Hi, it would be nice to make some checks regarding security on the SOAP message. I refer specifically to imposing some constraints about the security tokens used and the message parts that are signed/encrypted. It's all about what WS-SecurityPolicy exists for :-)
For now, sadly, we have no support for Policies. I'm anyway interested in a way to impose the policies programmatically, using an Axis handler, for example. When a message arrives at the service, I'd want to check first:

- Is the message signed?
- What parts of the message are signed? (e.g. I want exactly the Body and the Timestamp to be signed.)
- Does the token used for signing satisfy my requirements? (e.g. is it an X509 certificate? is the issuer what I want? are the subject name and SubjectKeyIdentifier what I want?)

...and so on...

I looked around the code to find out whether the information I need to check my assertions is available from the MessageContext in the Handler chain. I would like to write a Handler between WSDoAllReceiver and the real service. It should read some things from the MessageContext and make decisions (throw faults, for example, if an assertion is not satisfied).

The only variables I can find in the MessageContext after WSDoAllReceiver are SND_SECURITY and RECV_RESULTS. The first contains the whole (partially) processed document. The latter seems to contain information about the security processing, in the form of a Vector of WSSecurityEngineResult. It seems to me that, at least for the signature, I can check the cert used to sign by looking for the WSSecurityEngineResult with Action = WSConstants.SIGN and accessing its Certificate property. But for other operations (like key/data encryption) the certificate is not stored in that object. Also I don't know how to check, in some simple manner, that specific parts of the message are signed/encrypted. Do I have to check this "manually" using the SND_SECURITY Document?

Another question: is there a way to encrypt the message using an asymmetric key directly, instead of attaching an EncryptedKey element in the security header?

Thanks in advance for suggestions!

Bye,
Davide Romanini
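As an added example (not code from the post above or from the WSS4J project), here is the shape such a handler could take for the signing-certificate part of the question: an Axis BasicHandler deployed after WSDoAllReceiver that walks RECV_RESULTS, picks the WSSecurityEngineResult whose action is WSConstants.SIGN, and rejects the request unless the certificate's issuer, subject and SubjectKeyIdentifier match a configured policy. It assumes the WSS4J 1.x API in which RECV_RESULTS holds a Vector of WSHandlerResult (one per actor), each wrapping a Vector of WSSecurityEngineResult with getAction() and getCertificate() accessors; the expected DN strings and SKI value are placeholders to be replaced with your own PKI's values. It does not cover the "which parts are signed" check, which the post notes the result object does not expose.

```java
// Added example, not from the original post or from WSS4J itself.
// Assumes WSS4J 1.x: RECV_RESULTS -> Vector<WSHandlerResult>, each holding
// a Vector<WSSecurityEngineResult> with getAction()/getCertificate().
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Vector;

import javax.security.auth.x500.X500Principal;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class SigningCertPolicyHandler extends BasicHandler {

    // Policy values are hypothetical placeholders; set them for your own CA.
    private static final X500Principal EXPECTED_ISSUER =
            new X500Principal("CN=Example CA, O=Example, C=IT");
    private static final X500Principal EXPECTED_SUBJECT =
            new X500Principal("CN=client, O=Example, C=IT");
    private static final String EXPECTED_SKI_HEX =
            "0123456789abcdef0123456789abcdef01234567";

    public void invoke(MessageContext mc) throws AxisFault {
        Vector handlerResults = (Vector) mc.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            // WSDoAllReceiver did not run or found no Security header: fail closed.
            throw new AxisFault("No WS-Security results: message was not secured");
        }
        X509Certificate signer = findSigningCertificate(handlerResults);
        if (signer == null) {
            throw new AxisFault("Message is not signed with an X.509 token");
        }
        // X500Principal.equals() compares canonical DN forms, so attribute order
        // and string-encoding differences do not cause false mismatches.
        if (!EXPECTED_ISSUER.equals(signer.getIssuerX500Principal())) {
            throw new AxisFault("Signing certificate issued by an unexpected CA");
        }
        if (!EXPECTED_SUBJECT.equals(signer.getSubjectX500Principal())) {
            throw new AxisFault("Signing certificate has an unexpected subject");
        }
        String ski = subjectKeyIdentifierHex(signer);
        if (ski == null || !ski.equalsIgnoreCase(EXPECTED_SKI_HEX)) {
            throw new AxisFault("Signing certificate has an unexpected SubjectKeyIdentifier");
        }
    }

    // Return the certificate attached to the first SIGN result across all
    // actors, or null when no signature was processed.
    static X509Certificate findSigningCertificate(Vector handlerResults) {
        for (Iterator i = handlerResults.iterator(); i.hasNext();) {
            WSHandlerResult hr = (WSHandlerResult) i.next();
            for (Iterator j = hr.getResults().iterator(); j.hasNext();) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) j.next();
                if (r.getAction() == WSConstants.SIGN && r.getCertificate() != null) {
                    return r.getCertificate();
                }
            }
        }
        return null;
    }

    // SubjectKeyIdentifier is extension OID 2.5.29.14. getExtensionValue()
    // returns the DER OCTET STRING wrapping the extension's own OCTET STRING,
    // so two short-form (tag, length) headers precede the identifier bytes.
    // Returns null if the extension is absent or uses long-form lengths,
    // which a normal 20-byte SKI never does.
    static String subjectKeyIdentifierHex(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null || ext.length < 4 || ext[0] != 0x04 || ext[2] != 0x04
                || (ext[1] & 0x80) != 0 || (ext[3] & 0x80) != 0) {
            return null;
        }
        int len = ext[3] & 0xff;
        if (4 + len > ext.length) {
            return null; // malformed length, do not trust it
        }
        StringBuffer sb = new StringBuffer(len * 2);
        for (int k = 0; k < len; k++) {
            int b = ext[4 + k] & 0xff;
            if (b < 0x10) {
                sb.append('0');
            }
            sb.append(Integer.toHexString(b));
        }
        return sb.toString();
    }
}
```

Deploy it in the service's request flow after WSDoAllReceiver so that RECV_RESULTS is already populated; throwing AxisFault from invoke() is what turns a failed assertion into a SOAP fault for the caller. The handler deliberately fails closed when RECV_RESULTS is missing, because an unsecured message reaching the service is exactly the case a policy check must stop.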
