JDK-8151893 : Add security property to configure XML Signature secure validation mode
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.xml.crypto
  • Affected Version: 9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2016-03-15
  • Updated: 2017-05-17
  • Resolved: 2016-08-25
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 JDK 8 JDK 9 Other
6u141Fixed 7u131Fixed 8u121Fixed 9 b134Fixed openjdk7uFixed
Related Reports
Relates :  
Sub Tasks
JDK-8164117 :  
The XML Signature secure validation mode is all or nothing, there is no way to selectively control each of the restrictions. The mode is enabled either by setting the property "org.jcp.xml.dsig.secureValidation" to true with the javax.xml.crypto.XMLCryptoContext.setProperty() method, or by running the code with a SecurityManager. 

It would be useful to define a new security property that allows you to configure the individual restrictions that are enabled. For example:

jdk.xmldsig.secureValidation=xslt, md5, refs > 29, \
    trans > 4, uniqueIds, uri = file | http, \
    retMethodLoop, DSA keySize < 1024, \
    RSA keySize < 1024

An administrator could selectively control each restriction, and could remove/disable a single restriction without having to completely turn off everything.
FC Extension Request Remaining work: The fix is understood, but the code, CCC, and tests still need to be implemented. The code will be started soon. Risk: medium risk that the fix may not be integrated into master by 9/1 Justification: this feature is blocking another critical issue Estimated completion date: 8/26