Christian,

Your examples use SOAP-SEC (http://www.w3.org/TR/SOAP-dsig/). There is also WS-Security (http://msdn.microsoft.com/ws/2001/10/Security/) for doing exactly the same thing and more. I do not think there is a consensus as to what is going to be widely used and neither is an accepted standard yet. It all depends on what WS framework implementations prevail.

Also, and this is really the Axis drawback, assembling a signed SOAP message using DOM is not the nicest thing to do. You could use envelope.addHeader(domElement), where domElement represents the security header which is created in the same doc as the envelope. That won't be ideal either. Axis has to provide methods to request all sorts of security work done on the client and process it on the server side. Proper hooks have to be available to integrate frameworks such as xml-security. In other words, ideally, I should be able to do this on the client:

    ServiceClient cli = ...
    cli.setCredentials(...
    cli.setIntegrity(...
    cli.setConfidentiality(...
    cli.invoke(...

The least that has to be done is to provide methods on SOAPEnvelope to create/modify/retrieve security header information (derived from SOAPHeader and with added security semantics). It just has to be decided whether it should be SOAP-SEC or WS-Security. I do not think there is a JSR for this yet, so it is all Axis internal kitchen anyways.

AXIS Team, is anyone doing this right now or planning to do it? It looks like a very important piece.

-- Igor Sedukhin .. ([EMAIL PROTECTED])
-- (631) 342-4325 .. 1 CA Plaza, Islandia, NY 11788

-----Original Message-----
From: Christian Geuer-Pollmann [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 08, 2002 3:27 AM
To: [EMAIL PROTECTED]; Christian Geuer-Pollmann
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Axis and security (was: Forrest Layout 1.4)

Dims,

I'll add two samples which can easily be modified and which relate to each other. I'll send you a notification about that.

Christian

--On Monday, 7 January 2002 18:14 -0800 Davanum Srinivas <[EMAIL PROTECTED]> wrote:

> Christian,
>
> Spent some time on the two samples CreateSignature.java and
> VerifySignature.java. The first sample creates signature.xml and the
> second one looks for hereSignature.xml... So I had to rename the
> generated signature.xml and feed it to VerifySignature.java. Is this
> right? If yes, I will try to spend some time tomorrow to bootstrap you
> with SimpleAxisServer with a custom Handler and some client code.
>
> Thanks,
> dims
>
> --- Christian Geuer-Pollmann <[EMAIL PROTECTED]> wrote:
>> Hi Davanum,
>>
>> I implemented the "XML Signature" spec [1] which is now available
>> under [2]. The distribution contains some examples how XML Signature
>> can be created and verified. These are stand-alone-examples which
>> create a DOM structure, sign it and write it to a file or verify an
>> existing Signature. Well, these examples are quite nice to
>> demonstrate how signatures are created and verified, but I wanted to
>> add code on how a SOAP message can be signed (at the client) and
>> verified (at the server's side). The "SOAP Security Extensions:
>> Digital Signature" [3] describe how XML Signatures are 'embedded'
>> into a SOAP message.
>>
>> Well, I'm not a SOAP guru and I don't want to spend weeks installing
>> Tomcat and learning how to create SOAP messages. It would be nice to
>> get a small 'stand-alone-client' and possibly (like Sam showed) a
>> server which gives me access to the Message: The client creates a
>> request, and before sending this request, I can sign it and put the
>> Signature into the Envelope. The server side the same: The server
>> gets a request and before processing/dispatching it, I can verify
>> whether the Signature is valid (for demonstration purposes using a
>> sample certificate).
>>
>> A second problem was: Should I provide such an example for "Apache
>> SOAP" or "Apache AXIS"?
>>
>> Maybe this gives an idea about it. BTW; if you wanna see how such an
>> example could look like: [4]
>>
>> Regards,
>> Christian
>>
>> [1] http://www.w3.org/TR/xmldsig-core/
>> [2] http://xml.apache.org/security/index.html
>> [3] http://www.w3.org/TR/SOAP-dsig/
>> [4] http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xml/security/samples/signature/CreateSignature.java
>>
>> --On Monday, 7 January 2002 07:19 -0800 Davanum Srinivas
>> <[EMAIL PROTECTED]> wrote:
>>
>> > Can you elaborate a bit more on your thoughts? An overview of how
>> > you think we can make SOAP more secure using xml-security...This
>> > will help generate more ideas.
>> >
>> > Thanks,
>> > dims
>> >
>> > --- Sam Ruby <[EMAIL PROTECTED]> wrote:
>> >> Note: I'm cross posting to Axis dev. Please continue the
>> >> discussion there.
>> >>
>> >> Christian Geuer-Pollmann wrote:
>> >> >
>> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play
>> >> > around with these tools. I asked soap-user and soap-dev how I
>> >> > can directly access the soap message as a DOM tree to add a
>> >> > SOAP-SECURITY signature. Unfortunately no response. I want to
>> >> > add an example to xml-security how a SOAP message can be signed
>> >> > and this signature can be verified according to [1]. If there is
>> >> > someone out there who can show me how to create a simple SOAP
>> >> > msg using AXIS and how I can modify the resulting DOM tree, I'll
>> >> > provide this example. The only thing that stopped me was
>> >> > installing tomcat and all these things.

---------------------------------------------------------------------
In case of troubles, e-mail: [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]