axis-java-dev mailing list archives

From Davanum Srinivas <d...@yahoo.com>
Subject Re: Axis and security (was: Forrest Layout 1.4)
Date Tue, 08 Jan 2002 02:14:50 GMT
Christian,

Spent some time on the two samples CreateSignature.java and VerifySignature.java. The first
sample creates signature.xml and the second one looks for hereSignature.xml... So I had to
rename the generated signature.xml and feed it to VerifySignature.java. Is this right? If yes,
I will try to spend some time tomorrow to bootstrap you with SimpleAxisServer with a custom
Handler and some client code.

Thanks,
dims

--- Christian Geuer-Pollmann <maillist@nue.et-inf.uni-siegen.de> wrote:
> Hi Davanum,
> 
> I implemented the "XML Signature" spec [1] which is now available under 
> [2]. The distribution contains some examples how XML Signature can be 
> created and verified. These are stand-alone-examples which create a DOM 
> structure, sign it and write it to a file or verify an existing Signature. 
> Well, these examples are quite nice to demonstrate how signatures are 
> created and verified, but I wanted to add code on how a SOAP message can be 
> signed (at the client) and verified (at the server's side). The "SOAP 
> Security Extensions: Digital Signature" [3] describe how XML Signatures are 
> 'embedded' into a SOAP message.
> 
> Well, I'm not a SOAP guru and I don't want to spend weeks installing Tomcat 
> and learning how to create SOAP messages. It would be nice to get a small 
> 'stand-alone-client' and possibly (like Sam showed) a server which gives me 
> access to the Message: The client creates a request, and before sending 
> this request, I can sign it and put the Signature into the Envelope. The 
> server side the same: The server gets a request and before 
> processing/dispatching it, I can verify whether the Signature is valid (for 
> demonstration purposes using a sample certificate).
> 
> A second problem was: Should I provide such an example for "Apache SOAP" or 
> "Apache AXIS"?
> 
> Maybe this gives an idea about it. BTW; if you wanna see how such an 
> example could look like: [4]
> 
> Regards,
> Christian
> 
> [1] http://www.w3.org/TR/xmldsig-core/
> [2] http://xml.apache.org/security/index.html
> [3] http://www.w3.org/TR/SOAP-dsig/
> [4] http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xml/security/samples/signature/CreateSignature.java
> 
> --On Monday, 7 January 2002 07:19 -0800 Davanum Srinivas <dims@yahoo.com> wrote:
> 
> > Can you elaborate a bit more on your thoughts? An overview of how you
> > think we can make SOAP more secure using xml-security...This will help
> > generate more ideas.
> >
> > Thanks,
> > dims
> >
> > --- Sam Ruby <rubys@us.ibm.com> wrote:
> >> Note: I'm cross posting to Axis dev.  Please continue the discussion
> >> there.
> >>
> >> Christian Geuer-Pollmann wrote:
> >> >
> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play around
> >> > with these tools. I asked soap-user and soap-dev how I can directly
> >> > access the soap message as a DOM tree to add a SOAP-SECURITY
> >> > signature. Unfortunately no response. I want to add an example to
> >> > xml-security how a SOAP message can be signed and this signature can
> >> > be verified according to [1]. If there is someone out there who can
> >> > show me how to create a simple SOAP msg using AXIS and how I can
> >> > modify the resulting DOM tree, I'll provide this example. The only
> >> > thing that stopped me was installing tomcat and all these things.
> 


=====
Davanum Srinivas - http://jguru.com/dims/
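
The client-signs, server-verifies flow Christian describes in the quoted message, as an added example that is not code from this thread, from xml-security or from Axis: it uses the JDK's built-in `javax.xml.crypto.dsig` API (Java 11 or later) on a constructed SOAP 1.1 request with a throwaway RSA key. As a simplification it places `ds:Signature` directly in the SOAP header rather than in the wrapper element the SOAP-DSIG note [3] defines; the class name and the `urn:example` payload are made up.

```java
import java.io.StringReader;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SoapSignDemo {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed request; the urn:example namespace and getQuote element are made up.
    static final String REQUEST = "<soap:Envelope xmlns:soap='" + SOAP_NS + "'><soap:Header/>"
        + "<soap:Body><ex:getQuote xmlns:ex='urn:example'>IBM</ex:getQuote></soap:Body></soap:Envelope>";
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML Signature processing
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs/XXE
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(REQUEST)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway demo key pair
        // Client side: sign the whole envelope and place ds:Signature in the SOAP header.
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(SignatureMethod.RSA_SHA256, null), Collections.singletonList(ref));
        Node header = doc.getElementsByTagNameNS(SOAP_NS, "Header").item(0);
        f.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), header));
        // Server side: verify before dispatching, then show that a modified body is rejected.
        System.out.println("as sent:  " + verify(f, doc, kp.getPublic()));
        doc.getElementsByTagNameNS("urn:example", "getQuote").item(0).setTextContent("MSFT");
        System.out.println("modified: " + verify(f, doc, kp.getPublic()));
    }

    // Verifies against a key the server already trusts, not a key carried in the message.
    static boolean verify(XMLSignatureFactory f, Document doc, PublicKey trusted) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false; // missing or ambiguous signature: reject
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trusted), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        return f.unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```

In an Axis deployment the signing half would run in a client-side handler and `verify` in a server-side handler ahead of dispatch, with the trusted key taken from the server's own key store.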
