xml-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sedukhin, Igor" <Igor.Seduk...@ca.com>
Subject RE: Axis and security
Date Tue, 08 Jan 2002 23:25:50 GMT

Your examples use SOAP-SEC (http://www.w3.org/TR/SOAP-dsig/). There is also WS-Security (http://msdn.microsoft.com/ws/2001/10/Security/)
for doing exactly the same thing and more. I do not think there is a consensus as to what
is going to be widely used and neither is an accepted standard yet. It all depends on what
WS framework implementations prevail.

Also, and this is really the Axis drawback, assembling a signed SOAP message using DOM is
not the nicest thing to do. You could use envelope.addHeader(domElement), where domElement
represents the security header which is created in same doc as the envelope. That won't be
ideal either.

Axis has to provide methods to request all sorts of security work done on the client and process
it on the server side. Proper hooks have to be available to integrate frameworks such as xml-security.
In other words, ideally, I should be able to do this on the client:
 ServiceClient cli = ...

The least what has to be done is to provide methods on SOAPEnvelope to create/modify/retrieve
security header information (derived from SOAPHeader and with added security semantics). It
just have to be decided whether it should be SOAP-SEC or WS-Security. I do not think there
is a JSR for this yet, so it is all Axis internal kitchen anyways.

AXIS Team, is anyone doing this right now or planning to do it? It looks like a very important

-- Igor Sedukhin .. (Igor.Sedukhin@ca.com)
-- (631) 342-4325 .. 1 CA Plaza, Islandia, NY 11788

-----Original Message-----
From: Christian Geuer-Pollmann [mailto:maillist@nue.et-inf.uni-siegen.de] 
Sent: Tuesday, January 08, 2002 3:27 AM
To: dims@yahoo.com; Christian Geuer-Pollmann
Cc: axis-dev@xml.apache.org; general@xml.apache.org
Subject: Re: Axis and security (was: Forrest Layout 1.4)


I'll add two samples which can easily be modified and which relate to each 
other. I'll send you a notification about that.


--On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <dims@yahoo.com> 

> Christian,
> Spent some time one the two samples CreateSignature.java and 
> VerifySignature.java. The first samples creates signature.xml and the 
> second one looks for hereSignature.xml....So i had to rename the 
> generate signature.xml and feed it to VerifySignature.java. Is this 
> right? If yes, i will try to spend some time tomorrow to bootstrap you 
> with SimpleAxisServer with a custom Handler and some client code.
> Thanks,
> dims
> --- Christian Geuer-Pollmann <maillist@nue.et-inf.uni-siegen.de> 
> wrote:
>> Hi Davanum,
>> I implemented the "XML Signature" spec [1] which is now available 
>> under [2]. The distribution contains some examples how XML Signature 
>> can be created and verified. These are stand-alone-examples which 
>> create a DOM structure, sign it and write it to a file or verify an 
>> existing Signature.  Well, these examples are quite nice to 
>> demonstrate how signatures are  created and verified, but I wanted to 
>> add code on how a SOAP message can be  signed (at the client) and 
>> verified (at the server's side). The "SOAP  Security Extensions: 
>> Digital Signature" [3] decribe how XML Signatures are  'embedded' 
>> into a SOAP message.
>> Well, I'm not a SOAP guru and I don't want to spend weeks installing 
>> Tomcat  and learning how to create SOAP messages. It would be nice to 
>> get a small  'stand-alone-client' and possibly (like Sam showed) a 
>> server which gives me  access to the Message: The client creates a 
>> request, and before sending  this request, I can sign it and put the 
>> Signature into the Envelope. The  server side the same: The server 
>> get's a request and before processing/dispatching it, I can verify 
>> whether the Signature is valid (for  demonstration purposes using a 
>> sample certificate).
>> A second problem was: Should I provide such an example for "Apache 
>> SOAP" or  "Apache AXIS"?
>> Maybe this gives an idea about it. BTW; if you wanna see how such an 
>> example could look like: [4]
>> Regards,
>> Christian
>> [1] http://www.w3.org/TR/xmldsig-core/
>> [2] http://xml.apache.org/security/index.html
>> [3] http://www.w3.org/TR/SOAP-dsig/
>> [4] 
>> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache
>> /xm
>> l/s ecurity/samples/signature/CreateSignature.java
>> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas 
>> <dims@yahoo.com>  wrote:
>> > Can you elaborate a bit more on your thoughts? An overview of how 
>> > you think we can make SOAP more secure using xml-security...This 
>> > will help generate more ideas.
>> >
>> > Thanks,
>> > dims
>> >
>> > --- Sam Ruby <rubys@us.ibm.com> wrote:
>> >> Note: I'm cross posting to Axis dev.  Please continue the 
>> >> discussion there.
>> >>
>> >> Christian Geuer-Pollmann wrote:
>> >> >
>> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play 
>> >> > around with these tools. I asked soap-user and soap-dev how I 
>> >> > can directly access the soap message as a DOM tree to add a 
>> >> > SOAP-SECURITY signature. Unfortunately no response. I want to 
>> >> > add an example to xml-security how a SOAP message can be signed 
>> >> > and this signature can be verified according to [1]. If there is 
>> >> > someone out there who can show me how to create a simple SOAP 
>> >> > msg using AXIS and how I can modify the resulting DOM tree, I'll 
>> >> > provide this example. The only thing that stopped me was 
>> >> > installing tomcat and all these things.

In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org

In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org

View raw message