axis-java-user mailing list archives

From "Dimuthu Leelaratne" <dimuthu.leelara...@gmail.com>
Subject Re: [Axis2][Rampart] MTOM Attachment secure?
Date Fri, 09 Mar 2007 03:34:41 GMT
Hi Jochen Zink,

Quoted from [1]:
"The most notable feature of MTOM is the use of the XOP:Include element,
which is defined in the XML Binary Optimized Packaging (XOP) specification
to reference the binary attachments (external unparsed general
entities) of the message. With the use of this exclusive element the
attached binary content logically becomes inline (by value) with the
SOAP document even though actually it is attached separately."

Therefore we assume that the MTOM attachment is inside the SOAP
Envelope and encrypt it first, just as we are encrypting any other
SOAP element. So the produced cipher value will be base64Binary. Now,
if users specify <OptimizeParts> and indicate to Rampart that it should MTOM
serialize this cipher value, then what happens is we do a conversion
from base64Binary to a binary attachment.

So if you really want to check whether this is actually encrypted or
not, then copy and paste the code below at line 271 of
org.apache.rampart.handler.WSDoAllHandler.java in rampart-core.
Then you can inspect the message.


    // Imports needed by the snippet (add them to WSDoAllHandler.java if missing).
    import javax.xml.stream.XMLOutputFactory;
    import javax.xml.stream.XMLStreamWriter;
    import org.apache.axiom.om.OMElement;

    // Serialize the envelope exactly as Rampart has built it at this point and print it to stdout.
    OMElement omElem = msgContext.getEnvelope();
    XMLStreamWriter writer = XMLOutputFactory.newInstance().createXMLStreamWriter(System.out);
    omElem.serialize(writer);   // declares XMLStreamException: catch it or wrap it in an AxisFault
    writer.flush();

I admit that we could have made everyone's life easier if we had done
some proper info-level logging. When you remove <OptimizeParts> and
inspect the message with TCP monitor, and you can see that it is
encrypted properly, then you don't have to worry, because by
introducing <OptimizeParts> Axis2 only performs a simple conversion.


Thanks,
Dimuthu.
http://wso2.org


[1] http://ws.apache.org/axis2/0_93/mtom-guide.html
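The same check can be made offline on a message captured with tcpmon, without patching WSDoAllHandler. The following is an added example written for this page; it is not code from the post above or from Axis2/Rampart, and Python is used because it is an analysis of a captured wire message rather than handler code. It applies the rule the reply spells out: with <optimizeParts>//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue</optimizeParts>, the only thing MTOM changes is that the base64 CipherValue text becomes an xop:Include pointing at a MIME part, so an attachment is ciphertext exactly when the xop:Include that references it sits inside xenc:CipherValue, and a part referenced from anywhere else in the Body travels in the clear. The namespace URIs are the standard ones (SOAP 1.1 assumed, EncryptedKey header left out); the MIME boundary, Content-IDs, envelope, the t:file element and the ciphertext bytes are constructed, not captured.

```python
"""Added example (not Axis2/Rampart code): parse a captured MTOM message, pair each
xop:Include with its MIME part, and report whether that part is ciphertext (it hangs
under xenc:CipherValue) or clear text (referenced from anywhere else). Also shows that
the optimized and non-optimized forms carry byte-identical ciphertext."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1 assumed
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "xop": "http://www.w3.org/2004/08/xop/include",
}
XOP_INCLUDE = "{%s}Include" % NS["xop"]
CIPHER_VALUE = "{%s}CipherValue" % NS["xenc"]

BOUNDARY = b"MIMEBoundary_constructed"            # constructed
CT_CID, FILE_CID = "ct1@example", "f1@example"    # constructed Content-IDs
CIPHERTEXT = bytes(range(256)) * 2 + b"\x00\xff"  # stand-in for real AES output
CLEAR_FILE = b"<secret>not encrypted</secret>"    # a part that escaped encryption


def envelope(cipher_value_xml: str, extra_body_xml: str = "") -> str:
    """Constructed envelope whose Body content is one EncryptedData (EncryptedKey left out)."""
    return (
        '<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:xenc="%(xenc)s" '
        'xmlns:xop="%(xop)s" xmlns:t="urn:example:test"><soapenv:Header/><soapenv:Body>'
        '<xenc:EncryptedData Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content">'
        "<xenc:CipherData><xenc:CipherValue>%(cv)s</xenc:CipherValue></xenc:CipherData>"
        "</xenc:EncryptedData>%(extra)s</soapenv:Body></soapenv:Envelope>"
    ) % dict(NS, cv=cipher_value_xml, extra=extra_body_xml)


def mtom_message(envelope_xml: str, attachments: dict) -> bytes:
    """Constructed multipart/related wire message: root part first, one part per attachment."""
    out = [b"--" + BOUNDARY + b'\r\nContent-Type: application/xop+xml; charset=UTF-8; type="text/xml"'
           b"\r\nContent-Transfer-Encoding: binary\r\nContent-ID: <root@example>\r\n\r\n"
           + envelope_xml.encode()]
    for cid, data in attachments.items():
        out.append(b"\r\n--" + BOUNDARY + b"\r\nContent-Type: application/octet-stream\r\n"
                   b"Content-Transfer-Encoding: binary\r\nContent-ID: <%s>\r\n\r\n" % cid.encode() + data)
    out.append(b"\r\n--" + BOUNDARY + b"--\r\n")
    return b"".join(out)


def split_mime(raw: bytes, boundary: bytes) -> list:
    """Binary-safe split into (headers, body); only the CRLF owned by the next delimiter is removed."""
    parts = []
    for chunk in raw.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                     # closing delimiter
            break
        head, _, body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("ascii").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, body[:-2] if body.endswith(b"\r\n") else body))
    return parts


def load_mtom(raw: bytes, boundary: bytes):
    """Return (root envelope bytes, {content-id: attachment bytes}) for a captured message."""
    parts = split_mime(raw, boundary)
    return parts[0][1], {h["content-id"].strip("<>"): body for h, body in parts[1:]}


def classify_attachments(root_xml: bytes, attachments: dict) -> dict:
    """Content-ID -> 'ciphertext' if its xop:Include sits inside xenc:CipherValue,
    'cleartext' if referenced from anywhere else, 'unreferenced' if nothing points at it."""
    root = ET.fromstring(root_xml)
    parent = {child: p for p in root.iter() for child in p}
    verdict = {}
    for inc in root.iter(XOP_INCLUDE):
        href = unquote(inc.get("href", ""))
        if not href.startswith("cid:"):
            continue
        node, inside_cipher = inc, False
        while node in parent and not inside_cipher:     # walk up towards the Envelope
            node = parent[node]
            inside_cipher = node.tag == CIPHER_VALUE
        verdict[href[4:]] = "ciphertext" if inside_cipher else "cleartext"
    for cid in attachments:
        verdict.setdefault(cid, "unreferenced")
    return verdict


def cipher_value_bytes(root_xml: bytes, attachments: dict) -> bytes:
    """Ciphertext of the first EncryptedData, whether inline base64 or MTOM-optimized."""
    cv = ET.fromstring(root_xml).find(".//xenc:CipherValue", NS)
    inc = cv.find("xop:Include", NS)
    if inc is not None:                                 # optimized: bytes live in a MIME part
        return attachments[unquote(inc.get("href"))[4:]]
    return base64.b64decode(cv.text or "")              # not optimized: base64 text inline


def demo() -> dict:
    """Both wire forms of one encrypted message, plus a stray clear-text part, checked."""
    inline_form = envelope(base64.b64encode(CIPHERTEXT).decode()).encode()
    optimized = mtom_message(
        envelope('<xop:Include href="cid:%s"/>' % CT_CID,
                 '<t:file><xop:Include href="cid:%s"/></t:file>' % FILE_CID),
        {CT_CID: CIPHERTEXT, FILE_CID: CLEAR_FILE})
    root, attachments = load_mtom(optimized, BOUNDARY)
    return {"same_ciphertext": cipher_value_bytes(root, attachments) == cipher_value_bytes(inline_form, {}),
            "verdict": classify_attachments(root, attachments)}
```

Run it against a real capture by replacing the constructed message with the raw bytes from tcpmon and the boundary from the Content-Type header; `same_ciphertext` is the reply's "simple conversion" made visible, and any part that comes back `cleartext` or `unreferenced` is one the WS-Security encryption did not cover.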



On 3/8/07, Jochen Zink <jochenlist@web.de> wrote:
> I know that Rampart handles the file as a binary file. :)  That is the reason why I
> cannot check that the attachment is also encrypted. If I do not write the <optimizeParts>
> element to the client's config file, I can see that the file is encrypted, because there
> is no binary stuff inside the message and the file is transferred correctly.
> With <optimizeParts> it looks like only the SOAP message is
> encrypted and not the attachment. But I'm not sure. I don't know a way
> to check this.
>
> If anybody knows how I can check, please let me know. Or does anybody know whether
> Rampart encrypts MTOM attachments?!
>
> Thanks for all
>
>
> > -----Original Message-----
> > From: axis-user@ws.apache.org
> > Sent: 08.03.07 15:09:14
> > To: axis-user@ws.apache.org
> > Subject: Re: [Axis2][Rampart] MTOM Attachment secure?
>
>
> > > The file is transferred correctly. But I'm not sure that both message parts
> > > (the SOAP message and the attachment) are encrypted. Without Rampart, I can read the
> > > XML file content in clear text on tcpmon. With Rampart and sending the file with SOAP
> > > with Attachments, it's also clear text (Rampart can't secure SwA). Therefore I tried
> > > to send the file with MTOM. Now I can't read the XML file. But it doesn't look like
> > > XML encryption.
> > AFAIK rampart will treat your attachment as a binary file.. It'll not
> > be aware of whether you are sending XML as the attachment...
> >
> > ~Thilina
> >
> > > If you open a binary file in a text editor, you get a similar
> > > result. I don't know how I can check that the attachment is really
> > > encrypted. Has anyone an idea how I can check, or can anyone take a
> > > look at my configuration to check whether MTOM attachments are surely
> > > encrypted??
> > >
> > > Here is my service.xml
> > > <serviceGroup>
> > >         <service name="RampertFileService">
> > >                 <messageReceivers>
> > >                         <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
> > >                                 class="de.nepatec.jzink.webservice.MTOMSampleMessageReceiverInOut" />
> > >                 </messageReceivers>
> > >                 <parameter locked="false" name="ServiceClass">
> > >                         de.nepatec.jzink.webservice.RampertFileService
> > >                 </parameter>
> > >                 <operation name="attachment"
> > >                         mep="http://www.w3.org/2004/08/wsdl/in-out">
> > >                         <actionMapping>attachment</actionMapping>
> > >                         <outputActionMapping>
> > >                                 //schemas.xmlsoap.org/wsdl/MTOMServicePortType/AttachmentResponse
> > >                         </outputActionMapping>
> > >                 </operation>
> > >
> > >                 <parameter name="enableMTOM" locked="false">true</parameter>
> > >
> > >                 <module ref="rampart" />
> > >
> > >                 <parameter name="InflowSecurity">
> > >                         <action>
> > >                                 <items>Timestamp Signature Encrypt</items>
> > >                                 <passwordCallbackClass>de.nepatec.jzink.webservice.PWCBHandler</passwordCallbackClass>
> > >                                 <signaturePropFile>service.properties</signaturePropFile>
> > >                         </action>
> > >                 </parameter>
> > >
> > >                 <parameter name="OutflowSecurity">
> > >                         <action>
> > >                                 <items>Timestamp Signature Encrypt</items>
> > >                                 <user>service</user>
> > >                                 <passwordCallbackClass>de.nepatec.jzink.webservice.PWCBHandler</passwordCallbackClass>
> > >                                 <signaturePropFile>service.properties</signaturePropFile>
> > >                                 <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
> > >                                 <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
> > >                                 <encryptionUser>useReqSigCert</encryptionUser>
> > >                         </action>
> > >                 </parameter>
> > >
> > >         </service>
> > > </serviceGroup>
> > >
> > >
> > > And the client configuration
> > >
> > > <module ref="rampart" />
> > >
> > >     <parameter name="OutflowSecurity">
> > >       <action>
> > >         <items>Timestamp Signature Encrypt</items>
> > >         <user>client</user>
> > >         <passwordCallbackClass>de.nepatec.jzink.webservice.client.PWCBHandler</passwordCallbackClass>
> > >         <signaturePropFile>client.properties</signaturePropFile>
> > >         <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
> > >         <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
> > >         <encryptionUser>service</encryptionUser>
> > >                   <optimizeParts>//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue</optimizeParts>
> > >       </action>
> > >     </parameter>
> > >
> > >     <parameter name="InflowSecurity">
> > >       <action>
> > >         <items>Timestamp Signature Encrypt</items>
> > >         <passwordCallbackClass>de.nepatec.jzink.webservice.client.PWCBHandler</passwordCallbackClass>
> > >         <signaturePropFile>client.properties</signaturePropFile>
> > >       </action>
> > >     </parameter>
> > >
> > >
> > > Thanks for reading!
> > >
> > >
> > >
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > > For additional commands, e-mail: axis-user-help@ws.apache.org
> > >
> > >
> >
> >
> > --
> > Thilina Gunarathne
> > WSO2, Inc.; http://www.wso2.com/
> > Home page: http://webservices.apache.org/~thilina/
> > Blog: http://thilinag.blogspot.com/
> >
> >
> >
>
>
>
>
>
>
