XPath Filter 2.0 Transform - Security

The XPath Filter 1.0 Transform described in the preceding section allows for any type of XPath expression to be used. The underlying usage for XPath Filter 1.0 is often either to explicitly include some fragment of a document to be signed or to explicitly exclude some part of the document that could legitimately change without breaking the signature of the document. For example, say you want to have two signatures that are not co-signatures (one signature does not include the other). To do this, you would use an XPath statement to exclude the other signatures (and the Enveloped Signature Transform to exclude the current signature). These are "set" type functions that often require fairly complex XPath statements to accomplish. The XPath Filter 2.0 Transform adds the capability to shortcut these common types of XPath statements by specifying intersection, union, and subtraction. For example, to remove another signature, you would use the following XPath 2.0 filter:

<XPath Filter="subtract" xmlns="http://www.w3.org/2002/06/xmldsig-filter2"> id("TheOtherSignature")
</XPath>

On the other hand, if the goal is to sign the other signature, such as when a counter-signature is desired, you might use the following:

<XPath Filter="intersect" xmlns="http://www.w3.org/2002/06/xmldsig-filter2"> id("TheOtherSignature")
</XPath>

Using these intersect, subtract, and union set operations can be cleaner than using the equivalent XPath statements, and it is also possible for the Signature processor to work more efficiently. You can find an excellent example of the XPath Filter 2.0 Transform using the three set operators at the following location:

The Reference URI when using the XPath Filter 2.0 Transform must be an XML document. Often, it is the current document URI (URI="" without comments or URI="#xpointer[/]" with comments). This Transform takes in and returns an XML nodeset.