axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oliver Wulff <oliver.wu...@zurich.ch>
Subject Antwort: RE: question regarding WSDL and WS-Security
Date Sun, 11 Jan 2004 12:30:50 GMT




The spec from Microsoft and IBM is now under control from OASIS:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

Oliver

******************************************************************
Oliver Wulff
Zürich Versicherungs-Gesellschaft
IA4, CoC Middleware
Postfach, 8085 Zürich
Telefon: +41- 1 628 58 07
Fax: +41 - 1 623 58 07
E-Mail: mailto:oliver.wulff@zurich.ch



                                                                                         
                                                    
                      thomas.cherel@ascentials                                           
                                                    
                      oftware.com                     An:       axis-user@ws.apache.org  
                                                    
                                                      Kopie:                             
                                                    
                      10.01.2004 19:11                Thema:    RE: question regarding WSDL
and WS-Security                                   
                      Bitte antworten an                                                 
                                                    
                      axis-user                                                          
                                                    
                                                                                         
                                                    
                                                                                         
                                                    





Take a look at WS-Policy
(http://www-106.ibm.com/developerworks/library/ws-polfram/) and
WS-SecurityPolicy
(http://www-106.ibm.com/developerworks/webservices/library/ws-secpol/).

The former defines the framework to add service policy information to the
WSDL or UDDI entry of a web service.
The later uses this framework to define the policy related to WS-Security.

Thomas

-----Original Message-----
From: Ricky Ho [mailto:riho@cisco.com]
Sent: Friday, January 09, 2004 5:00 PM
To: axis-user@ws.apache.org
Subject: Re: question regarding WSDL and WS-Security


Here is what I'm thinking ...

WSDL Binding have some extensibility that you can declare which part to
encrypt.  But I probably will go with another route, describe as follows
...

There is a WSDL and WS-Policy, which part to be encrypted will be described
in the WS-Policy.

The communication path will look like ...
ClientApp -> ClientSideGateway -> Network -> ServerSideGateway -> ServerApp

ClientApp & ServerApp - cares only WSDL
ClientSideGateway & ServerSideGateway - cares only WS-Policy

Rgds, Ricky

At 01:30 PM 1/9/2004 -0800, Shantanu Sen wrote:
>Suppose I have a method that I want to expose as a web-service. I can
>generate a WSDL that describes the service end-point, format etc.
>Supppose I expect that one or more parameters of this method will be
>encrypted , and my service will also return an
>encrypted string which I expect the client to decrypt.
>
>
>How would I go about describing this to the client?
>Clearly, I need to supply something more than a WSDL
>document to the client. Even if the client has an
>underlying infrastructure (e.g. a security gateway) it
>needs some sort of information. Does WS-Policy provide
>  that?
>
>Thanks,
>Shantanu Sen
>--- Ricky Ho <riho@cisco.com> wrote:
> > There is a nice separation between application
> > processing and
> > infrastructure processing.  WSDL describes the
> > former and WS-Policy
> > describe the later.
> >
> > If you are writing application code, you shouldn't
> > care about WS-Policy
> > (and WS-Security), you only care about WSDL.  The underlying
> > infrastructure (e.g. a security gateway) should take care about
> > this for you.
> >
> > However, it you are writing the intermediary code
> > doing infrastructrure
> > processing, then you shouldn't care about WSDL.
> > Instead you should deal
> > with WS-Policy which is a less mature area (you
> > probably need to do some
> > proprietary policy exchange handshaking).
> >
> > Rgds, Ricky
> >
> > At 12:58 PM 1/9/2004 -0800, Shantanu Sen wrote:
> > >Please point me to the correct forum if you know
> > where
> > >I should post this question.
> > >
> > >As far as I know, currently there is no extension
> > in
> > >WSDL  for WS-Security. In other words, looking at a
> > >WSDL there is no way to figure out if the service
> > >expects security information as specified in
> > >WS-Security in the header/body of the SOAP
> > envelope.
> > >
> > >If this is true, how does a client know how to send
> > >the correct SOAP message to the service i.e. how
> > does
> > >it know to add the required security info?
> > >
> > >Thanks for any info regarding this.
> > >
> > >Shantanu Sen
 > >








 ******************* BITTE BEACHTEN *******************
 Diese Nachricht (wie auch allfällige Anhänge dazu) beinhaltet
 möglicherweise vertrauliche oder gesetzlich geschützte Daten oder
 Informationen. Zum Empfang derselben ist (sind) ausschliesslich die
 genannte(n) Person(en) bestimmt. Falls Sie diese Nachricht
 irrtümlicherweise erreicht hat, sind Sie höflich gebeten, diese unter
 Ausschluss jeder Reproduktion zu zerstören und die absendende Person
 umgehend zu benachrichtigen. Vielen Dank für Ihre Hilfe.


Mime
View raw message