> I implemented my own CallbackLookup to look up referenced elements by local id attribute.  However, the referenced elements were still
> not found by WSS4J because WSSecurityUtil. storeElementInContext does not know about references using the local "id" attribute. 

Looks like you've found a bug :-) I've fixed this on trunk by adding a new method to CallbackLookup to make the implementation responsible for setting the appropriate Id on the Context. On 1.6.x, I'm going to also register "xml:id" and "id" in WSSecurityUtil.storeElementInContext, to cater for your use-cases.

> Also, I noticed that the WSSecurityUtil.findElementById method looks for elements using both the wsu:Id and local Id attributes (note the
> capital I in Id).

"Id" is used in the XML Digital Signature specification.

Colm.


On Wed, Jul 24, 2013 at 5:48 AM, Nathan Clement <nathan.a.clement@hotmail.com> wrote:
Hi Colm,

I implemented my own CallbackLookup to look up referenced elements by local id attribute.  However, the referenced elements were still not found by WSS4J because WSSecurityUtil.storeElementInContext does not know about references using the local "id" attribute.  I don't see any way that I can override this behaviour - am I missing something?

Also, I noticed that the WSSecurityUtil.findElementById method looks for elements using both the wsu:Id and local Id attributes (note the capital I in Id).  I couldn't see this attribute anywhere in the WS-Security spec.  This seems to have been introduced in r785171.  Is this attribute required by another spec?


Thanks,

Nathan


Date: Mon, 22 Jul 2013 16:11:13 +0100
Subject: Re: WSS4J: Local id attribute and Signature References
From: coheigea@apache.org
To: dev@ws.apache.org

Hi Nathan,

I guess this is the kind of scenario that you should plug in your own CallbackLookup implementation. You can set one on the WSSecurityEngine implementation used as the starting point for WS-Security processing.

Colm.


On Fri, Jul 19, 2013 at 1:37 AM, Nathan Clement <nathan.a.clement@hotmail.com> wrote:
Hi,

The WS-Security spec says in section 4 "ID References":

However, because some key schemas used by this specification don't allow attribute extensibility (namely XML Signature and XML Encryption), this specification also allows use of their local ID attributes in addition to the wsu:Id attribute and the xml:id attribute [XMLID]

We are attempting to process an AS4 message, and the AS4 spec (http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/AS4-profile/v1.0/os/AS4-profile-v1.0-os.html) says in section 5.1.4 regarding the signature reference for the eb:Messaging header:

The eb:Messaging header SHOULD be referenced using the “id” attribute.

WSS4J doesn't seem to support looking up referenced elements by a local id attribute.  DOMCallbackLookup calls WSSecurityUtil.findElementById which only looks for wsu:Id or Id (with a capital I) with no namespace.

Should WSS4J allow lookup of a signed element by local id attribute?

i.e.

<eb:Messaging s:mustUnderstand="true" id="ebms_header" ...

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:Reference URI="#ebms_header">

Thanks,

Nathan



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com