axis-java-dev mailing list archives

From Deepal jayasinghe <deep...@gmail.com>
Subject Re: [axis2] Re: svn commit: r559011 - in /webservices/axis2/trunk/java/modules: addressing/src/META-INF/ integration/conf/ integration/test-resources/deployment/ integration/test-resources/mtom/ integration/test-resources/swa/ integration/test/org/ap
Date Mon, 30 Jul 2007 08:10:05 GMT
David Illsley wrote:
> Ah, the perennial ws-sec+ws-a problem.
> This is a really complex issue, and unfortunately I don't think it can
> be resolved this simply i.e. what happens if security rejects the ws-a
> headers as invalid? 
Then security will throw an exception when the message reaches the
security handler.
> There isn't any code to roll-back the ws-a related
> fields in the message context, so suddenly one of the main reasons to
> require signed ws-a headers (preventing your server from being used to
> DoS via ReplyTo) is bypassed.
>
> I think we probably need to split the addressing processing itself
> into 2 parts - the first which provides a guess of the AxisOperation
> based on the To/Action/RelatesTo and the second which does the full
> ws-a processing (after the security handler).
>   
+1
> Do you have a list of use-cases you're trying to support?
> David
>
> On 27/07/07, Deepal jayasinghe <deepalk@gmail.com> wrote:
>   
>> In the case of WS-Security there are instances where the only way to
>> dispatch is using addressing, and service and operation must be found
>> before running the security handlers. If you take transport like SMTP
>> the only way to dispatch is using addressing so we need to run
>> addressing before security.
>>
>> Maybe Ruchith can add some more info on this.
>>
>> Thanks
>> Deepal
>>     


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org
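
A sketch of the two-part split proposed in the quoted reply, as an added example that is not part of the original thread and not Axis2 code: phase 1 only guesses the operation from To/Action, and ReplyTo is committed only after the security check passes, so a rejected message leaves nothing to roll back. `Ctx`, `dispatchGuess`, `security` and `fullAddressing` are hypothetical stand-ins, and the header values are constructed.

```java
import java.util.*;

public class TwoPhaseAddressing {
    // Hypothetical stand-in for a message context (not the Axis2 MessageContext API).
    static class Ctx {
        final Map<String, String> wsaHeaders = new HashMap<>(); // raw, untrusted wire values
        String operationGuess; // phase 1 result: used only to pick the security policy
        String replyTo;        // phase 2 result: where the response will be sent
    }

    // Phase 1, before security: guess the operation; commit no reply-routing fields.
    static void dispatchGuess(Ctx c) {
        c.operationGuess = c.wsaHeaders.get("To") + "#" + c.wsaHeaders.get("Action");
    }

    // Stand-in for the security handler: every ws-a header must be covered by the signature.
    static void security(Ctx c, Set<String> signedHeaders) {
        for (String h : c.wsaHeaders.keySet())
            if (!signedHeaders.contains(h))
                throw new SecurityException("unsigned ws-a header: " + h);
    }

    // Phase 2, after security: full ws-a processing on headers that are now trusted.
    static void fullAddressing(Ctx c) {
        c.replyTo = c.wsaHeaders.get("ReplyTo");
    }

    static Ctx process(Map<String, String> headers, Set<String> signedHeaders) {
        Ctx c = new Ctx();
        c.wsaHeaders.putAll(headers);
        dispatchGuess(c);
        try {
            security(c, signedHeaders);
            fullAddressing(c);
        } catch (SecurityException e) {
            // replyTo was never set, so there is nothing to roll back
            System.out.println("rejected: " + e.getMessage());
        }
        return c;
    }

    public static void main(String[] args) {
        Map<String, String> h = new HashMap<>(); // constructed sample headers
        h.put("To", "urn:svc");
        h.put("Action", "urn:op");
        h.put("ReplyTo", "http://third-party.example/");
        Ctx bad = process(h, Set.of("To", "Action"));           // ReplyTo not signed
        System.out.println(bad.operationGuess + " replyTo=" + bad.replyTo);
        Ctx ok = process(h, Set.of("To", "Action", "ReplyTo")); // all headers signed
        System.out.println(ok.operationGuess + " replyTo=" + ok.replyTo);
    }
}
```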

