Summary
-------
By default, disable XML signatures that use SHA-1 based digest or signature algorithms. SHA-1 is no longer a recommended algorithm for digital signatures.

Problem
-------
SHA-1 is no longer a recommended algorithm. Restricting XML signatures that use SHA-1 algorithms by default will improve out-of-the-box security.

Solution
--------
Disable SHA-1 by adding the signature and digest algorithm URIs that use SHA-1 to the `jdk.xml.dsig.secureValidationPolicy` security property. The hmac-sha1 algorithm will not be disabled, however, as it does not have the same security weaknesses.

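
An added example, not part of the original proposal or of JDK code: a Python audit that takes the text of a `java.security` file, joins its backslash continuations, and reports which of the five SHA-1 URIs are still missing from the policy and whether hmac-sha1 has been disallowed. The function names, the hmac-sha1 URI and the sample file contents are assumptions constructed for illustration.

```python
POLICY_KEY = "jdk.xml.dsig.secureValidationPolicy"
# The five SHA-1 digest/signature URIs this change adds to the policy.
SHA1_URIS = (
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
)
# Assumption: the standard XMLDSig URI for hmac-sha1 (the page names only the algorithm).
HMAC_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
MD5_URI = "http://www.w3.org/2001/04/xmldsig-more#md5"  # used in the constructed sample

def read_property(text, key):
    """Return key's value from java.security-style text, joining '\\' continuations."""
    logical, pending, continuing = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line.startswith("#")):
            continue  # blank or comment line outside a continuation
        continuing = line.endswith("\\")
        pending += line[:-1] if continuing else line
        if not continuing:
            logical.append(pending)
            pending = ""
    value = None
    for entry in logical + ([pending] if pending else []):
        name, sep, rest = entry.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()  # a later definition overrides an earlier one
    return value

def disallowed_algs(policy):
    """URIs named by 'disallowAlg <uri>' restrictions in a policy value."""
    pairs = (r.split() for r in policy.split(","))
    return {p[1] for p in pairs if len(p) == 2 and p[0] == "disallowAlg"}

def audit(text):
    """Report SHA-1 URIs not yet disallowed and whether hmac-sha1 is disallowed."""
    algs = disallowed_algs(read_property(text, POLICY_KEY) or "")
    return {
        "missing_sha1": [u for u in SHA1_URIS if u not in algs],
        "hmac_sha1_disallowed": HMAC_SHA1_URI in algs,
    }

def sample_config(uris):
    """Build a constructed java.security excerpt (not the full JDK policy)."""
    body = "".join(f"    disallowAlg {u},\\\n" for u in uris)
    return "# constructed\n" + POLICY_KEY + "=\\\n" + body + "    maxTransforms 5\n"
```
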
Specification
-------------
Make the following changes to the `java.security` configuration file:
```
jdk.xml.dsig.secureValidationPolicy=\
disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
+ disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
+ disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
+ disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
+ disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
+ disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
maxTransforms 5,\
maxReferences 30,\
disallowReferenceUriSchemes file http https,\
minKeySize RSA 1024,\
minKeySize DSA 1024,\
```
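
Review bot: the five added `disallowAlg` lines leave hmac-sha1 out on purpose, but nothing next to the property records that; add a comment above `jdk.xml.dsig.secureValidationPolicy` in `java.security` stating that hmac-sha1 is intentionally left enabled, so a later reader does not treat the gap as an oversight. The excerpt also stops at `minKeySize DSA 1024,\` with a trailing continuation, so the specification should show the property through its final entry to make clear that nothing after that line changes. Because signatures using these five URIs are restricted by default after this change, the specification should also say how an application that must still accept them is expected to adjust the property.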