axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Davanum Srinivas <d...@yahoo.com>
Subject Re: XML Security Job Offer: Axis Connector
Date Tue, 15 Jan 2002 17:16:26 GMT
Christian,

I definitely agree with you that verify is not enough...Yes, the sample should implement "Best
Practice(s)" related to how the xml-security code should be used. Am happy to accept patches
on
behalf of the Axis team :) The sooner we can get the full automated tests of Axis running
with
Signed Messages the better.

Thanks,
dims

--- Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de> wrote:
> Hi dims,
> 
> one thing about signed SOAP messages. The xml-security project allows you 
> to sign and verify 'resources'. It allows to to request (after you called 
> 'verify()') to find out _what_ bytes have been signed. Now the problem (not 
> a problem for unit testing but for people who really rely on that):
> 
> If you get a SOAP message with a Signature, you verify that the signature 
> is valid and then you start processing, you shoot yourself into the knee 
> because you did not check _what_ was signed. Imagine you want your server 
> only to process messages whose complete Body has been signed by the client. 
> Then you must check that the Body was signed and nothing unimportant just 
> to create a valid Signature. Maybe the discussion on the XML Signature 
> Mailing list clarifies this [1].
> 
> Note: This is OK for unit testing but for a real-world-Scenario, there must 
> be more than simply XMLSIgnature.verify(). This 'more' can be
> 
> - is the URI of the signed Resource the Body and is there no transform 
> which deleted 'bad' nodes from the document.
> - Get the bytes from the Signature object and re-parse them into a new 
> document and use THIS new document which contains the pure Body for further 
> processing (this second option is - from my point of view - the better and 
> more reliable one).
> 
> 
> Regards,
> Christian
> 
> [1] 
> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/0013.html
>  
> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/0006.html
>  
> http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/thread.html
> 
> 
> --On Montag, 14. Januar 2002 06:31 -0800 Davanum Srinivas <dims@yahoo.com> 
> wrote:
> 
> > Thanks Ted...Checked in the Patches, please cross-check.
> >
> > Also,
> > Can you please add a Client Side Handler? So that all messages are
> > "automatically" signed? One Objective is to be able to run the whole
> > automated test suite with this Handler switched on to see if anything
> > breaks in either xml-security code or in xml-axis's code. This will also
> > enable an Admin type person to ensure that SOAP messages are
> > automatically signed as the Handlers can be specified as a setup task
> > without needing to modify sources.
> 


=====
Davanum Srinivas - http://jguru.com/dims/

__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/

Mime
View raw message