Summary
-------

Disable by default XML Signatures that use SHA-1 based digest or signature algorithms. SHA-1 is no longer a recommended algorithm for digital signatures.

Problem
-------

SHA-1 is no longer a recommended algorithm. This will improve out of the box security by restricting XML signatures that use SHA-1 algorithms.

Solution
--------

Disable SHA-1 by adding the signature and digest algorithm URIs that use SHA-1 to the `jdk.xml.dsig.secureValidationPolicy` security property.  The hmac-sha1 algorithm will not be disabled
however as it does not have the same security weaknesses.

Specification
-------------
Make the following changes to the `java.security` configuration file:
```
  jdk.xml.dsig.secureValidationPolicy=\
      disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
+     disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
+     disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
+     disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
+     disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
+     disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
      maxTransforms 5,\
      maxReferences 30,\
      disallowReferenceUriSchemes file http https,\
      minKeySize RSA 1024,\
      minKeySize DSA 1024,\
```