JDK-8164117 : Release Note: Add security property to configure XML Signature secure validation mode
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.xml.crypto
  • Affected Version: 6u141, 7u131, 8u121, 9
  • Priority: P2
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2016-08-16
  • Updated: 2020-11-04
  • Resolved: 2016-12-20
Version table (release in which this issue is addressed)
  • JDK 6: 6u141 (Resolved)
  • JDK 7: 7u131 (Resolved)
  • JDK 8: 8u121 (Resolved)
  • JDK 9: 9 (Resolved)
Description
A new security property named `jdk.xml.dsig.secureValidationPolicy` has been added that lets you configure the individual restrictions enforced when the secure validation mode of XML Signature is enabled. Secure validation mode is turned on by setting the `org.jcp.xml.dsig.secureValidation` property to `Boolean.TRUE` on the validation context (a `DOMValidateContext` sets it automatically when a `SecurityManager` is installed); the policy only takes effect in that mode, and validation with the mode off remains as permissive as before. The default value for this property in the `java.security` configuration file is:
```
jdk.xml.dsig.secureValidationPolicy=\
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
    maxTransforms 5,\
    maxReferences 30,\
    disallowReferenceUriSchemes file http https,\
    noDuplicateIds,\
    noRetrievalMethodLoops
```
Each comma-separated entry is one constraint: `disallowAlg <uri>` rejects a signature, digest, canonicalization or transform algorithm by its URI (the defaults drop the XSLT transform and the MD5-based algorithms); `maxTransforms` caps the number of transforms per `Reference` and `maxReferences` the number of references per `SignedInfo`; `disallowReferenceUriSchemes` rejects `Reference` URIs that would fetch external content over the listed schemes; `noDuplicateIds` rejects documents containing duplicate `Id` attributes; `noRetrievalMethodLoops` rejects `RetrievalMethod` chains that refer back to each other. A signature that violates any entry is rejected when the `Signature` element is unmarshalled, before its digests or signature value are checked. Please refer to the definition of the property in the `java.security` file for the full syntax. The property is a standard security property, so it can also be overridden in a file passed with `-Djava.security.properties=<file>` or set with `java.security.Security.setProperty`; because the JDK reads it once, when its XML Signature implementation initializes, a programmatic override must happen before the first use of `XMLSignatureFactory`.
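The following program is an added example, not part of this release note or of the JDK sources. It installs a hypothetical tightened policy (the JDK default with `maxTransforms` lowered from 5 to 1), signs a constructed sample document with a `Reference` that uses two transforms (enveloped plus exclusive canonicalization), and then validates it twice: once with secure validation mode off, where the signature verifies, and once with the mode on, where the policy rejects it. The class name `SecureValidationPolicyDemo`, the `KeyValueKeySelector` helper and the sample `Order` document are assumptions made for the demonstration; the property names and the `javax.xml.crypto` calls are the JDK's own.

```java
import java.security.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SecureValidationPolicyDemo {

    // Hypothetical policy for this demo: the JDK default, except that
    // maxTransforms is lowered from 5 to 1 so the two-transform Reference below trips it.
    static final String STRICT_POLICY =
        "disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,"
      + "disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,"
      + "disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,"
      + "disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,"
      + "maxTransforms 1,"
      + "maxReferences 30,"
      + "disallowReferenceUriSchemes file http https,"
      + "noDuplicateIds,"
      + "noRetrievalMethodLoops";

    public static void main(String[] args) throws Exception {
        // Must run before the first javax.xml.crypto call: the JDK reads the
        // property once, when its XML Signature implementation initializes.
        Security.setProperty("jdk.xml.dsig.secureValidationPolicy", STRICT_POLICY);

        Document doc = signedDocument();
        System.out.println("secure validation off: " + validate(doc, false));
        try {
            System.out.println("secure validation on: " + validate(doc, true));
        } catch (MarshalException | XMLSignatureException e) {
            // Expected: the Reference carries 2 transforms, the policy allows 1.
            System.out.println("secure validation on: rejected -> " + e.getMessage());
        }
    }

    /** Signs a constructed sample document with an enveloped signature whose Reference uses two transforms. */
    static Document signedDocument() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                       // required for XML Signature DOM processing
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElement("Order");          // constructed sample payload
        root.setTextContent("constructed sample payload");
        doc.appendChild(root);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));

        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), root));
        return doc;
    }

    /** Unmarshals and validates the Signature; the secure-validation policy checks run during unmarshalling. */
    static boolean validate(Document doc, boolean secure) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalStateException("no Signature element");
        DOMValidateContext ctx = new DOMValidateContext(new KeyValueKeySelector(), nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", secure);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);   // policy violations are rejected here
        return sig.validate(ctx);                             // digest + signature-value checks
    }

    /** Demo-only selector that trusts the key carried in KeyInfo/KeyValue; a real verifier checks it against a trust store. */
    static class KeyValueKeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            for (Object item : keyInfo.getContent()) {
                if (item instanceof KeyValue) {
                    try {
                        final PublicKey pk = ((KeyValue) item).getPublicKey();
                        return () -> pk;
                    } catch (KeyException e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            throw new KeySelectorException("no KeyValue in KeyInfo");
        }
    }
}
```

Run it on 8u121 or later (or any newer JDK): the first validation prints `true`, the second reports the rejection message from the JDK. For production the tightened value belongs in `java.security` or in an overrides file passed with `-Djava.security.properties=<file>` rather than in code, so that every JVM on the host gets the same policy; the `Security.setProperty` call is used here only so the example is self-contained.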