axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yuhichi Nakamura" <>
Subject Re: Signed SOAP messages & handling secuirty
Date Fri, 27 Apr 2001 00:53:46 GMT

Hi James,
As David Melger mentioned, our TRL proposal intended to provide an example
demonstrate the Axis handler chain.  At this moment, we are not going to
include it in Axis.  Therefore, it is not apporpriate to have our TRL stuff
in cvs repository now.  I would pull it out.
Thanks very much.
Best regards,

Yuhichi Nakamura
IBM Tokyo Research Laboratory
Tel: +81-462-73-4668

From: James Casbon <> on 2001/04/26 23:37

Please respond to

To:   "''" <>
Subject:  Signed SOAP messages & handling secuirty

I saw with interest the TRL proposal in the nightly build I downloaded.  Is
the intention to include signed messages as part of Axis?

If it is to be included, it seems strange to base this on xss4j for two

xss4j is not open source & requires license fee
xss4j does not allow for integration with cryptoki (and cannot be modified
as it is not open source).

Further, the Signature class currently only allows for the attachment of
certificate.  Should it not offer a way of including an entire certificate
chain for trust verification?

I also cannot see anything in the SOAP specifications that details how
security is to be handled.  I mean, to offer a secure RPC handler would you
chain to handlers: have a security handler and a rpc handler and let the
security handler verify a call?

Consider a banking service that offers a transfer method.  The user makes a
call to a method such as:

     makeTransfer( int sourceAccount, int destinationAccount, float

he then signs the call to indicate he is authorised to transfer from the
source account and posts the SOAP message

The message arrives at the server, and the security handler verifies his
digital signature.  What we need now is a standard way of including this
identity so that it is accessible by the method being invoked.  One
way would be to have the Security Handler insert the verified identity as a
parameter to the method call, and I have successfully applied this approach
to Apache SOAP 2.1.  But this does seem an arbritrary convention, is there
better way?



James Casbon
Software Engineer
Citria Ltd
40 Holborn Viaduct
London EC1N 2PB
United Kingdom

T: 020 7832 3185
M: 07968 055943
F: 020 7832 3232
Citria Limited <>


If you are not the addressee of this confidential e-mail and any
attachments, please delete it and inform the sender; unauthorised
redistribution or publication is prohibited.
Views expressed are those of the author and do not necessarily
represent those of Citria Limited.

View raw message