Why is this an issue?

XML signature validations work by parsing third-party data that cannot be trusted until it is actually validated.

As with any other parsing process, unrestricted validation of third-party XML signatures can lead to security vulnerabilities. In this case, threats range from denial of service to confidentiality breaches.

By default, the Java XML Digital Signature API does not apply restrictions on XML signature validation, unless the application runs with a security manager.
To protect the application from these vulnerabilities, set the org.jcp.xml.dsig.secureValidation attribute to true with the javax.xml.crypto.dsig.dom.DOMValidateContext.setProperty method.
This attribute ensures that the code enforces the following restrictions:

Noncompliant code example

NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");

XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0)); // Noncompliant
XMLSignature signature = fac.unmarshalXMLSignature(valContext);

boolean signatureValidity = signature.validate(valContext);

Compliant solution

In order to benefit from this secure validation mode, set the DOMValidateContext’s org.jcp.xml.dsig.secureValidation property to TRUE.

NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");

XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0));
valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
XMLSignature signature = fac.unmarshalXMLSignature(valContext);

boolean signatureValidity = signature.validate(valContext);

Resources