DO NOT REPLY [Bug 44863] New: Improved logging in signature handling
https://issues.apache.org/bugzilla/show_bug.cgi?id=44863

           Summary: Improved logging in signature handling
           Product: Security
           Version: Java 1.4
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: [EMAIL PROTECTED]

Created an attachment (id=21848)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=21848)
logging modifications to Reference and XMLSignature classes

It would be very helpful to have additional logging surrounding the creation
and validation of signatures. We need this information to assist in debugging
issues when our clients are attempting to call our web services. Specifically,
I am suggesting the additional logging be added to the
org.apache.xml.security.signature.Reference.java and
org.apache.xml.security.signature.XMLSignature.java classes. I am attaching a
file detailing the changes to these files we need using a base of version
1.4.1. Can this logging be added to the next release of xml security?

Thanks,
Wally

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
DO NOT REPLY [Bug 44863] Improved logging in signature handling
https://issues.apache.org/bugzilla/show_bug.cgi?id=44863

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
             Status|NEW                         |ASSIGNED

--- Comment #1 from [EMAIL PROTECTED] 2008-04-23 12:15:36 PST ---
(In reply to comment #0)
> Created an attachment (id=21848)
>  --> (https://issues.apache.org/bugzilla/attachment.cgi?id=21848)
> logging modifications to Reference and XMLSignature classes
>
> It would be very helpful to have additional logging surrounding the creation
> and validation of signatures. We need this information to assist in debugging
> issues when our clients are attempting to call our web services. Specifically,
> I am suggesting the additional logging be added to the
> org.apache.xml.security.signature.Reference.java and
> org.apache.xml.security.signature.XMLSignature.java classes. I am attaching a
> file detailing the changes to these files we need using a base of version
> 1.4.1. Can this logging be added to the next release of xml security?

I should be able to add it to 1.4.2 since it is fairly low risk. However, the
changes I will add will be a little different. The best place to put the
logging statements is in the SignerOutputStream and DigesterOutputStream
classes and log the bytes as they are being signed or digested. Calling
Reference.getReferencedBytes or SignedInfo.getCanonicalizedStream has a couple
of issues. These methods recalculate the transformed or canonicalized bytes;
thus they may not be the exact same bytes (for example, the referenced content
may change or there may be network issues, etc) and also incur an additional
performance cost.
DO NOT REPLY [Bug 44863] Improved logging in signature handling
https://issues.apache.org/bugzilla/show_bug.cgi?id=44863

--- Comment #2 from Wally Dennis <[EMAIL PROTECTED]> 2008-04-23 12:54:12 PST ---
(In reply to comment #1)
> (In reply to comment #0)
> > Created an attachment (id=21848)
> >  --> (https://issues.apache.org/bugzilla/attachment.cgi?id=21848)
> > logging modifications to Reference and XMLSignature classes
> >
> > It would be very helpful to have additional logging surrounding the creation
> > and validation of signatures. We need this information to assist in debugging
> > issues when our clients are attempting to call our web services. Specifically,
> > I am suggesting the additional logging be added to the
> > org.apache.xml.security.signature.Reference.java and
> > org.apache.xml.security.signature.XMLSignature.java classes. I am attaching a
> > file detailing the changes to these files we need using a base of version
> > 1.4.1. Can this logging be added to the next release of xml security?
>
> I should be able to add it to 1.4.2 since it is fairly low risk. However, the
> changes I will add will be a little different. The best place to put the
> logging statements is in the SignerOutputStream and DigesterOutputStream
> classes and log the bytes as they are being signed or digested. Calling
> Reference.getReferencedBytes or SignedInfo.getCanonicalizedStream has a couple
> of issues. These methods recalculate the transformed or canonicalized bytes;
> thus they may not be the exact same bytes (for example, the referenced content
> may change or there may be network issues, etc) and also incur an additional
> performance cost.

Adding the logging to the OutputStream classes does have one drawback, though.
Especially for the reference logging, I believe you lose the URI so in
situations where multiple references are present you have to figure it out.
Granted, this is most likely not difficult, but it is helpful. We tend to like
to have as much info as possible as long as there is no significant performance
impact. That being said, I'll take whatever I can get. Thanks.
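An added example, not code from this thread or from the Apache XML Security project: one way to log the pre-digested bytes inside the stream that feeds the digest, as comment #1 proposes, while keeping the reference URI in the same log line, as comment #2 asks. The class name `LoggingDigestStream`, the 4096-byte cap and the sample input are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical class for illustration; not the library's DigesterOutputStream.
public class LoggingDigestStream extends OutputStream {
    private static final Logger LOG = Logger.getLogger(LoggingDigestStream.class.getName());
    private static final int MAX_LOGGED = 4096; // assumed cap so a large reference cannot flood the log

    private final MessageDigest digest;
    private final String referenceUri;        // carried along so the log line names the reference
    private final ByteArrayOutputStream seen;  // null unless debug logging is on: no cost otherwise

    public LoggingDigestStream(MessageDigest digest, String referenceUri) {
        this.digest = digest;
        this.referenceUri = referenceUri;
        this.seen = LOG.isLoggable(Level.FINE) ? new ByteArrayOutputStream() : null;
    }

    @Override public void write(int b) { write(new byte[] {(byte) b}, 0, 1); }

    @Override public void write(byte[] buf, int off, int len) {
        digest.update(buf, off, len); // exactly the bytes that are digested, nothing recalculated
        if (seen != null && seen.size() < MAX_LOGGED) {
            seen.write(buf, off, Math.min(len, MAX_LOGGED - seen.size()));
        }
    }

    // Logs what was digested (debug level only) and returns the digest value.
    public byte[] finish() {
        if (seen != null) {
            LOG.fine("Pre-digested input for reference \"" + referenceUri + "\" (first "
                + seen.size() + " bytes): " + new String(seen.toByteArray(), StandardCharsets.UTF_8));
        }
        return digest.digest();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: canonical form of a made-up element referenced as "#body".
        byte[] c14n = "<Body Id=\"body\">hello</Body>".getBytes(StandardCharsets.UTF_8);
        LoggingDigestStream out = new LoggingDigestStream(MessageDigest.getInstance("SHA-1"), "#body");
        out.write(c14n, 0, c14n.length);
        System.out.println(Base64.getEncoder().encodeToString(out.finish()));
    }
}
```

With `java.util.logging` at its default INFO level nothing is buffered or logged; set the logger to FINE to see the pre-digest line. The logged bytes are the signed content itself, so that log needs the same handling as the messages it records.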
DO NOT REPLY [Bug 44863] Improved logging in signature handling
https://issues.apache.org/bugzilla/show_bug.cgi?id=44863

--- Comment #3 from [EMAIL PROTECTED] 2008-04-23 16:26:04 PST ---
(In reply to comment #2)
> Adding the logging to the OutputStream classes does have one drawback, though.
> Especially for the reference logging, I believe you lose the URI so in
> situations where multiple references are present you have to figure it out.
> Granted, this is most likely not difficult, but it is helpful. We tend to like
> to have as much info as possible as long as there is no significant performance
> impact. That being said, I'll take whatever I can get. Thanks.

If you enable logging at the debug level, all the builtin resolvers log a
message "I state that I can resolve reference: "uri"", and a few logging
messages later the pre-digested bytes will be logged (after I put in the fix).