Modified: websites/production/camel/content/xml-security-component.html
==============================================================================
--- websites/production/camel/content/xml-security-component.html (original)
+++ websites/production/camel/content/xml-security-component.html Thu Jul 24 
12:18:09 2014
@@ -180,7 +180,7 @@
       <to 
uri="xmlsecurity:verify://enveloping?keySelector=#selector" />
     <to uri="mock:result" />
 ]]></script>
-</div></div><p>For the signing process, a private key is necessary. You 
specify a key accessor bean which provides this private key. For the 
validation, the corresponding public key is necessary; you specify a key 
selector bean which provides this public key.</p><p>The key accessor bean must 
implement the <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java";
 rel="nofollow">KeyAccessor</a> interface. The package 
<code>org.apache.camel.component.xmlsecurity.api</code> contains the default 
implementation class <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeyAccessor.java";
 rel="nofollow">DefaultKeyAccessor</a> which reads the private key from a Java 
keystore.</p><p>The key selector bean must implement the <a shape="re
 ct" class="external-link" 
href="http://docs.oracle.com/javase/6/docs/api/javax/xml/crypto/KeySelector.html";
 rel="nofollow">javax.xml.crypto.KeySelector</a> interface. The package 
<code>org.apache.camel.component.xmlsecurity.api</code> contains the default 
implementation class <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeySelector.java";
 rel="nofollow">DefaultKeySelector</a> which reads the public key from a 
keystore.</p><p>In the example, the default signature algorithm <code><a 
shape="rect" class="external-link" 
href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a></code> is used. 
You can set the signature algorithm of your choice by the option 
<code>signatureAlgorithm</code> (see below). The signer endpoint creates an 
<strong>enveloping</strong> XML signature. If you want to create an <str
 ong>enveloped</strong> XML signature then you must specify the parent element 
of the Signature element; see option <code>parentLocalName</code> for more 
details.</p><p>For creating <strong>detached</strong> XML signatures, see 
sub-chapter "Detached XML Signatures as Siblings of the Signed 
Elements".</p><h3 
id="XMLSecuritycomponent-CommonSigningandVerifyingOptions">Common Signing and 
Verifying Options</h3><p>There are options which can be used for both 
endpoints, signer and verifier.</p><div class="confluenceTableSmall"></div><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>uriDereferencer</p></td><td colspan="1" 
rowspan="1" class="confluence
 Td"><p><a shape="rect" class="external-link" 
href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/URIDereferencer.html";
 rel="nofollow">javax.xml.crypto.URIDereferencer</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>URI dereferencer. You can specify here your own URI 
dereferencer, if you want to restrict the dereferencing or have special 
requirements for dereferencing.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>baseUri</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Base URI used in the URI dereferencer. Relative URIs 
are concatenated with the base URI.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>cryptoContextProperties</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Map&lt;String, ? exten
 ds Object&gt;</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Crypto context properties. See 
<code>javax.xml.crypto.XMLCryptoContext.setProperty(String, Object)</code>. The 
properties can depend on the provider. For example, the JDK provider "XMLDSig" 
has the property "org.jcp.xml.dsig.validateManifests" for enabling manifest 
validation. The following properties are set by default to the value 
<code>Boolean.TRUE</code> for the XML verifier: 
"org.jcp.xml.dsig.validateManifests", "javax.xml.crypto.dsig.cacheReference". 
If the option <code>secureValidation} is {{true</code> then additionally the 
properties "org.apache.jcp.xml.dsig.secureValidation" and 
"org.jcp.xml.dsig.secureValidation" are set to <code>Boolean.TRUE</code> for 
the XML verifier. If you want to switch these features off you must set the 
property values to <code>Boolean.FALSE</code>.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluence
 Td"><p>disallowDoctypeDecl</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.TRUE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator whether DTD DOCTYPE declarations shall be 
disallowed in the incoming XML message.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>omitXmlDeclaration</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.FALSE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator whether the XML declaration header shall be 
omitted in the output XML message.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>clearHeaders</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.TRUE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator wheth
 er the XML signature message headers defined in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureConstants.java";
 rel="nofollow">XmlSignatureConstants</a> shall be deleted at the end of the 
signer or verifier processing.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">schemaResourceUri</td><td colspan="1" rowspan="1" 
class="confluenceTd">String</td><td colspan="1" rowspan="1" 
class="confluenceTd">null</td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>Since 2.14.0</strong>. Classpath to the XML Schema 
file. If set then the XML document is validated against the XML schema. Must be 
set in the case of detached signatures in order to determine the attributes of 
type ID. <span>This value can be overwritten by the header 
"CamelXmlSignatureSchemaResourceUri". <span>For further information, 
s</span><span>ee sub-chapter "Detached 
 XML Signatures as Siblings of the Signed 
Elements".</span></span></td></tr></tbody></table></div><h3 
id="XMLSecuritycomponent-SigningOptions">Signing Options</h3><p>The signer 
endpoint has the following options.</p><div 
class="confluenceTableSmall"></div><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>keyAccessor</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java";
 rel="nofollow">KeyAccessor</a></p></td><td colspan="1" rowspan="1" 
class="conflue
 nceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Provides the signing key and the KeyInfo instance. 
There is an example implementation which uses a keystore, see <a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeyAccessor.java";
 rel="nofollow">DefaultKeyAccessor</a></p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>addKeyInfoReference</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.TRUE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator whether a Reference element refering the 
KeyInfo element provided by the key accessor should be added to the XML 
signature.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>signatureAlgorithm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>
 String</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a 
shape="rect" class="external-link" 
href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>signature algorithm consisting 
of a digest and encryption algorithm. The digest algorithm is used to calculate 
the digest of the SignedInfo element and the encryption algorithm is used to 
sign this digest. Possible values: <a shape="rect" class="external-link" 
href="http://www.w3.org/2000/09/xmldsig#dsa-sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#dsa-sha1</a>, <a shape="rect" 
class="external-link" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>, <a shape="rect" 
class="external-link" href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; 
rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</a>, <a 
shape="rect" class="externa
 l-link" href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"; 
rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#rsa-sha384</a>, <a 
shape="rect" class="external-link" 
href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"; 
rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#rsa-sha512</a></p></td></tr><tr><td
 colspan="1" rowspan="1" class="confluenceTd"><p>digestAlgorithm</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>see description</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Digest algorithm for calculating the digest 
of the in-message body. If not specified then the digest algorithm of the 
signature algorithm is used. Possible values: <a shape="rect" 
class="external-link" href="http://www.w3.org/2000/09/xmldsig#sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#sha1</a>, <a shape="rect" 
class="external-link" href="http://www.w3.org/2001/04/xmlenc#sha256"; 
rel="nofollow">htt
 p://www.w3.org/2001/04/xmlenc#sha256</a>, <a shape="rect" 
class="external-link" href="http://www.w3.org/2001/04/xmldsig-more#sha384"; 
rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#sha384</a>, <a 
shape="rect" class="external-link" 
href="http://www.w3.org/2001/04/xmlenc#sha512"; 
rel="nofollow">http://www.w3.org/2001/04/xmlenc#sha512</a></p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>parentLocalName</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Local name of the parent of the Signature element. The 
Signature element will be added at the end of the children of the parent. 
Necessary for enveloped XML signature. If this option is null, then an 
enveloping XML signature is created. See also option 
<code>parentNamespace</code>.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>parentNamespace</p></td><
 td colspan="1" rowspan="1" class="confluenceTd"><p>String</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Namespace of the parent of the Signature 
element. See option <code>parentLocalName</code></p></td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>canonicalizationMethod</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/AlgorithmMethod.html";
 rel="nofollow">javax.xml.crypto.AlgorithmMethod</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>C14n</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Canonicalization method used to canonicalize the 
SignedInfo element before the digest is calculated. You can use the helper 
methods <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apac
 he/camel/component/xmlsecurity/api/XmlSignatureHelper.java" 
rel="nofollow">XmlSignatureHelper</a>.getCanonicalizationMethod(String 
algorithm) or getCanonicalizationMethod(String algorithm, List&lt;String&gt; 
inclusiveNamespacePrefixes) to create a canonicalization 
method.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>transformMethods</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>List&lt;javax.xml.crypto.AlgorithmMethod&gt;</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>see description</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Transforms which are executed 
on the message body before the digest is calculated. By default, C14n is added 
and in the case of enveloped signature (see option 
<code>parentLocalName</code>) also <a shape="rect" class="external-link" 
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a> is 
added at position 0 of the 
 list. Use methods in <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java";
 rel="nofollow">XmlSignatureHelper</a> to create the transform 
methods.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>prefixForXmlSignatureNamespace</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>ds</code></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Prefix for the XML signature namespace. If 
<code>null</code> is specified or an empty string then no prefix is used for 
the signature namespace.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>contentReferenceUri</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>see description</p></td><td colspan="1" ro
 wspan="1" class="confluenceTd"><p>The URI of the reference to the signed 
content (in-message body). If <code>null</code> and we are in the enveloped XML 
signature case then the URI is set to "". If <code>null</code> and we are in 
the enveloping XML signature case then the URI is set to "generated_object_id" 
which means that the reference points to the Object element containing the 
in-message body. You can use this option to reference a specific part in your 
in-message body if you do not want to sign the complete in-message body. This 
value can be overwritten by the header "CamelXmlSignatureContentReferenceUri". 
Please be aware, if you want to use a value of an XML ID attribute (example: 
"#ID_value"), then you must provide the information about the ID attribute via 
a doctype definition contained in the input XML document. This option is 
ignored in the case of detached signature when the option 
<em>xpathsToIdAttributes </em>is set.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="c
 onfluenceTd"><p>contentReferenceType</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Value of the type attribute of the content reference. 
This value can be overwritten by the header 
"CamelXmlSignatureContentReferenceType"</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>plainText</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.FALSE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator whether the in-message body contains plain 
text. Normally, the signature generator treats the incoming message body as 
XML. If the message body is plain text, then you must set this option to 
<code>true</code>. The value can be overwritten by the header 
"CamelXmlSignatureMessageIsPlainText".</p></td></tr><tr><td colspan="1" 
rowspan="1" c
 lass="confluenceTd"><p>plainTextEncoding</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Only used when the option <code>plainText</code> is set 
to <code>true</code>. Then you can specify the encoding of the plain text. If 
<code>null</code> then UTF-8 is used. The value can be overwritten by the 
header "CamelXmlSignatureMessageIsPlainTextEncoding".</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>properties</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java";
 rel="nofollow">XmlSignatureProperties</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenc
 eTd"><p>For adding additional References and Objects to the XML signature 
which contain additional properties, you can provide a bean which implements 
the <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java";
 rel="nofollow">XmlSignatureProperties</a> interface.</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>contentObjectId</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Value of the Id attribute of the Object element. Only 
used in the enveloping XML signature case. If <code>null</code> then a unique 
value is generated. Available as of 
<strong>2.12.2</strong></p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">xpathsToIdAttributes</td><td colspan="1" rowspan="1
 " class="confluenceTd">List&lt;<span style="line-height: 
1.4285715;">XPathFilterParameterSpec</span>&gt;</td><td colspan="1" rowspan="1" 
class="confluenceTd">empty list</td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>Since 2.14.0</strong>. List of XPATH expressions 
to ID attributes of elements to be signed. Used for the detached XML 
Signatures. Can only be used in combination with the option 
<em>schemaResourceUri. </em><span>The value can be overwritten by the header 
"CamelXmlSignatureXpathsToIdAttributes". If the option 
<span><em>parentLocalName</em> is set at the same time then an exception is 
thrown. The class <em>XPathFilterParameterSpec </em>has the package 
<em>javax.xml.crypto.dsig.spec</em>. For further information, s</span><span>ee 
sub-chapter "Detached XML Signatures as Siblings of the Signed 
Elements".</span></span></td></tr></tbody></table></div><h3 
id="XMLSecuritycomponent-VerifyingOptions">Verifying Options</h3><p>The 
verifier endpoint has the following opt
 ions.</p><div class="confluenceTableSmall"></div><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>keySelector</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/KeySelector.html";
 rel="nofollow">javax.xml.crypto.KeySelector</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Provides the key for validating the XML signature. 
There is an example implementation which uses a keystore, see <a shape="rect" 
class="external-link" href="https://github.com/apache/cam
 
el/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeySelector.java"
 rel="nofollow">DefaultKeySelector</a>.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>xmlSignatureChecker</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureChecker.java";
 rel="nofollow">XmlSignatureChecker</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>This interface allows the application to check the XML 
signature before the validation is executed. This step is recommended in <a 
shape="rect" class="external-link" 
href="http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed"; 
rel="nofollow">http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed</
 a></p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>validationFailedHandler</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/ValidationFailedHandler.java";
 rel="nofollow">ValidationFailedHandler</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultValidationFailedHandler.java";
 rel="nofollow">DefaultValidationFailedHandler</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Handles the different validation failed 
situations. The default implementation throws specific exceptions for the 
different situations (All exceptions have the package name 
<code>org.apache.camel.component.xmlsecu
 rity.api</code> and are a sub-class of 
<code>XmlSignatureInvalidException</code>. If the signature value validation 
fails, a <code>XmlSignatureInvalidValueException</code> is thrown. If a 
reference validation fails, a 
<code>XmlSignatureInvalidContentHashException</code> is thrown. For more 
detailed information, see the JavaDoc.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>xmlSignature2Message</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignature2Message.java";
 rel="nofollow">XmlSignature2Message</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultXmlSignature2Message.java";
 rel="nof
 ollow">DefaultXmlSignature2Message</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Bean which maps the XML signature to the ouput-message 
after the validation. How this mapping should be done can be configured by the 
options <code>outputNodeSearchType</code>, <code>outputNodeSearch</code>, and 
<code>removeSignatureElements</code>. The default implementation offers three 
possibilities which are related to the three output node search types 
"Default", "ElementName", and "XPath". The default implementation determines a 
node which is then serialized and set to the body of the ouput message. If the 
search type is "ElementName" then the ouput node (which must be in this case an 
element) is determined by the local name and namespace defined in the search 
value (see option <code>outputNodeSearch</code>). If the search type is "XPath" 
then the output node is determined by the XPath specified in the search value 
(in this case the ouput node can be of type "Element", "TextNode"
  or "Document"). If the output node search type is "Default" then the 
following rules apply: In the enveloped XML signature case (there is a 
reference with URI="" and transform 
"http://www.w3.org/2000/09/xmldsig#enveloped-signature";), the incoming XML 
document without the Signature element is set to the output message body. In 
the non-enveloped XML signature case, the message body is determined from a 
referenced Object; this is explained in more detail in chapter "Output Node 
Determination in Enveloping XML Signature Case".</p></td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>outputNodeSearchType</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>"Default"</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Determines the type of the search of the output node. 
See option <code>xmlSignature2Message</code>. The default implementation 
<code>DefaultXmlSignature2Message</code> supports the
  three search types "Default", "ElementName", and 
"XPath".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>outputNodeSearch</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Object</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Search value of the output node search. The type 
depends on the search type. For the default search implementation 
<code>DefaultXmlSignature2Message</code> the following values can be supplied. 
If the search type is "Default", then the search value is not used. If the 
search type is "ElementName", then the search value contains the namespace and 
local name of the output element. The namespace must be embraced in brackets. 
If the search type is "XPath", the search value contains an instance of 
<code>javax.xml.crypto.dsig.spec.XPathFilterParameterSpec</code> which 
represents an XPath. You can create such an instance via the method <code><a 
shape="rect" c
 lass="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java";
 rel="nofollow">XmlSignatureHelper</a></code><code>.getXpathFilter(String 
xpath, Map&lt;String, String&gt; namespaceMap)</code>. The XPath determines the 
output node which can be of type Element, TextNode, or 
Document.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>removeSignatureElements</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.FALSE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator for removing Signature elements in the output 
message in the enveloped XML signature case. Used in the 
<code>XmlSignature2Message</code> instance. The default implementation does use 
this indicator for the two search types "ElementName" and 
"XPath".</p></td></tr><tr><td colspan="1" rowspan="
 1" class="confluenceTd"><p>secureValidation</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.TRUE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Enables secure validation. If true then secure 
validation is enabled - see <a shape="rect" class="external-link" 
href="http://santuario.apache.org/java150releasenotes.html";>here</a> for more 
information.</p></td></tr></tbody></table></div><h4 
id="XMLSecuritycomponent-OutputNodeDeterminationinEnvelopingXMLSignatureCase">Output
 Node Determination in Enveloping XML Signature Case</h4><p>After the 
validation the node is extracted from the XML signature document which is 
finally returned to the output-message body. In the enveloping XML signature 
case, the default implementation <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/a
 pi/DefaultXmlSignature2Message.java" 
rel="nofollow">DefaultXmlSignature2Message</a> of <a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignature2Message.java";
 rel="nofollow">XmlSignature2Message</a> does this for the node search type 
"Default" in the following way (see option 
<code>xmlSignature2Message</code>):</p><p>First an Object reference is 
determined:</p><ul><li>Only same document references are taken into account 
(URI must start with '#')</li><li>Also indirect same document references to an 
object via manifest are taken into account.</li><li>The resulting number of 
Object references must be 1.</li></ul><p>Then, the Object is dereferenced and 
the Object must only contain one XML element. This element is returned as 
output node.</p><p>This does mean that the enveloping XML signature must have 
either the structure</p><div class="code panel pdl" style="
 border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>For the signing process, a private key is necessary. You 
specify a key accessor bean which provides this private key. For the 
validation, the corresponding public key is necessary; you specify a key 
selector bean which provides this public key.</p><p>The key accessor bean must 
implement the <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java";
 rel="nofollow">KeyAccessor</a> interface. The package 
<code>org.apache.camel.component.xmlsecurity.api</code> contains the default 
implementation class <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeyAccessor.java";
 rel="nofollow">DefaultKeyAccessor</a> which reads the private key from a Java 
keystore.</p><p>The key selector bean must implement the <a shape="re
 ct" class="external-link" 
href="http://docs.oracle.com/javase/6/docs/api/javax/xml/crypto/KeySelector.html";
 rel="nofollow">javax.xml.crypto.KeySelector</a> interface. The package 
<code>org.apache.camel.component.xmlsecurity.api</code> contains the default 
implementation class <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeySelector.java";
 rel="nofollow">DefaultKeySelector</a> which reads the public key from a 
keystore.</p><p>In the example, the default signature algorithm <code><a 
shape="rect" class="external-link" 
href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a></code> is used. 
You can set the signature algorithm of your choice by the option 
<code>signatureAlgorithm</code> (see below). The signer endpoint creates an 
<strong>enveloping</strong> XML signature. If you want to create an <str
 ong>enveloped</strong> XML signature then you must specify the parent element 
of the Signature element; see option <code>parentLocalName</code> for more 
details.</p><p>For creating <strong>detached</strong> XML signatures, see 
sub-chapter "Detached XML Signatures as Siblings of the Signed 
Elements".</p><h3 
id="XMLSecuritycomponent-CommonSigningandVerifyingOptions">Common Signing and 
Verifying Options</h3><p>There are options which can be used for both 
endpoints, signer and verifier.</p><div class="confluenceTableSmall"></div><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>uriDereferencer</p></td><td colspan="1" 
rowspan="1" class="confluence
 Td"><p><a shape="rect" class="external-link" 
href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/URIDereferencer.html";
 rel="nofollow">javax.xml.crypto.URIDereferencer</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>URI dereferencer. You can specify here your own URI 
dereferencer, if you want to restrict the dereferencing or have special 
requirements for dereferencing.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>baseUri</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Base URI used in the URI dereferencer. Relative URIs 
are concatenated with the base URI.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>cryptoContextProperties</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Map&lt;String, ? exten
 ds Object&gt;</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Crypto context properties. See 
<code>javax.xml.crypto.XMLCryptoContext.setProperty(String, Object)</code>. The 
properties can depend on the provider. For example, the JDK provider "XMLDSig" 
has the property "org.jcp.xml.dsig.validateManifests" for enabling manifest 
validation. The following properties are set by default to the value 
<code>Boolean.TRUE</code> for the XML verifier: 
"<code>org.jcp.xml.dsig.validateManifests</code>", 
"<code>javax.xml.crypto.dsig.cacheReference</code>". If the option 
<code>secureValidation} is {{true</code> then additionally the properties 
"<code>org.apache.jcp.xml.dsig.secureValidation</code>" and 
"<code>org.jcp.xml.dsig.secureValidation</code>" are set to 
<code>Boolean.TRUE</code> for the XML verifier. If you want to switch these 
features off you must set the property values to 
<code>Boolean.FALSE</code>.</p></td></
 tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>disallowDoctypeDecl</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.TRUE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator whether DTD DOCTYPE declarations shall be 
disallowed in the incoming XML message.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>omitXmlDeclaration</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.FALSE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator whether the XML declaration header shall be 
omitted in the output XML message.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>clearHeaders</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.TRUE</p></td><td colspan="1"
  rowspan="1" class="confluenceTd"><p>Indicator whether the XML signature 
message headers defined in <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureConstants.java";
 rel="nofollow">XmlSignatureConstants</a> shall be deleted at the end of the 
signer or verifier processing.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">schemaResourceUri</td><td colspan="1" rowspan="1" 
class="confluenceTd">String</td><td colspan="1" rowspan="1" 
class="confluenceTd">null</td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>Since 2.14.0</strong>. Classpath to the XML Schema 
file. If set then the XML document is validated against the XML schema. Must be 
set in the case of detached signatures in order to determine the attributes of 
type ID. <span>This value can be overwritten by the header 
"<code>CamelXmlSignatureSchemaResourceUri</code>". <span
 >For further information, s</span><span>ee sub-chapter "Detached XML 
 >Signatures as Siblings of the Signed 
 >Elements".</span></span></td></tr></tbody></table></div><h3 
 >id="XMLSecuritycomponent-SigningOptions">Signing Options</h3><p>The signer 
 >endpoint has the following options.</p><div 
 >class="confluenceTableSmall"></div><div class="table-wrap"><table 
 >class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
 >rowspan="1" class="confluenceTd"><p>keyAccessor</p></td><td colspan="1" 
 >rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
 >href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java";
 > rel="nofollow">K
 eyAccessor</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Provides the signing key and the KeyInfo instance. 
There is an example implementation which uses a keystore, see <a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeyAccessor.java";
 rel="nofollow">DefaultKeyAccessor</a></p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>addKeyInfoReference</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.TRUE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator whether a Reference element refering the 
KeyInfo element provided by the key accessor should be added to the XML 
signature.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>signatureAlgor
 ithm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>signature algorithm consisting 
of a digest and encryption algorithm. The digest algorithm is used to calculate 
the digest of the SignedInfo element and the encryption algorithm is used to 
sign this digest. Possible values: <a shape="rect" class="external-link" 
href="http://www.w3.org/2000/09/xmldsig#dsa-sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#dsa-sha1</a>, <a shape="rect" 
class="external-link" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>, <a shape="rect" 
class="external-link" href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; 
rel="nofollow">http://www.w3.org/20
 01/04/xmldsig-more#rsa-sha256</a>, <a shape="rect" class="external-link" 
href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"; 
rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#rsa-sha384</a>, <a 
shape="rect" class="external-link" 
href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"; 
rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#rsa-sha512</a></p></td></tr><tr><td
 colspan="1" rowspan="1" class="confluenceTd"><p>digestAlgorithm</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>see description</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Digest algorithm for calculating the digest 
of the in-message body. If not specified then the digest algorithm of the 
signature algorithm is used. Possible values: <a shape="rect" 
class="external-link" href="http://www.w3.org/2000/09/xmldsig#sha1"; 
rel="nofollow">http://www.w3.org/2000/09/xmldsig#sha1</a>, <a shape="rect" 
class="external-link" 
 href="http://www.w3.org/2001/04/xmlenc#sha256"; 
rel="nofollow">http://www.w3.org/2001/04/xmlenc#sha256</a>, <a shape="rect" 
class="external-link" href="http://www.w3.org/2001/04/xmldsig-more#sha384"; 
rel="nofollow">http://www.w3.org/2001/04/xmldsig-more#sha384</a>, <a 
shape="rect" class="external-link" 
href="http://www.w3.org/2001/04/xmlenc#sha512"; 
rel="nofollow">http://www.w3.org/2001/04/xmlenc#sha512</a></p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>parentLocalName</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Local name of the parent of the Signature element. The 
Signature element will be added at the end of the children of the parent. 
Necessary for enveloped XML signature. If this option is null, then an 
enveloping XML signature is created. See also option 
<code>parentNamespace</code>.</p></td></tr><tr><td colspan=
 "1" rowspan="1" class="confluenceTd"><p>parentNamespace</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Namespace of the parent of the Signature element. See 
option <code>parentLocalName</code></p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>canonicalizationMethod</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/AlgorithmMethod.html";
 rel="nofollow">javax.xml.crypto.AlgorithmMethod</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>C14n</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Canonicalization method used to canonicalize the 
SignedInfo element before the digest is calculated. You can use the helper 
methods <a shape="rect" class="external-link" 
href="https://github.com/apache/came
 
l/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java"
 rel="nofollow">XmlSignatureHelper</a>.getCanonicalizationMethod(String 
algorithm) or getCanonicalizationMethod(String algorithm, List&lt;String&gt; 
inclusiveNamespacePrefixes) to create a canonicalization 
method.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>transformMethods</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>List&lt;javax.xml.crypto.AlgorithmMethod&gt;</p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p>see description</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Transforms which are executed 
on the message body before the digest is calculated. By default, C14n is added 
and in the case of enveloped signature (see option 
<code>parentLocalName</code>) also <a shape="rect" class="external-link" 
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"; 
rel="nofollow">http://www.w3.org/2000/
 09/xmldsig#enveloped-signature</a> is added at position 0 of the list. Use 
methods in <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java";
 rel="nofollow">XmlSignatureHelper</a> to create the transform 
methods.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>prefixForXmlSignatureNamespace</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code>ds</code></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Prefix for the XML signature namespace. If 
<code>null</code> is specified or an empty string then no prefix is used for 
the signature namespace.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>contentReferenceUri</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" c
 lass="confluenceTd"><p>see description</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The URI of the reference to the signed content 
(in-message body). If <code>null</code> and we are in the enveloped XML 
signature case then the URI is set to "". If <code>null</code> and we are in 
the enveloping XML signature case then the URI is set to "generated_object_id" 
which means that the reference points to the Object element containing the 
in-message body. You can use this option to reference a specific part in your 
in-message body if you do not want to sign the complete in-message body. This 
value can be overwritten by the header "CamelXmlSignatureContentReferenceUri". 
Please be aware, if you want to use a value of an XML ID attribute (example: 
"#ID_value"), then you must provide the information about the ID attribute via 
a doctype definition contained in the input XML document. This option is 
ignored in the case of detached signature when the option 
<code>xpathsToIdAttributes
  </code>is set.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>contentReferenceType</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Value of the type attribute of the content reference. 
This value can be overwritten by the header 
"<code>CamelXmlSignatureContentReferenceType</code>"</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>plainText</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean.FALSE</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Indicator whether the in-message body 
contains plain text. Normally, the signature generator treats the incoming 
message body as XML. If the message body is plain text, then you must set this 
option to <code>true</code>. The value can be overwritten by the header "Ca
 melXmlSignatureMessageIsPlainText".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>plainTextEncoding</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Only used when the option <code>plainText</code> is set 
to <code>true</code>. Then you can specify the encoding of the plain text. If 
<code>null</code> then UTF-8 is used. The value can be overwritten by the 
header 
"<code>CamelXmlSignatureMessageIsPlainTextEncoding</code>".</p></td></tr><tr><td
 colspan="1" rowspan="1" class="confluenceTd"><p>properties</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java";
 rel="nofollow">XmlSignatureProperties</a></p></td><td colspan="1
 " rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>For adding additional References and Objects to the XML 
signature which contain additional properties, you can provide a bean which 
implements the <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java";
 rel="nofollow">XmlSignatureProperties</a> interface.</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>contentObjectId</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Value of the Id attribute of the Object element. Only 
used in the enveloping XML signature case. If <code>null</code> then a unique 
value is generated. Available as of 
<strong>2.12.2</strong></p></td></tr><tr><td c
 olspan="1" rowspan="1" class="confluenceTd">xpathsToIdAttributes</td><td 
colspan="1" rowspan="1" class="confluenceTd">List&lt;<span style="line-height: 
1.4285715;">XPathFilterParameterSpec</span>&gt;</td><td colspan="1" rowspan="1" 
class="confluenceTd">empty list</td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>Since 2.14.0</strong>. List of XPATH expressions 
to ID attributes of elements to be signed. Used for the detached XML 
Signatures. Can only be used in combination with the option 
<code>schemaResourceUri</code><em>. </em><span>The value can be overwritten by 
the header "<code>CamelXmlSignatureXpathsToIdAttributes</code>". If the option 
<span><code>parentLocalNam</code><em>e</em> is set at the same time then an 
exception is thrown. The class <code>XPathFilterParameterSpec </code>has the 
package <code>javax.xml.crypto.dsig.spec</code>. For further information, 
s</span><span>ee sub-chapter "Detached XML Signatures as Siblings of the Signed 
Elements".</span></span></td>
 </tr><tr><td colspan="1" rowspan="1" class="confluenceTd">signatureId</td><td 
colspan="1" rowspan="1" class="confluenceTd">String</td><td colspan="1" 
rowspan="1" class="confluenceTd">null</td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>Since 2.14.0</strong>. Value of the Id attribute 
of the Signature element. If <code>null</code> then a unique Id is generated. 
If the value is the empty string ("") then no Id attribute is added to the 
Signature element.</td></tr></tbody></table></div><h3 
id="XMLSecuritycomponent-VerifyingOptions">Verifying Options</h3><p>The 
verifier endpoint has the following options.</p><div 
class="confluenceTableSmall"></div><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p><
 /th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>keySelector</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/KeySelector.html";
 rel="nofollow">javax.xml.crypto.KeySelector</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Provides the key for validating the XML signature. 
There is an example implementation which uses a keystore, see <a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeySelector.java";
 rel="nofollow">DefaultKeySelector</a>.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>xmlSignatureChecker</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apac
 
he/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureChecker.java"
 rel="nofollow">XmlSignatureChecker</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>This interface allows the application to check the XML 
signature before the validation is executed. This step is recommended in <a 
shape="rect" class="external-link" 
href="http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed"; 
rel="nofollow">http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed</a></p></td></tr><tr><td
 colspan="1" rowspan="1" 
class="confluenceTd"><p>validationFailedHandler</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/ValidationFailedHandler.java";
 rel="nofollow">Valida
 tionFailedHandler</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultValidationFailedHandler.java";
 rel="nofollow">DefaultValidationFailedHandler</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Handles the different validation failed 
situations. The default implementation throws specific exceptions for the 
different situations (All exceptions have the package name 
<code>org.apache.camel.component.xmlsecurity.api</code> and are a sub-class of 
<code>XmlSignatureInvalidException</code>. If the signature value validation 
fails, a <code>XmlSignatureInvalidValueException</code> is thrown. If a 
reference validation fails, a 
<code>XmlSignatureInvalidContentHashException</code> is thrown. For more 
detailed information, see the JavaDoc.</p></td></tr><tr><td colspan="1" 
rowspan="1" class=
 "confluenceTd"><p>xmlSignature2Message</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignature2Message.java";
 rel="nofollow">XmlSignature2Message</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultXmlSignature2Message.java";
 rel="nofollow">DefaultXmlSignature2Message</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Bean which maps the XML signature to the 
ouput-message after the validation. How this mapping should be done can be 
configured by the options <code>outputNodeSearchType</code>, 
<code>outputNodeSearch</code>, and <code>removeSignatureElements</code>. The 
default implementation offer
 s three possibilities which are related to the three output node search types 
"Default", "ElementName", and "XPath". The default implementation determines a 
node which is then serialized and set to the body of the ouput message. If the 
search type is "ElementName" then the ouput node (which must be in this case an 
element) is determined by the local name and namespace defined in the search 
value (see option <code>outputNodeSearch</code>). If the search type is "XPath" 
then the output node is determined by the XPath specified in the search value 
(in this case the ouput node can be of type "Element", "TextNode" or 
"Document"). If the output node search type is "Default" then the following 
rules apply: In the enveloped XML signature case (there is a reference with 
URI="" and transform "http://www.w3.org/2000/09/xmldsig#enveloped-signature";), 
the incoming XML document without the Signature element is set to the output 
message body. In the non-enveloped XML signature case, the message bo
 dy is determined from a referenced Object; this is explained in more detail in 
chapter "Output Node Determination in Enveloping XML Signature 
Case".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>outputNodeSearchType</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>String</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>"Default"</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Determines the type of the search of the output node. 
See option <code>xmlSignature2Message</code>. The default implementation 
<code>DefaultXmlSignature2Message</code> supports the three search types 
"Default", "ElementName", and "XPath".</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>outputNodeSearch</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Object</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>null</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Search value of the output node search. The 
 type depends on the search type. For the default search implementation 
<code>DefaultXmlSignature2Message</code> the following values can be supplied. 
If the search type is "Default", then the search value is not used. If the 
search type is "ElementName", then the search value contains the namespace and 
local name of the output element. The namespace must be embraced in brackets. 
If the search type is "XPath", the search value contains an instance of 
<code>javax.xml.crypto.dsig.spec.XPathFilterParameterSpec</code> which 
represents an XPath. You can create such an instance via the method <code><a 
shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java";
 rel="nofollow">XmlSignatureHelper</a></code><code>.getXpathFilter(String 
xpath, Map&lt;String, String&gt; namespaceMap)</code>. The XPath determines the 
output node which can be of type Element, Text
 Node, or Document.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>removeSignatureElements</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.FALSE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicator for removing Signature elements in the output 
message in the enveloped XML signature case. Used in the 
<code>XmlSignature2Message</code> instance. The default implementation does use 
this indicator for the two search types "ElementName" and 
"XPath".</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>secureValidation</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Boolean.TRUE</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Enables secure validation. If true then secure 
validation is enabled - see <a shape="rect" class="external-link" 
href="http://santuario.
 apache.org/java150releasenotes.html">here</a> for more 
information.</p></td></tr></tbody></table></div><h4 
id="XMLSecuritycomponent-OutputNodeDeterminationinEnvelopingXMLSignatureCase">Output
 Node Determination in Enveloping XML Signature Case</h4><p>After the 
validation the node is extracted from the XML signature document which is 
finally returned to the output-message body. In the enveloping XML signature 
case, the default implementation <a shape="rect" class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultXmlSignature2Message.java";
 rel="nofollow">DefaultXmlSignature2Message</a> of <a shape="rect" 
class="external-link" 
href="https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignature2Message.java";
 rel="nofollow">XmlSignature2Message</a> does this for the node search type 
"Default" in the f
 ollowing way (see option <code>xmlSignature2Message</code>):</p><p>First an 
Object reference is determined:</p><ul><li>Only same document references are 
taken into account (URI must start with '#')</li><li>Also indirect same 
document references to an object via manifest are taken into 
account.</li><li>The resulting number of Object references must be 
1.</li></ul><p>Then, the Object is dereferenced and the Object must only 
contain one XML element. This element is returned as output node.</p><p>This 
does mean that the enveloping XML signature must have either the 
structure</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[    &lt;Signature&gt;
           &lt;SignedInfo&gt;
              &lt;Reference URI=&quot;#object&quot;/&gt;


Reply via email to