axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dittmann Werner <>
Subject AW: [Axis2] Support for WSS4J ?
Date Mon, 07 Mar 2005 08:07:20 GMT

well I'm somewhat familiar with the WSS4J implementation. First
of all I would emphasize that WSS4J falls into two parts
- one part that is (should be) independent of Axis or any other
  SOAP implementation. This part handles all the necessary
  signing, encryption, certificate stuff. This part makes heavy
  use of the Apache XML security lib (xmlsec), also quite some DOM
  is involved because WSS4J needs to re-create the SOAP message 
  that was created by Axis (or another SOAP implementation) firsthand.
- the second part consists of Axis (also a JAX-RPC) handlers that
  plugin into the message path both on the client and the server
  side. This part call functions of the independent part of WSS4J.

Thus the message flow is as follows (client part):

Axis kernel  --> WSS4J JAX-RPC/Axis handler --> WSS4J modules --> wire

Between the Axis kernel and the WSS4J Axis handler there may be 
some other handlers. It is however necessary that the WSS4J handler
is the last one in the chain because after WSS handling the
message _must_ not be altered if the message was signed (at least
those parts which were signed must not be chanaged). Also it is
somewhat difficult to modify the message after it was encrypted.

The message flow at the receiver is mirrored (WSS4J shall be the
first handler in the chain). The WSS4J Axis handler (also the 
JAX-RPC handler) don't use DOM very much.

Another notable remark:
WSS4J Axis handlers rely on the way how Axis performs serialization
of messages.

The Axis WSS4J handler gets the SOAP message generated by Axis as DOM
document. Here a quote from the WSS4J Axis handler inline comments:

 * Now get the SOAP part from the request message and convert it into a
 * Document.
 * This forces Axis to serialize the SOAP request into FORM_STRING.
 * This string is converted into a document.
 * During the FORM_STRING serialization Axis performs multi-ref of
 * complex data types (if requested), generates and inserts references
 * for attachements and so on. The resulting Document MUST be the
 * complete and final SOAP request as Axis would send it over the wire.
 * Therefore this shall be the last (or only) handler in a chain.

After the handler got the SOAP request as DOM it hands it over to the
WSS4J security functions. They perform signature/encryption as requested.
The resulting DOM document is then taken by the WSS4J Axis handler,
transformed into a byte stream (using xmlsec helper functions) and then
_replaces_ the original Axis SOAP request with the newly generated
message. To do this WSS4J sets this new message as FORM_BYTES:
            ByteArrayOutputStream os = new ByteArrayOutputStream();
            XMLUtils.outputDOM(doc, os, true);
            sPart.setCurrentMessage(os.toByteArray(), SOAPPart.FORM_BYTES);
(sPart is the SOAP part of the Axis message).

The receiver side works similar. If the new Axis implementation changes this
behaviour then the WSS4J Axis handlers (and maybe the JAX-RPC handler) may need
some rework. The JAX-RPC handler uses _no_ Axis SOAP but JAX-RPC only. This
handler also uses slightly different ways to convert SOAP messages into DOM
and vice versa. It also use standard JX-RPC functions to set the current

Hope this helps.


> -----Ursprüngliche Nachricht-----
> Von: Ajith Ranabahu [] 
> Gesendet: Montag, 7. März 2005 05:21
> An:;
> Betreff: Re: [Axis2] Support for WSS4J ?
> Hi,
> Thanks for the info. I guess the older code is still in the scratch
> area and will be handy for me to have a look at it.
> BTW I would very much appreciate if a WSS4J expert can give me a hint
> as to what to look for.
> On Mon, 7 Mar 2005 10:14:10 +0600, Eran Chinthaka
> <> wrote:
> > Ajith,
> > 
> > Once I implemented a bit of w3c DOM on top of OM, but I 
> gave it up, since it
> > was not urgent at that time.
> > 
> > Anyway, I think it's better to implement only the parts 
> that are required
> > for wss4j, for now. Meaning, IMO, we do not need to 
> implement the whole DOM
> > API now, as far as the WSS4J is concerned. (Do We ??). And 
> since OM doesn't
> > have full infoset support, you can not implement whole DOM 
> API anyway.
> > 
> > But later we can complete the shim DOM to support the full DOM API.
> > 
> > -- Eran Chinthaka
> > 
> > -----Original Message-----
> > From: Ajith Ranabahu []
> > Sent: Monday, March 07, 2005 9:58 AM
> > To: Axis developer list
> > Subject: [Axis2] Support for WSS4J ?
> > 
> > Hi all,
> > As far as the security aspect is concerned, I suppose we 
> are going to
> > incorporate WSS4J as a module.
> > To make this a success we need a "shim" DOM over OM and I'm looking
> > into WSS4J and related items these days.
> > 
> > Any suggestions ?
> > 
> > --
> > Ajith Ranabahu
> > 
> > 
> -- 
> Ajith Ranabahu

View raw message