Friday, 11 September 2009

.. Apache XML Security v 1.4.3 and Java 6

It is not easy to get this combination up and running. Java 6 contains an XML Signature implementation (JCP105). The implementation is based on XML Signature Syntax and Processing v1.0. This version does not contain the strong SHA-2 message digest function family; that family is supported in v1.1 of the spec, which is a draft at this time. If you want to use a strong digest algorithm, you have to override the default XML Signature implementation by installing the Apache XML Security package. The packages have to be installed into the endorsed directory of your JRE. Several drawbacks still remain. Here they are:

  1. The SHA-2 digest family is supported in a standard way, but the constants are hidden inside an internal class hierarchy.

  2. commons-logging fails to initialize due to modified behavior of JRE6 which uses. The chain of calls this.getClass().getClassLoader() surprisingly returns null, because the class from the endorsed dir is loaded by the bootstrap classloader.



Problem 1) can be solved by using either strings copied directly from the spec or a constant such as org.apache.xml.security.signature.XMLSignature.ALGO_ID_MAC_HMAC_SHA256.

Problem 2) is solved by replacing the commons-logging included in the XMLSig distribution with the newest one (1.1.1) from the commons-logging homepage.