Davide,

a lot of questions :-).

IMHO some of your requirements could be added by improving the
return data of WSSecurityEngine. Maybe we can have a discussion
about it - what could/should go into this. As you have mentioned
some data is already provided to the service via the result vector
(btw, SND_SECURITY is as far as I can remember not usable for
this because it is used for other purposes - need to check though)

About your question for asymmetric encryption: this is not foreseen
in the OASIS specs. It is anyhow not a good idea to use asymmetric
encryption for large amounts of data, usually only a session key
(generated via random generators) is encrypted. This session
key is used as key for symmetric encryption which is much faster.
There are also additional concerns about the use of asymmetrical
methods for encryption (maybe you need to refer to some books here).

Regards,
Werner

> -----Original Message-----
> From: Davide Romanini [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, 23 June 2005 15:49
> To: [email protected]
> Subject: Impose policies programmatically
> 
> 
> Hi,
> 
> it would be nice to make some checks regarding security on the SOAP
> message. I refer specifically to imposing some constraints on the security
> tokens used and on the message parts that are signed/encrypted. That's what
> WS-SecurityPolicy exists for :-)
> 
> For now, sadly, we have no support for Policies. I'm anyway interested
> in a way to impose the policies programmatically, using an Axis
> handler, for example.
> 
> When a message arrives at the service, I'd first want to check:
>  - Is the message signed?
>  - Which parts of the message are signed? (e.g. I want exactly the Body
> and the Timestamp to be signed.)
>  - Does the token used for signing satisfy my requirements? (e.g. is it an
> X509 certificate? is the issuer what I want? are the subject name and
> SubjectKeyIdentifier what I want?)
> 
> ...and so on...
> 
> I looked around the code to find out if the information I need to check
> my assertions from the MessageContext in the Handler chain. I would like
> to write a Handler between WSDoAllReceiver and the real service. It
> should read some things from the MessageContext and make decisions
> (throw faults, for example, if an assertion is not satisfied).
> 
> The only variables I can find in the MessageContext after
> WSDoAllReceiver are SND_SECURITY and RECV_RESULTS. The first contains
> the whole (partially) processed document. The latter seems to contain
> information about the Security processing, in the form of a Vector of
> WSSecurityEngineResult. It seems to me that, at least for the signature, I
> can check the cert used to sign, looking for the WSSecurityEngineResult with
> Action = WSConstants.SIGN and accessing the Certificate property. But
> for other operations (like key/data encryption) the certificate is not
> stored in that object.
> 
> Also I don't know how to check that specific parts of the message are
> signed/encrypted, in some simple manner. Do I have to check this
> "manually" using the SND_SECURITY Document?
> 
> Another question: is there a way to encrypt the message using an
> asymmetric key instead of attaching an EncryptedKey element in the
> security header?
> 
> Thanks in advance for suggestions!
> 
> Bye,
> Davide Romanini
> 
> 
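The "manual" check over the processed document that Davide asks about, as an added example that is not code from this thread or from WSS4J: it walks the ds:Reference list of the signature in a constructed sample envelope, resolves the wsu:Id values, and reports whether the Body and Timestamp are covered and whether the signing token is an X.509 token. It assumes the signature itself was already verified upstream (by WSDoAllReceiver), since only then is the Reference list trustworthy.

```python
import xml.etree.ElementTree as ET
NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample envelope: Body and Timestamp signed, key referenced via an X.509
# BinarySecurityToken; digest and signature values are dummies, only the structure matters.
SAMPLE = """<S:Envelope xmlns:S="%(S)s" xmlns:ds="%(ds)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s">
<S:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2005-06-23T13:49:00Z</wsu:Created></wsu:Timestamp>
 <wsse:BinarySecurityToken wsu:Id="CertId-1" ValueType="%(x509)s">(constructed)</wsse:BinarySecurityToken>
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#Body-1"><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>
  <ds:Reference URI="#TS-1"><ds:DigestValue>AA==</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue><ds:KeyInfo>
  <wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1"/></wsse:SecurityTokenReference>
 </ds:KeyInfo></ds:Signature></wsse:Security></S:Header>
<S:Body wsu:Id="Body-1"><ping/></S:Body></S:Envelope>""" % dict(NS, x509=X509V3)

def signed_parts(envelope_xml):
    """Return (local names the signature covers, signing token ValueType); names is None if unsigned."""
    root = ET.fromstring(envelope_xml)
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}  # wsu:Id assumed unique
    sig = root.find("S:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return None, ""
    covered = set()
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        el = by_id.get(uri[1:]) if uri.startswith("#") else None  # only local "#id" references
        if el is not None:
            covered.add(el.tag.split("}")[1])
    # Signing token: a wsse:Reference to a BinarySecurityToken, or a wsse:KeyIdentifier
    tok = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is not None:
        tok = by_id.get(ref.get("URI", "#")[1:])
    return covered, ("" if tok is None else tok.get("ValueType", ""))

def check_policy(envelope_xml, required=("Body", "Timestamp")):
    """Return policy violations ([] = met); assumes WSDoAllReceiver already verified the signature."""
    covered, value_type = signed_parts(envelope_xml)
    if covered is None:
        return ["message is not signed"]
    problems = ["%s is not covered by the signature" % p for p in required if p not in covered]
    if not value_type.rsplit("#", 1)[-1].startswith("X509"):  # X509v3, X509SubjectKeyIdentifier, ...
        problems.append("signing token is not an X.509 token")
    return problems
```

Issuer, subject name and SubjectKeyIdentifier checks would go against the certificate itself (the Certificate property of the SIGN result), not against the document.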
