It's great to know the search will be off by default in the future release. Nasty security problems could happen because of it. Do you know which future release will include this feature?

On Wed, Nov 16, 2011 at 10:28 AM, Cantor, Scott <[email protected]> wrote:
> On 11/16/11 1:08 PM, "Yang Yu" <[email protected]> wrote:
>
> >Right on the point, Scott. Suppose an application always calls
> >IdResolver.registerElementById() before validating the signature, then
> >the exhaustive search shouldn't be necessary, correct?
>
> It will in general constantly fail unless you have application code
> specifically set up to deal with the problem.
>
> In turn, the IdResolver interface is, I think, an extension point that can
> be used to address that. You can also manually set IDness via DOM3.
>
> Of course, specifics vary. It depends on the application.
>
> >I'm wondering if it's possible to remove the call to
> >IdResolver.getElementBySearching in xml sec library?
>
> I believe it will be an option to disable it, and off by default, in a
> future release.
>
> -- Scott
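
The "set IDness via DOM3" option mentioned in the quoted reply, as an added example that is not part of the original thread or of the xml sec library: the application marks the `Id` attribute only on the element it expects to be signed, so lookup by ID needs no document-wide search. The class name, the element names and the sample document are assumptions made for illustration; only JDK DOM calls are used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class ExplicitIdDemo {
    // Constructed sample: two elements carry the same "Id" value, the
    // ambiguity a search by attribute name over the whole tree cannot settle.
    static final String XML =
        "<Envelope><Wrapper><Body Id=\"b1\">injected</Body></Wrapper>"
      + "<Body Id=\"b1\">original</Body></Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPEs so the document cannot declare its own ID attributes.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Assumed application policy: exactly one Body, a direct child of the
    // root, may be referenced by ID. Anything else is rejected.
    static Element registerExpectedBody(Document doc) {
        Element expected = null;
        Node root = doc.getDocumentElement();
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && "Body".equals(n.getNodeName())) {
                if (expected != null) throw new IllegalStateException("duplicate Body");
                expected = (Element) n;
            }
        }
        if (expected == null) throw new IllegalStateException("no Body at expected position");
        expected.setIdAttribute("Id", true); // DOM Level 3: mark this attribute as an ID
        return expected;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(XML);
        // No DTD, schema or explicit registration yet, so no attribute has ID type.
        System.out.println("before: " + doc.getElementById("b1"));
        registerExpectedBody(doc);
        System.out.println("after:  " + doc.getElementById("b1").getTextContent());
    }
}
```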
