a>See Also</h3>

<ul>
	<li><a href="http://www.w3.org/TR/xmldsig-bestpractices/" class="external-link"
rel="nofollow">Best Practices</a></li>
</ul>

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;" class="grey">
                        <a href="https://cwiki.apache.org/confluence/users/removespacenotification.action?spaceKey=CAMEL">Stop
watching space</a>
            <span style="padding: 0px 5px;">|</span>
                <a href="https://cwiki.apache.org/confluence/users/editmyemailsettings.action">Change
email notification preferences</a>
</div>
        <a href="https://cwiki.apache.org/confluence/display/CAMEL/XML+Security+component">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=34018151&revisedVersion=8&originalVersion=7">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message