axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Davanum Srinivas <d...@yahoo.com>
Subject Re: Axis and security
Date Tue, 08 Jan 2002 16:43:30 GMT
Christian,

I got a sample you can play with. Basically, you wanted a stand-alone sample where the client
sends a DOM and a server-side Handler that can access the DOM to do the processing...See attached
zip file for a sample. Here's how you can try it out without needing Tomcat etc...

1. Get a fresh version of xml-axis.
2. Unzip enclosed file make sure that the directory structure is overlayed with the xml-axis
directory.
3. Place activation.jar, servlet_2_2.jar, xerces-1_4_4.jar in xml-axis\java\lib directory.
(These
are big jars, let me know if you want me to send them to you off-line...)
4. Run buildAxis.bat from xml-axis\java directory.
5. Run buildSecurity.bat from xml-axis\java directory.
6. After this start another command prompt and run runServer.bat from xml-axis\java directory.
7. You can check if the server is alive and well by running "runAdmin list" command from
xml-axis\java directory. This will also give you the list of things that are deployed on the
server.
8. Next step is to deploy the server-side security pieces by running "runAdmin
security\deploy.wsdd" from xml-axis\java directory.
9. To check if the security pieces got deployed, use "runAdmin list".
10. Finally do a "runClient" from xml-axis\java directory. You will see that security.LogHandler
has added a log into MyService.log. The client code is in security.Client...

So you can add your AxisSigner code to Client.java and the AxisVerifier code to LogHandler.java,
play with it and let us know the outcome.

Thanks,
dims

--- maillist@nue.et-inf.uni-siegen.de wrote:
> Dims,
> 
> I added two samples under
> 
> CVS/xml-security/src_samples/org/apache/xml/security/samples
> 
> AxisSigner.java and AxisVerifier.java create a SOAP msg (sorry for the 
> stuupid code) and sign the Body (and verify it).
> 
> 
> 
> --On Dienstag, 8. Januar 2002 09:26 +0100 Christian Geuer-Pollmann 
> <maillist@nue.et-inf.uni-siegen.de> wrote:
> 
> > Dims,
> >
> > I'll add two samples which can easily be modified and which relate to
> > each other. I'll send you a notification about that.
> >
> > Christian
> >
> > --On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <dims@yahoo.com>
> > wrote:
> >
> >> Christian,
> >>
> >> Spent some time one the two samples CreateSignature.java and
> >> VerifySignature.java. The first samples creates signature.xml and the
> >> second one looks for hereSignature.xml....So i had to rename the generate
> >> signature.xml and feed it to VerifySignature.java. Is this right? If yes,
> >> i will try to spend some time tomorrow to bootstrap you with
> >> SimpleAxisServer with a custom Handler and some client code.
> >>
> >> Thanks,
> >> dims
> >>
> >> --- Christian Geuer-Pollmann <maillist@nue.et-inf.uni-siegen.de> wrote:
> >>> Hi Davanum,
> >>>
> >>> I implemented the "XML Signature" spec [1] which is now available under
> >>> [2]. The distribution contains some examples how XML Signature can be
> >>> created and verified. These are stand-alone-examples which create a DOM
> >>> structure, sign it and write it to a file or verify an existing
> >>> Signature.  Well, these examples are quite nice to demonstrate how
> >>> signatures are  created and verified, but I wanted to add code on how a
> >>> SOAP message can be  signed (at the client) and verified (at the
> >>> server's side). The "SOAP  Security Extensions: Digital Signature" [3]
> >>> decribe how XML Signatures are  'embedded' into a SOAP message.
> >>>
> >>> Well, I'm not a SOAP guru and I don't want to spend weeks installing
> >>> Tomcat  and learning how to create SOAP messages. It would be nice to
> >>> get a small  'stand-alone-client' and possibly (like Sam showed) a
> >>> server which gives me  access to the Message: The client creates a
> >>> request, and before sending  this request, I can sign it and put the
> >>> Signature into the Envelope. The  server side the same: The server get's
> >>> a request and before
> >>> processing/dispatching it, I can verify whether the Signature is valid
> >>> (for  demonstration purposes using a sample certificate).
> >>>
> >>> A second problem was: Should I provide such an example for "Apache SOAP"
> >>> or  "Apache AXIS"?
> >>>
> >>> Maybe this gives an idea about it. BTW; if you wanna see how such an
> >>> example could look like: [4]
> >>>
> >>> Regards,
> >>> Christian
> >>>
> >>> [1] http://www.w3.org/TR/xmldsig-core/
> >>> [2] http://xml.apache.org/security/index.html
> >>> [3] http://www.w3.org/TR/SOAP-dsig/
> >>> [4]
> >>> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xm
> >>> l/s ecurity/samples/signature/CreateSignature.java
> >>>
> >>> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas
> >>> <dims@yahoo.com>  wrote:
> >>>
> >>> > Can you elaborate a bit more on your thoughts? An overview of how you
> >>> > think we can make SOAP more secure using xml-security...This will help
> >>> > generate more ideas.
> >>> >
> >>> > Thanks,
> >>> > dims
> >>> >
> >>> > --- Sam Ruby <rubys@us.ibm.com> wrote:
> >>> >> Note: I'm cross posting to Axis dev.  Please continue the discussion
> >>> >> there.
> >>> >>
> >>> >> Christian Geuer-Pollmann wrote:
> >>> >> >
> >>> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to
play
> >>> >> > around with these tools. I asked soap-user and soap-dev how
I can
> >>> >> > directly access the soap message as a DOM tree to add a
> >>> >> > SOAP-SECURITY signature. Unfortunately no response. I want
to add
> >>> >> > an example to xml-security how a SOAP message can be signed
and
> >>> >> > this signature can be verified according to [1]. If there
is
> >>> >> > someone out there who can show me how to create a simple SOAP
msg
> >>> >> > using AXIS and how I can modify the resulting DOM tree, I'll
> >>> >> > provide this example. The only thing that stopped me was installing
> >>> >> > tomcat and all these things.
> >
> >
> > ---------------------------------------------------------------------
> > In case of troubles, e-mail:     webmaster@xml.apache.org
> > To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
> > For additional commands, e-mail: general-help@xml.apache.org
> >
> 
> 
> 
> 


=====
Davanum Srinivas - http://jguru.com/dims/

__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/
Mime
View raw message