Hi Werner
Yes, your explanations are extremely useful. Thank you very much for
the quick response. Will post my progress on this mailing list.

Ajith

On Mon, 7 Mar 2005 09:07:20 +0100, Dittmann Werner <[EMAIL PROTECTED]> wrote:
> Hi,
>
> well I'm somewhat familiar with the WSS4J implementation. First
> of all I would emphasize that WSS4J falls into two parts
> - one part that is (should be) independent of Axis or any other
>   SOAP implementation. This part handles all the necessary
>   signing, encryption, certificate stuff. This part makes heavy
>   use of the Apache XML security lib (xmlsec), also quite some DOM
>   is involved because WSS4J needs to re-create the SOAP message
>   that was created by Axis (or another SOAP implementation) firsthand.
> - the second part consists of Axis (also a JAX-RPC) handlers that
>   plug into the message path both on the client and the server
>   side. This part calls functions of the independent part of WSS4J.
>
> Thus the message flow is as follows (client part):
>
> Axis kernel --> WSS4J JAX-RPC/Axis handler --> WSS4J modules --> wire
>
> Between the Axis kernel and the WSS4J Axis handler there may be
> some other handlers. It is however necessary that the WSS4J handler
> is the last one in the chain because after WSS handling the
> message _must_ not be altered if the message was signed (at least
> those parts which were signed must not be changed). Also it is
> somewhat difficult to modify the message after it was encrypted.
>
> The message flow at the receiver is mirrored (WSS4J shall be the
> first handler in the chain). The WSS4J Axis handler (also the
> JAX-RPC handler) don't use DOM very much.
>
> Another notable remark:
> WSS4J Axis handlers rely on the way how Axis performs serialization
> of messages.
>
> The Axis WSS4J handler gets the SOAP message generated by Axis as DOM
> document. Here a quote from the WSS4J Axis handler inline comments:
>
> * Now get the SOAP part from the request message and convert it into a
> * Document.
> *
> * This forces Axis to serialize the SOAP request into FORM_STRING.
> * This string is converted into a document.
> *
> * During the FORM_STRING serialization Axis performs multi-ref of
> * complex data types (if requested), generates and inserts references
> * for attachments and so on. The resulting Document MUST be the
> * complete and final SOAP request as Axis would send it over the wire.
> * Therefore this shall be the last (or only) handler in a chain.
>
> After the handler got the SOAP request as DOM it hands it over to the
> WSS4J security functions. They perform signature/encryption as requested.
> The resulting DOM document is then taken by the WSS4J Axis handler,
> transformed into a byte stream (using xmlsec helper functions) and then
> _replaces_ the original Axis SOAP request with the newly generated
> message. To do this WSS4J sets this new message as FORM_BYTES:
> ....
>     ByteArrayOutputStream os = new ByteArrayOutputStream();
>     XMLUtils.outputDOM(doc, os, true);
>     sPart.setCurrentMessage(os.toByteArray(), SOAPPart.FORM_BYTES);
> ....
> (sPart is the SOAP part of the Axis message).
>
> The receiver side works similarly. If the new Axis implementation changes
> this behaviour then the WSS4J Axis handlers (and maybe the JAX-RPC handler)
> may need some rework. The JAX-RPC handler uses _no_ Axis SOAP but JAX-RPC
> only. This handler also uses slightly different ways to convert SOAP
> messages into DOM and vice versa. It also uses standard JAX-RPC functions
> to set the current message.
>
> Hope this helps.
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: Ajith Ranabahu [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 7 March 2005 05:21
> > To: [email protected]; [EMAIL PROTECTED]
> > Subject: Re: [Axis2] Support for WSS4J ?
> >
> >
> > Hi,
> > Thanks for the info. I guess the older code is still in the scratch
> > area and will be handy for me to have a look at it.
> > BTW I would very much appreciate if a WSS4J expert can give me a hint
> > as to what to look for.
> >
> >
> > On Mon, 7 Mar 2005 10:14:10 +0600, Eran Chinthaka
> > <[EMAIL PROTECTED]> wrote:
> > > Ajith,
> > >
> > > Once I implemented a bit of w3c DOM on top of OM, but I gave it up,
> > > since it was not urgent at that time.
> > >
> > > Anyway, I think it's better to implement only the parts that are
> > > required for wss4j, for now. Meaning, IMO, we do not need to
> > > implement the whole DOM API now, as far as the WSS4J is concerned.
> > > (Do We ??). And since OM doesn't have full infoset support, you
> > > can not implement whole DOM API anyway.
> > >
> > > But later we can complete the shim DOM to support the full DOM API.
> > >
> > > -- Eran Chinthaka
> > >
> > > -----Original Message-----
> > > From: Ajith Ranabahu [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, March 07, 2005 9:58 AM
> > > To: Axis developer list
> > > Subject: [Axis2] Support for WSS4J ?
> > >
> > > Hi all,
> > > As far as the security aspect is concerned, I suppose we are going to
> > > incorporate WSS4J as a module.
> > > To make this a success we need a "shim" DOM over OM and I'm looking
> > > into WSS4J and related items these days.
> > >
> > > Any suggestions ?
> > >
> > > --
> > > Ajith Ranabahu
> > >
> >
> > --
> > Ajith Ranabahu
> >
>

--
Ajith Ranabahu
