You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by Sam Ruby <ru...@us.ibm.com> on 2002/01/06 11:59:25 UTC
Axis and security (was: Forrest Layout 1.4)
Note: I'm cross posting to Axis dev. Please continue the discussion there.
Christian Geuer-Pollmann wrote:
>
> I'm not an Apache SOAP/AXIS user, so it was hard for me to play around with
> these tools. I asked soap-user and soap-dev how I can directly access the
> soap message as a DOM tree to add a SOAP-SECURITY signature. Unfortunately
> no response. I want to add an example to xml-security how a SOAP message
> can be signed and this signature can be verified according to [1]. If there
> is someone out there who can show me how to create a simple SOAP msg using
> AXIS and how I can modify the resulting DOM tree, I'll provide this
> example. The only thing that stopped me was installing tomcat and all these
> things.
See:
http://cvs.apache.org/viewcvs.cgi/xml-axis/java/samples/message/
While the installation documents are written assuming you will be
targetting a servlet engine:
http://cvs.apache.org/viewcvs.cgi/~checkout~/xml-axis/java/docs/install.html
... you can develop and debug using your classpath and a standalone
version:
http://cvs.apache.org/viewcvs.cgi/~checkout~/xml-axis/java/src/org/apache/axis/transport/http/SimpleAxisServer.java
Note: while this is enough to get you started, the real problem to be
solved is a bit more involved. See http://www.w3.org/TR/SOAP-dsig/ . What
you probably want to do is to define a handler. An existing handler that
treats the message as a whole can be found at:
http://cvs.apache.org/viewcvs.cgi/~checkout~/xml-axis/java/src/org/apache/axis/handlers/LogHandler.java
And while to choses to get the message as a string, you can also call the
getAsDOM method on the SOAPEnvelope:
http://nagoya.apache.org/gump/javadoc/xml-axis/java/build/javadocs/org/apache/axis/message/SOAPEnvelope.html
If you would like to see what the finished result would look like, see:
http://www.alphaworks.ibm.com/tech/webservicestoolkit/
- Sam Ruby
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Christian Geuer-Pollmann <ge...@nue.et-inf.uni-siegen.de>.
Hi Farrukh,
--On Dienstag, 8. Januar 2002 13:52 -0500 Farrukh Najmi
<Fa...@Sun.COM> wrote:
> I did an update of my xml-security workspace to get these examples and
> then tried to build the test target. I got compile errors. BTW is there a
> miling list where I can subscribe for xml-security?
About the compilation errors:
EncryptionMethodSpi.java:69: package
org.apache.xml.security.algorithms.encryption.params
sounds like that the CVS update did not work correctly because the
directory exists on CVS [1].
The mailing list is security-dev@xml.apache.org [2]
Christian
[1]
http://cvs.apache.org/viewcvs.cgi/xml-security/src/org/apache/xml/security/
algorithms/encryption/params/
[2] http://xml.apache.org/mail.html
mailto:security-dev-subscribe@xml.apache.org
---------------------------------------------------------------------
In case of troubles, e-mail: webmaster@xml.apache.org
To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Christian Geuer-Pollmann <ge...@nue.et-inf.uni-siegen.de>.
Dims,
> information for security-dev@xml.apache.org mailing list. You can view
> the archives at
> http://marc.theaimsgroup.com/?l=xml-security-dev&r=1&w=2.
The archives are _NOT_ up-to-date. It took very long until the archival
started and they stopped at 2001-11-01 ;-( (And there is no way to peek
somebody to let the archival continue).
---------------------------------------------------------------------
In case of troubles, e-mail: webmaster@xml.apache.org
To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Davanum Srinivas <di...@yahoo.com>.
Farrukh,
please try the "clean" target and try once again. I just tried it. Also, see bottom of the
http://xml.apache.org/mail.html page for subscription information for security-dev@xml.apache.org
mailing list. You can view the archives at
http://marc.theaimsgroup.com/?l=xml-security-dev&r=1&w=2.
Thanks,
dims
------------------------------------------------------------------
D:\jakarta\xml-security>java -classpath
;\jdk13\lib\tools.jar;\jakarta\xml-cocoon2\lib\xerces-1.4.4.jar;\jakarta\xml-cocoon2\lib\xml-apis.jar;\jakarta\xml-cocoon2\lib\ant_1_4.jar;\jakarta\xml-cocoon2\lib\ant_1_4-optional.jar;\jakarta\xml-cocoon2\lib\junit.jar
org.apache.tools.ant.Main test
Buildfile: build.xml
init:
[echo] ---------------- Apache-XML-Security 0.0.1 [1999-2001] ---------------
prepare:
[mkdir] Created dir: D:\jakarta\xml-security\classes
get-jce:
compile.library:
[javac] Compiling 154 source files to D:\jakarta\xml-security\classes
[copy] Copying 3 files to D:\jakarta\xml-security\classes
compile.tests:
[javac] Compiling 25 source files to D:\jakarta\xml-security\classes
[copy] Copying 1 file to D:\jakarta\xml-security\classes
test:
[junit] .........................................
[junit] .........................................
[junit] ......................
[junit] Time: 36.843
[junit]
[junit] OK (104 tests)
[junit]
BUILD SUCCESSFUL
Total time: 54 seconds
------------------------------------------------------------------
--- Farrukh Najmi <Fa...@Sun.COM> wrote:
> Christian,
>
> I did an update of my xml-security workspace to get these examples and then
> tried to build the test target. I got compile errors. BTW is there a miling
> list where I can subscribe for xml-security?
>
> + [ -z c:/jdk1.3 ]
> + JAVACMD=c:/jdk1.3/bin/java
> + SEP=;
> +
> cp=./libs/xerces-1_4_4.jar;c:/osws/ebxmlrr/misc/lib/ant.jar;c:/jdk1.3/lib/tools.jar
>
> + c:/jdk1.3/bin/java -classpath
> ./libs/xerces-1_4_4.jar;c:/osws/ebxmlrr/misc/lib/ant.jar;c:/jdk1.3/lib/tools.jar
> org.apache.tools.ant.Main test
> Searching for build.xml ...
> Buildfile: C:\apache\xml-security\build.xml
>
> init:
> ---------------- Apache-XML-Security 0.0.1 [1999-2001] ---------------
>
> prepare:
>
> get-jce:
>
> compile.library:
> [javac] Compiling 13 source files to C:\apache\xml-security\classes
> [javac]
>
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethod.java:72:
> cannot resolve symbol
> [javac] symbol : class EncryptionMethodParams
> [javac] location: package params
> [javac] .EncryptionMethodParams;
> [javac] ^
> [javac]
>
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethodSpi.java:69:
> package org.apache.xml.security.algorithms.encryption.params does not exist
> [javac] import org.apache.xml.security.algorithms.encryption.params.*;
> [javac] ^
> [javac]
>
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethod.java:99:
> cannot resolve symbol
> [javac] symbol : class EncryptionMethodParams
> [javac] location: class
> org.apache.xml.security.algorithms.encryption.EncryptionMethod
> [javac] EncryptionMethodParams _encMethodParams = null;
> [javac] ^
> [javac]
>
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethod.java:155:
> cannot resolve symbol
> [javac] symbol : class EncryptionMethodParams
> [javac] location: class
> org.apache.xml.security.algorithms.encryption.EncryptionMethod
> [javac] Document doc, String algorithmURI,
> EncryptionMethodParams params)
> [javac] ^
> [javac]
>
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethod.java:420:
> cannot resolve symbol
> [javac] symbol : class EncryptionMethodParams
> [javac] location: class
> org.apache.xml.security.algorithms.encryption.EncryptionMethod
> [javac] public EncryptionMethodParams getParams() {
> [javac] ^
> [javac]
>
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethodSpi.java:147:
> cannot resolve symbol
> [javac] symbol : class EncryptionMethodParams
> [javac] location: class
> org.apache.xml.security.algorithms.encryption.EncryptionMethodSpi
> [javac] public abstract EncryptionMethodParams engineInit(Document doc,
> EncryptionMethodParams params)
> [javac]
> ^
> [javac]
>
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethodSpi.java:147:
> cannot resolve symbol
> [javac] symbol : class EncryptionMethodParams
> [javac] location: class
> org.apache.xml.security.algorithms.encryption.EncryptionMethodSpi
> [javac] public abstract EncryptionMethodParams engineInit(Document doc,
> EncryptionMethodParams params)
> [javac] ^
> [javac]
>
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethodSpi.java:149:
> cannot resolve symbol
> [javac] symbol : class EncryptionMethodParams
> [javac] location: class
> org.apache.xml.security.algorithms.encryption.EncryptionMethodSpi
> [javac] public abstract EncryptionMethodParams engineInit(Element
> encryptionMethodElem)
> [javac] ^
> [javac] 8 errors
>
> BUILD FAILED
>
> C:\apache\xml-security\build.xml:150: Compile failed, messages should have been
> provided.
>
> Total time: 6 seconds
> + set +x
>
> Note that I had modified build.xml to use standard java compiler instead of
> jikes:
>
> <!--
> <property name="build.compiler" value="classic"/>
> <property name="build.compiler" value="jikes" />
> -->
>
>
>
> Christian Geuer-Pollmann wrote:
>
> > Dims,
> >
> > I'll add two samples which can easily be modified and which relate to each
> > other. I'll send you a notification about that.
> >
> > Christian
> >
> > --On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <di...@yahoo.com>
> > wrote:
> >
> > > Christian,
> > >
> > > Spent some time one the two samples CreateSignature.java and
> > > VerifySignature.java. The first samples creates signature.xml and the
> > > second one looks for hereSignature.xml....So i had to rename the generate
> > > signature.xml and feed it to VerifySignature.java. Is this right? If yes,
> > > i will try to spend some time tomorrow to bootstrap you with
> > > SimpleAxisServer with a custom Handler and some client code.
> > >
> > > Thanks,
> > > dims
> > >
> > > --- Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de> wrote:
> > >> Hi Davanum,
> > >>
> > >> I implemented the "XML Signature" spec [1] which is now available under
> > >> [2]. The distribution contains some examples how XML Signature can be
> > >> created and verified. These are stand-alone-examples which create a DOM
> > >> structure, sign it and write it to a file or verify an existing
> > >> Signature. Well, these examples are quite nice to demonstrate how
> > >> signatures are created and verified, but I wanted to add code on how a
> > >> SOAP message can be signed (at the client) and verified (at the
> > >> server's side). The "SOAP Security Extensions: Digital Signature" [3]
> > >> decribe how XML Signatures are 'embedded' into a SOAP message.
> > >>
> > >> Well, I'm not a SOAP guru and I don't want to spend weeks installing
> > >> Tomcat and learning how to create SOAP messages. It would be nice to
> > >> get a small 'stand-alone-client' and possibly (like Sam showed) a
> > >> server which gives me access to the Message: The client creates a
> > >> request, and before sending this request, I can sign it and put the
> > >> Signature into the Envelope. The server side the same: The server get's
> > >> a request and before
> > >> processing/dispatching it, I can verify whether the Signature is valid
> > >> (for demonstration purposes using a sample certificate).
> > >>
> > >> A second problem was: Should I provide such an example for "Apache SOAP"
> > >> or "Apache AXIS"?
> > >>
> > >> Maybe this gives an idea about it. BTW; if you wanna see how such an
> > >> example could look like: [4]
> > >>
> > >> Regards,
> > >> Christian
> > >>
> > >> [1] http://www.w3.org/TR/xmldsig-core/
> > >> [2] http://xml.apache.org/security/index.html
> > >> [3] http://www.w3.org/TR/SOAP-dsig/
> > >> [4]
> > >> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xm
> > >> l/s ecurity/samples/signature/CreateSignature.java
> > >>
> > >> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas
> > >> <di...@yahoo.com> wrote:
> > >>
> > >> > Can you elaborate a bit more on your thoughts? An overview of how you
> > >> > think we can make SOAP more secure using xml-security...This will help
> > >> > generate more ideas.
> > >> >
> > >> > Thanks,
> > >> > dims
> > >> >
> > >> > --- Sam Ruby <ru...@us.ibm.com> wrote:
> > >> >> Note: I'm cross posting to Axis dev. Please continue the discussion
> > >> >> there.
> > >> >>
> > >> >> Christian Geuer-Pollmann wrote:
> > >> >> >
> > >> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play
> > >> >> > around with these tools. I asked soap-user and soap-dev how I can
> > >> >> > directly access the soap message as a DOM tree to add a
> > >> >> > SOAP-SECURITY signature. Unfortunately no response. I want to add
> > >> >> > an example to xml-security how a SOAP message can be signed and
> > >> >> > this signature can be verified according to [1]. If there is
> > >> >> > someone out there who can show me how to create a simple SOAP msg
> > >> >> > using AXIS and how I can modify the resulting DOM tree, I'll
> > >> >> > provide this example. The only thing that stopped me was installing
> > >> >> > tomcat and all these things.
>
=== message truncated ===
=====
Davanum Srinivas - http://jguru.com/dims/
__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/
---------------------------------------------------------------------
In case of troubles, e-mail: webmaster@xml.apache.org
To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Farrukh Najmi <Fa...@Sun.COM>.
Christian,
I did an update of my xml-security workspace to get these examples and then
tried to build the test target. I got compile errors. BTW is there a miling
list where I can subscribe for xml-security?
+ [ -z c:/jdk1.3 ]
+ JAVACMD=c:/jdk1.3/bin/java
+ SEP=;
+
cp=./libs/xerces-1_4_4.jar;c:/osws/ebxmlrr/misc/lib/ant.jar;c:/jdk1.3/lib/tools.jar
+ c:/jdk1.3/bin/java -classpath
./libs/xerces-1_4_4.jar;c:/osws/ebxmlrr/misc/lib/ant.jar;c:/jdk1.3/lib/tools.jar
org.apache.tools.ant.Main test
Searching for build.xml ...
Buildfile: C:\apache\xml-security\build.xml
init:
---------------- Apache-XML-Security 0.0.1 [1999-2001] ---------------
prepare:
get-jce:
compile.library:
[javac] Compiling 13 source files to C:\apache\xml-security\classes
[javac]
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethod.java:72:
cannot resolve symbol
[javac] symbol : class EncryptionMethodParams
[javac] location: package params
[javac] .EncryptionMethodParams;
[javac] ^
[javac]
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethodSpi.java:69:
package org.apache.xml.security.algorithms.encryption.params does not exist
[javac] import org.apache.xml.security.algorithms.encryption.params.*;
[javac] ^
[javac]
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethod.java:99:
cannot resolve symbol
[javac] symbol : class EncryptionMethodParams
[javac] location: class
org.apache.xml.security.algorithms.encryption.EncryptionMethod
[javac] EncryptionMethodParams _encMethodParams = null;
[javac] ^
[javac]
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethod.java:155:
cannot resolve symbol
[javac] symbol : class EncryptionMethodParams
[javac] location: class
org.apache.xml.security.algorithms.encryption.EncryptionMethod
[javac] Document doc, String algorithmURI,
EncryptionMethodParams params)
[javac] ^
[javac]
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethod.java:420:
cannot resolve symbol
[javac] symbol : class EncryptionMethodParams
[javac] location: class
org.apache.xml.security.algorithms.encryption.EncryptionMethod
[javac] public EncryptionMethodParams getParams() {
[javac] ^
[javac]
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethodSpi.java:147:
cannot resolve symbol
[javac] symbol : class EncryptionMethodParams
[javac] location: class
org.apache.xml.security.algorithms.encryption.EncryptionMethodSpi
[javac] public abstract EncryptionMethodParams engineInit(Document doc,
EncryptionMethodParams params)
[javac]
^
[javac]
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethodSpi.java:147:
cannot resolve symbol
[javac] symbol : class EncryptionMethodParams
[javac] location: class
org.apache.xml.security.algorithms.encryption.EncryptionMethodSpi
[javac] public abstract EncryptionMethodParams engineInit(Document doc,
EncryptionMethodParams params)
[javac] ^
[javac]
C:\apache\xml-security\src\org\apache\xml\security\algorithms\encryption\EncryptionMethodSpi.java:149:
cannot resolve symbol
[javac] symbol : class EncryptionMethodParams
[javac] location: class
org.apache.xml.security.algorithms.encryption.EncryptionMethodSpi
[javac] public abstract EncryptionMethodParams engineInit(Element
encryptionMethodElem)
[javac] ^
[javac] 8 errors
BUILD FAILED
C:\apache\xml-security\build.xml:150: Compile failed, messages should have been
provided.
Total time: 6 seconds
+ set +x
Note that I had modified build.xml to use standard java compiler instead of
jikes:
<!--
<property name="build.compiler" value="classic"/>
<property name="build.compiler" value="jikes" />
-->
Christian Geuer-Pollmann wrote:
> Dims,
>
> I'll add two samples which can easily be modified and which relate to each
> other. I'll send you a notification about that.
>
> Christian
>
> --On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <di...@yahoo.com>
> wrote:
>
> > Christian,
> >
> > Spent some time one the two samples CreateSignature.java and
> > VerifySignature.java. The first samples creates signature.xml and the
> > second one looks for hereSignature.xml....So i had to rename the generate
> > signature.xml and feed it to VerifySignature.java. Is this right? If yes,
> > i will try to spend some time tomorrow to bootstrap you with
> > SimpleAxisServer with a custom Handler and some client code.
> >
> > Thanks,
> > dims
> >
> > --- Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de> wrote:
> >> Hi Davanum,
> >>
> >> I implemented the "XML Signature" spec [1] which is now available under
> >> [2]. The distribution contains some examples how XML Signature can be
> >> created and verified. These are stand-alone-examples which create a DOM
> >> structure, sign it and write it to a file or verify an existing
> >> Signature. Well, these examples are quite nice to demonstrate how
> >> signatures are created and verified, but I wanted to add code on how a
> >> SOAP message can be signed (at the client) and verified (at the
> >> server's side). The "SOAP Security Extensions: Digital Signature" [3]
> >> decribe how XML Signatures are 'embedded' into a SOAP message.
> >>
> >> Well, I'm not a SOAP guru and I don't want to spend weeks installing
> >> Tomcat and learning how to create SOAP messages. It would be nice to
> >> get a small 'stand-alone-client' and possibly (like Sam showed) a
> >> server which gives me access to the Message: The client creates a
> >> request, and before sending this request, I can sign it and put the
> >> Signature into the Envelope. The server side the same: The server get's
> >> a request and before
> >> processing/dispatching it, I can verify whether the Signature is valid
> >> (for demonstration purposes using a sample certificate).
> >>
> >> A second problem was: Should I provide such an example for "Apache SOAP"
> >> or "Apache AXIS"?
> >>
> >> Maybe this gives an idea about it. BTW; if you wanna see how such an
> >> example could look like: [4]
> >>
> >> Regards,
> >> Christian
> >>
> >> [1] http://www.w3.org/TR/xmldsig-core/
> >> [2] http://xml.apache.org/security/index.html
> >> [3] http://www.w3.org/TR/SOAP-dsig/
> >> [4]
> >> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xm
> >> l/s ecurity/samples/signature/CreateSignature.java
> >>
> >> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas
> >> <di...@yahoo.com> wrote:
> >>
> >> > Can you elaborate a bit more on your thoughts? An overview of how you
> >> > think we can make SOAP more secure using xml-security...This will help
> >> > generate more ideas.
> >> >
> >> > Thanks,
> >> > dims
> >> >
> >> > --- Sam Ruby <ru...@us.ibm.com> wrote:
> >> >> Note: I'm cross posting to Axis dev. Please continue the discussion
> >> >> there.
> >> >>
> >> >> Christian Geuer-Pollmann wrote:
> >> >> >
> >> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play
> >> >> > around with these tools. I asked soap-user and soap-dev how I can
> >> >> > directly access the soap message as a DOM tree to add a
> >> >> > SOAP-SECURITY signature. Unfortunately no response. I want to add
> >> >> > an example to xml-security how a SOAP message can be signed and
> >> >> > this signature can be verified according to [1]. If there is
> >> >> > someone out there who can show me how to create a simple SOAP msg
> >> >> > using AXIS and how I can modify the resulting DOM tree, I'll
> >> >> > provide this example. The only thing that stopped me was installing
> >> >> > tomcat and all these things.
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail: webmaster@xml.apache.org
> To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org
--
Regards,
Farrukh
---------------------------------------------------------------------
In case of troubles, e-mail: webmaster@xml.apache.org
To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
Re: Axis and security
Posted by Davanum Srinivas <di...@yahoo.com>.
Christian,
I got a sample you can play with. Basically, you wanted a stand-alone sample where the client
sends a DOM and a server-side Handler that can access the DOM to do the processing...See attached
zip file for a sample. Here's how you can try it out without needing Tomcat etc...
1. Get a fresh version of xml-axis.
2. Unzip enclosed file make sure that the directory structure is overlayed with the xml-axis
directory.
3. Place activation.jar, servlet_2_2.jar, xerces-1_4_4.jar in xml-axis\java\lib directory. (These
are big jars, let me know if you want me to send them to you off-line...)
4. Run buildAxis.bat from xml-axis\java directory.
5. Run buildSecurity.bat from xml-axis\java directory.
6. After this start another command prompt and run runServer.bat from xml-axis\java directory.
7. You can check if the server is alive and well by running "runAdmin list" command from
xml-axis\java directory. This will also give you the list of things that are deployed on the
server.
8. Next step is to deploy the server-side security pieces by running "runAdmin
security\deploy.wsdd" from xml-axis\java directory.
9. To check if the security pieces got deployed, use "runAdmin list".
10. Finally do a "runClient" from xml-axis\java directory. You will see that security.LogHandler
has added a log into MyService.log. The client code is in security.Client...
So you can add your AxisSigner code to Client.java and the AxisVerifier code to LogHandler.java,
play with it and let us know the outcome.
Thanks,
dims
--- maillist@nue.et-inf.uni-siegen.de wrote:
> Dims,
>
> I added two samples under
>
> CVS/xml-security/src_samples/org/apache/xml/security/samples
>
> AxisSigner.java and AxisVerifier.java create a SOAP msg (sorry for the
> stuupid code) and sign the Body (and verify it).
>
>
>
> --On Dienstag, 8. Januar 2002 09:26 +0100 Christian Geuer-Pollmann
> <ma...@nue.et-inf.uni-siegen.de> wrote:
>
> > Dims,
> >
> > I'll add two samples which can easily be modified and which relate to
> > each other. I'll send you a notification about that.
> >
> > Christian
> >
> > --On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <di...@yahoo.com>
> > wrote:
> >
> >> Christian,
> >>
> >> Spent some time one the two samples CreateSignature.java and
> >> VerifySignature.java. The first samples creates signature.xml and the
> >> second one looks for hereSignature.xml....So i had to rename the generate
> >> signature.xml and feed it to VerifySignature.java. Is this right? If yes,
> >> i will try to spend some time tomorrow to bootstrap you with
> >> SimpleAxisServer with a custom Handler and some client code.
> >>
> >> Thanks,
> >> dims
> >>
> >> --- Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de> wrote:
> >>> Hi Davanum,
> >>>
> >>> I implemented the "XML Signature" spec [1] which is now available under
> >>> [2]. The distribution contains some examples how XML Signature can be
> >>> created and verified. These are stand-alone-examples which create a DOM
> >>> structure, sign it and write it to a file or verify an existing
> >>> Signature. Well, these examples are quite nice to demonstrate how
> >>> signatures are created and verified, but I wanted to add code on how a
> >>> SOAP message can be signed (at the client) and verified (at the
> >>> server's side). The "SOAP Security Extensions: Digital Signature" [3]
> >>> decribe how XML Signatures are 'embedded' into a SOAP message.
> >>>
> >>> Well, I'm not a SOAP guru and I don't want to spend weeks installing
> >>> Tomcat and learning how to create SOAP messages. It would be nice to
> >>> get a small 'stand-alone-client' and possibly (like Sam showed) a
> >>> server which gives me access to the Message: The client creates a
> >>> request, and before sending this request, I can sign it and put the
> >>> Signature into the Envelope. The server side the same: The server get's
> >>> a request and before
> >>> processing/dispatching it, I can verify whether the Signature is valid
> >>> (for demonstration purposes using a sample certificate).
> >>>
> >>> A second problem was: Should I provide such an example for "Apache SOAP"
> >>> or "Apache AXIS"?
> >>>
> >>> Maybe this gives an idea about it. BTW; if you wanna see how such an
> >>> example could look like: [4]
> >>>
> >>> Regards,
> >>> Christian
> >>>
> >>> [1] http://www.w3.org/TR/xmldsig-core/
> >>> [2] http://xml.apache.org/security/index.html
> >>> [3] http://www.w3.org/TR/SOAP-dsig/
> >>> [4]
> >>> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xm
> >>> l/s ecurity/samples/signature/CreateSignature.java
> >>>
> >>> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas
> >>> <di...@yahoo.com> wrote:
> >>>
> >>> > Can you elaborate a bit more on your thoughts? An overview of how you
> >>> > think we can make SOAP more secure using xml-security...This will help
> >>> > generate more ideas.
> >>> >
> >>> > Thanks,
> >>> > dims
> >>> >
> >>> > --- Sam Ruby <ru...@us.ibm.com> wrote:
> >>> >> Note: I'm cross posting to Axis dev. Please continue the discussion
> >>> >> there.
> >>> >>
> >>> >> Christian Geuer-Pollmann wrote:
> >>> >> >
> >>> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play
> >>> >> > around with these tools. I asked soap-user and soap-dev how I can
> >>> >> > directly access the soap message as a DOM tree to add a
> >>> >> > SOAP-SECURITY signature. Unfortunately no response. I want to add
> >>> >> > an example to xml-security how a SOAP message can be signed and
> >>> >> > this signature can be verified according to [1]. If there is
> >>> >> > someone out there who can show me how to create a simple SOAP msg
> >>> >> > using AXIS and how I can modify the resulting DOM tree, I'll
> >>> >> > provide this example. The only thing that stopped me was installing
> >>> >> > tomcat and all these things.
> >
> >
> > ---------------------------------------------------------------------
> > In case of troubles, e-mail: webmaster@xml.apache.org
> > To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
> > For additional commands, e-mail: general-help@xml.apache.org
> >
>
>
>
>
=====
Davanum Srinivas - http://jguru.com/dims/
__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/
JVM interference with Xerces :System hangs
Posted by Andrew Anand <an...@fedex.com>.
I parse(using DOMParser) a huge XML (about 20 KB) in to DOM and serialize it
to print the XML out of it , repeatedly.
My system does the job as expected over a number of times(up to 6 times run
continuously) and then
hangs ending up with a Null pointer Exception as described below.
java.lang.NullPointerException
at
org.apache.xerces.dom.DeferredDocumentImpl.synchronizeChildren(DeferredDocum
entImpl.java:1218)
at org.apache.xerces.dom.NodeImpl.getChildNodes(NodeImpl.java:520)
To my knowledge this is because JVM HotSpot interferes with Xerces when we
try to parse huge xml files repeatedly.
I am using :
Xerces1.4.3 on Java 2 platform.
Have you guys come across this situation.
I would really appreciate any ideas about the solution to this problem.
I apologize if this mail went in to wrong mailing list.
Thank you,
Andrew
---------------------------------------------------------------------
In case of troubles, e-mail: webmaster@xml.apache.org
To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
JVM interference with Xerces :System hangs
Posted by Andrew Anand <an...@fedex.com>.
I parse(using DOMParser) a huge XML (about 20 KB) in to DOM and serialize it
to print the XML out of it , repeatedly.
My system does the job as expected over a number of times(up to 6 times run
continuously) and then
hangs ending up with a Null pointer Exception as described below.
java.lang.NullPointerException
at
org.apache.xerces.dom.DeferredDocumentImpl.synchronizeChildren(DeferredDocum
entImpl.java:1218)
at org.apache.xerces.dom.NodeImpl.getChildNodes(NodeImpl.java:520)
To my knowledge this is because JVM HotSpot interferes with Xerces when we
try to parse huge xml files repeatedly.
I am using :
Xerces1.4.3 on Java 2 platform.
Have you guys come across this situation.
I would really appreciate any ideas about the solution to this problem.
I apologize if this mail went in to wrong mailing list.
Thank you,
Andrew
Re: Axis and security (was: Forrest Layout 1.4)
Posted by ma...@nue.et-inf.uni-siegen.de.
Dims,
I added two samples under
CVS/xml-security/src_samples/org/apache/xml/security/samples
AxisSigner.java and AxisVerifier.java create a SOAP msg (sorry for the
stuupid code) and sign the Body (and verify it).
--On Dienstag, 8. Januar 2002 09:26 +0100 Christian Geuer-Pollmann
<ma...@nue.et-inf.uni-siegen.de> wrote:
> Dims,
>
> I'll add two samples which can easily be modified and which relate to
> each other. I'll send you a notification about that.
>
> Christian
>
> --On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <di...@yahoo.com>
> wrote:
>
>> Christian,
>>
>> Spent some time one the two samples CreateSignature.java and
>> VerifySignature.java. The first samples creates signature.xml and the
>> second one looks for hereSignature.xml....So i had to rename the generate
>> signature.xml and feed it to VerifySignature.java. Is this right? If yes,
>> i will try to spend some time tomorrow to bootstrap you with
>> SimpleAxisServer with a custom Handler and some client code.
>>
>> Thanks,
>> dims
>>
>> --- Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de> wrote:
>>> Hi Davanum,
>>>
>>> I implemented the "XML Signature" spec [1] which is now available under
>>> [2]. The distribution contains some examples how XML Signature can be
>>> created and verified. These are stand-alone-examples which create a DOM
>>> structure, sign it and write it to a file or verify an existing
>>> Signature. Well, these examples are quite nice to demonstrate how
>>> signatures are created and verified, but I wanted to add code on how a
>>> SOAP message can be signed (at the client) and verified (at the
>>> server's side). The "SOAP Security Extensions: Digital Signature" [3]
>>> decribe how XML Signatures are 'embedded' into a SOAP message.
>>>
>>> Well, I'm not a SOAP guru and I don't want to spend weeks installing
>>> Tomcat and learning how to create SOAP messages. It would be nice to
>>> get a small 'stand-alone-client' and possibly (like Sam showed) a
>>> server which gives me access to the Message: The client creates a
>>> request, and before sending this request, I can sign it and put the
>>> Signature into the Envelope. The server side the same: The server get's
>>> a request and before
>>> processing/dispatching it, I can verify whether the Signature is valid
>>> (for demonstration purposes using a sample certificate).
>>>
>>> A second problem was: Should I provide such an example for "Apache SOAP"
>>> or "Apache AXIS"?
>>>
>>> Maybe this gives an idea about it. BTW; if you wanna see how such an
>>> example could look like: [4]
>>>
>>> Regards,
>>> Christian
>>>
>>> [1] http://www.w3.org/TR/xmldsig-core/
>>> [2] http://xml.apache.org/security/index.html
>>> [3] http://www.w3.org/TR/SOAP-dsig/
>>> [4]
>>> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xm
>>> l/s ecurity/samples/signature/CreateSignature.java
>>>
>>> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas
>>> <di...@yahoo.com> wrote:
>>>
>>> > Can you elaborate a bit more on your thoughts? An overview of how you
>>> > think we can make SOAP more secure using xml-security...This will help
>>> > generate more ideas.
>>> >
>>> > Thanks,
>>> > dims
>>> >
>>> > --- Sam Ruby <ru...@us.ibm.com> wrote:
>>> >> Note: I'm cross posting to Axis dev. Please continue the discussion
>>> >> there.
>>> >>
>>> >> Christian Geuer-Pollmann wrote:
>>> >> >
>>> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play
>>> >> > around with these tools. I asked soap-user and soap-dev how I can
>>> >> > directly access the soap message as a DOM tree to add a
>>> >> > SOAP-SECURITY signature. Unfortunately no response. I want to add
>>> >> > an example to xml-security how a SOAP message can be signed and
>>> >> > this signature can be verified according to [1]. If there is
>>> >> > someone out there who can show me how to create a simple SOAP msg
>>> >> > using AXIS and how I can modify the resulting DOM tree, I'll
>>> >> > provide this example. The only thing that stopped me was installing
>>> >> > tomcat and all these things.
>
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail: webmaster@xml.apache.org
> To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org
>
---------------------------------------------------------------------
In case of troubles, e-mail: webmaster@xml.apache.org
To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
Re: Axis and security (was: Forrest Layout 1.4)
Posted by ma...@nue.et-inf.uni-siegen.de.
Dims,
I added two samples under
CVS/xml-security/src_samples/org/apache/xml/security/samples
AxisSigner.java and AxisVerifier.java create a SOAP msg (sorry for the
stuupid code) and sign the Body (and verify it).
--On Dienstag, 8. Januar 2002 09:26 +0100 Christian Geuer-Pollmann
<ma...@nue.et-inf.uni-siegen.de> wrote:
> Dims,
>
> I'll add two samples which can easily be modified and which relate to
> each other. I'll send you a notification about that.
>
> Christian
>
> --On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <di...@yahoo.com>
> wrote:
>
>> Christian,
>>
>> Spent some time one the two samples CreateSignature.java and
>> VerifySignature.java. The first samples creates signature.xml and the
>> second one looks for hereSignature.xml....So i had to rename the generate
>> signature.xml and feed it to VerifySignature.java. Is this right? If yes,
>> i will try to spend some time tomorrow to bootstrap you with
>> SimpleAxisServer with a custom Handler and some client code.
>>
>> Thanks,
>> dims
>>
>> --- Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de> wrote:
>>> Hi Davanum,
>>>
>>> I implemented the "XML Signature" spec [1] which is now available under
>>> [2]. The distribution contains some examples how XML Signature can be
>>> created and verified. These are stand-alone-examples which create a DOM
>>> structure, sign it and write it to a file or verify an existing
>>> Signature. Well, these examples are quite nice to demonstrate how
>>> signatures are created and verified, but I wanted to add code on how a
>>> SOAP message can be signed (at the client) and verified (at the
>>> server's side). The "SOAP Security Extensions: Digital Signature" [3]
>>> decribe how XML Signatures are 'embedded' into a SOAP message.
>>>
>>> Well, I'm not a SOAP guru and I don't want to spend weeks installing
>>> Tomcat and learning how to create SOAP messages. It would be nice to
>>> get a small 'stand-alone-client' and possibly (like Sam showed) a
>>> server which gives me access to the Message: The client creates a
>>> request, and before sending this request, I can sign it and put the
>>> Signature into the Envelope. The server side the same: The server get's
>>> a request and before
>>> processing/dispatching it, I can verify whether the Signature is valid
>>> (for demonstration purposes using a sample certificate).
>>>
>>> A second problem was: Should I provide such an example for "Apache SOAP"
>>> or "Apache AXIS"?
>>>
>>> Maybe this gives an idea about it. BTW; if you wanna see how such an
>>> example could look like: [4]
>>>
>>> Regards,
>>> Christian
>>>
>>> [1] http://www.w3.org/TR/xmldsig-core/
>>> [2] http://xml.apache.org/security/index.html
>>> [3] http://www.w3.org/TR/SOAP-dsig/
>>> [4]
>>> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xm
>>> l/s ecurity/samples/signature/CreateSignature.java
>>>
>>> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas
>>> <di...@yahoo.com> wrote:
>>>
>>> > Can you elaborate a bit more on your thoughts? An overview of how you
>>> > think we can make SOAP more secure using xml-security...This will help
>>> > generate more ideas.
>>> >
>>> > Thanks,
>>> > dims
>>> >
>>> > --- Sam Ruby <ru...@us.ibm.com> wrote:
>>> >> Note: I'm cross posting to Axis dev. Please continue the discussion
>>> >> there.
>>> >>
>>> >> Christian Geuer-Pollmann wrote:
>>> >> >
>>> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play
>>> >> > around with these tools. I asked soap-user and soap-dev how I can
>>> >> > directly access the soap message as a DOM tree to add a
>>> >> > SOAP-SECURITY signature. Unfortunately no response. I want to add
>>> >> > an example to xml-security how a SOAP message can be signed and
>>> >> > this signature can be verified according to [1]. If there is
>>> >> > someone out there who can show me how to create a simple SOAP msg
>>> >> > using AXIS and how I can modify the resulting DOM tree, I'll
>>> >> > provide this example. The only thing that stopped me was installing
>>> >> > tomcat and all these things.
>
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail: webmaster@xml.apache.org
> To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org
>
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de>.
Dims,
I'll add two samples which can easily be modified and which relate to each
other. I'll send you a notification about that.
Christian
--On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <di...@yahoo.com>
wrote:
> Christian,
>
> Spent some time one the two samples CreateSignature.java and
> VerifySignature.java. The first samples creates signature.xml and the
> second one looks for hereSignature.xml....So i had to rename the generate
> signature.xml and feed it to VerifySignature.java. Is this right? If yes,
> i will try to spend some time tomorrow to bootstrap you with
> SimpleAxisServer with a custom Handler and some client code.
>
> Thanks,
> dims
>
> --- Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de> wrote:
>> Hi Davanum,
>>
>> I implemented the "XML Signature" spec [1] which is now available under
>> [2]. The distribution contains some examples how XML Signature can be
>> created and verified. These are stand-alone-examples which create a DOM
>> structure, sign it and write it to a file or verify an existing
>> Signature. Well, these examples are quite nice to demonstrate how
>> signatures are created and verified, but I wanted to add code on how a
>> SOAP message can be signed (at the client) and verified (at the
>> server's side). The "SOAP Security Extensions: Digital Signature" [3]
>> decribe how XML Signatures are 'embedded' into a SOAP message.
>>
>> Well, I'm not a SOAP guru and I don't want to spend weeks installing
>> Tomcat and learning how to create SOAP messages. It would be nice to
>> get a small 'stand-alone-client' and possibly (like Sam showed) a
>> server which gives me access to the Message: The client creates a
>> request, and before sending this request, I can sign it and put the
>> Signature into the Envelope. The server side the same: The server get's
>> a request and before
>> processing/dispatching it, I can verify whether the Signature is valid
>> (for demonstration purposes using a sample certificate).
>>
>> A second problem was: Should I provide such an example for "Apache SOAP"
>> or "Apache AXIS"?
>>
>> Maybe this gives an idea about it. BTW; if you wanna see how such an
>> example could look like: [4]
>>
>> Regards,
>> Christian
>>
>> [1] http://www.w3.org/TR/xmldsig-core/
>> [2] http://xml.apache.org/security/index.html
>> [3] http://www.w3.org/TR/SOAP-dsig/
>> [4]
>> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xm
>> l/s ecurity/samples/signature/CreateSignature.java
>>
>> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas
>> <di...@yahoo.com> wrote:
>>
>> > Can you elaborate a bit more on your thoughts? An overview of how you
>> > think we can make SOAP more secure using xml-security...This will help
>> > generate more ideas.
>> >
>> > Thanks,
>> > dims
>> >
>> > --- Sam Ruby <ru...@us.ibm.com> wrote:
>> >> Note: I'm cross posting to Axis dev. Please continue the discussion
>> >> there.
>> >>
>> >> Christian Geuer-Pollmann wrote:
>> >> >
>> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play
>> >> > around with these tools. I asked soap-user and soap-dev how I can
>> >> > directly access the soap message as a DOM tree to add a
>> >> > SOAP-SECURITY signature. Unfortunately no response. I want to add
>> >> > an example to xml-security how a SOAP message can be signed and
>> >> > this signature can be verified according to [1]. If there is
>> >> > someone out there who can show me how to create a simple SOAP msg
>> >> > using AXIS and how I can modify the resulting DOM tree, I'll
>> >> > provide this example. The only thing that stopped me was installing
>> >> > tomcat and all these things.
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de>.
Dims,
I'll add two samples which can easily be modified and which relate to each
other. I'll send you a notification about that.
Christian
--On Montag, 7. Januar 2002 18:14 -0800 Davanum Srinivas <di...@yahoo.com>
wrote:
> Christian,
>
> Spent some time one the two samples CreateSignature.java and
> VerifySignature.java. The first samples creates signature.xml and the
> second one looks for hereSignature.xml....So i had to rename the generate
> signature.xml and feed it to VerifySignature.java. Is this right? If yes,
> i will try to spend some time tomorrow to bootstrap you with
> SimpleAxisServer with a custom Handler and some client code.
>
> Thanks,
> dims
>
> --- Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de> wrote:
>> Hi Davanum,
>>
>> I implemented the "XML Signature" spec [1] which is now available under
>> [2]. The distribution contains some examples how XML Signature can be
>> created and verified. These are stand-alone-examples which create a DOM
>> structure, sign it and write it to a file or verify an existing
>> Signature. Well, these examples are quite nice to demonstrate how
>> signatures are created and verified, but I wanted to add code on how a
>> SOAP message can be signed (at the client) and verified (at the
>> server's side). The "SOAP Security Extensions: Digital Signature" [3]
>> decribe how XML Signatures are 'embedded' into a SOAP message.
>>
>> Well, I'm not a SOAP guru and I don't want to spend weeks installing
>> Tomcat and learning how to create SOAP messages. It would be nice to
>> get a small 'stand-alone-client' and possibly (like Sam showed) a
>> server which gives me access to the Message: The client creates a
>> request, and before sending this request, I can sign it and put the
>> Signature into the Envelope. The server side the same: The server get's
>> a request and before
>> processing/dispatching it, I can verify whether the Signature is valid
>> (for demonstration purposes using a sample certificate).
>>
>> A second problem was: Should I provide such an example for "Apache SOAP"
>> or "Apache AXIS"?
>>
>> Maybe this gives an idea about it. BTW; if you wanna see how such an
>> example could look like: [4]
>>
>> Regards,
>> Christian
>>
>> [1] http://www.w3.org/TR/xmldsig-core/
>> [2] http://xml.apache.org/security/index.html
>> [3] http://www.w3.org/TR/SOAP-dsig/
>> [4]
>> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xm
>> l/s ecurity/samples/signature/CreateSignature.java
>>
>> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas
>> <di...@yahoo.com> wrote:
>>
>> > Can you elaborate a bit more on your thoughts? An overview of how you
>> > think we can make SOAP more secure using xml-security...This will help
>> > generate more ideas.
>> >
>> > Thanks,
>> > dims
>> >
>> > --- Sam Ruby <ru...@us.ibm.com> wrote:
>> >> Note: I'm cross posting to Axis dev. Please continue the discussion
>> >> there.
>> >>
>> >> Christian Geuer-Pollmann wrote:
>> >> >
>> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play
>> >> > around with these tools. I asked soap-user and soap-dev how I can
>> >> > directly access the soap message as a DOM tree to add a
>> >> > SOAP-SECURITY signature. Unfortunately no response. I want to add
>> >> > an example to xml-security how a SOAP message can be signed and
>> >> > this signature can be verified according to [1]. If there is
>> >> > someone out there who can show me how to create a simple SOAP msg
>> >> > using AXIS and how I can modify the resulting DOM tree, I'll
>> >> > provide this example. The only thing that stopped me was installing
>> >> > tomcat and all these things.
---------------------------------------------------------------------
In case of troubles, e-mail: webmaster@xml.apache.org
To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Davanum Srinivas <di...@yahoo.com>.
Christian,
Spent some time one the two samples CreateSignature.java and VerifySignature.java. The first
samples creates signature.xml and the second one looks for hereSignature.xml....So i had to rename
the generate signature.xml and feed it to VerifySignature.java. Is this right? If yes, i will try
to spend some time tomorrow to bootstrap you with SimpleAxisServer with a custom Handler and some
client code.
Thanks,
dims
--- Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de> wrote:
> Hi Davanum,
>
> I implemented the "XML Signature" spec [1] which is now available under
> [2]. The distribution contains some examples how XML Signature can be
> created and verified. These are stand-alone-examples which create a DOM
> structure, sign it and write it to a file or verify an existing Signature.
> Well, these examples are quite nice to demonstrate how signatures are
> created and verified, but I wanted to add code on how a SOAP message can be
> signed (at the client) and verified (at the server's side). The "SOAP
> Security Extensions: Digital Signature" [3] decribe how XML Signatures are
> 'embedded' into a SOAP message.
>
> Well, I'm not a SOAP guru and I don't want to spend weeks installing Tomcat
> and learning how to create SOAP messages. It would be nice to get a small
> 'stand-alone-client' and possibly (like Sam showed) a server which gives me
> access to the Message: The client creates a request, and before sending
> this request, I can sign it and put the Signature into the Envelope. The
> server side the same: The server get's a request and before
> processing/dispatching it, I can verify whether the Signature is valid (for
> demonstration purposes using a sample certificate).
>
> A second problem was: Should I provide such an example for "Apache SOAP" or
> "Apache AXIS"?
>
> Maybe this gives an idea about it. BTW; if you wanna see how such an
> example could look like: [4]
>
> Regards,
> Christian
>
> [1] http://www.w3.org/TR/xmldsig-core/
> [2] http://xml.apache.org/security/index.html
> [3] http://www.w3.org/TR/SOAP-dsig/
> [4]
> http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xml/s
> ecurity/samples/signature/CreateSignature.java
>
> --On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas <di...@yahoo.com>
> wrote:
>
> > Can you elaborate a bit more on your thoughts? An overview of how you
> > think we can make SOAP more secure using xml-security...This will help
> > generate more ideas.
> >
> > Thanks,
> > dims
> >
> > --- Sam Ruby <ru...@us.ibm.com> wrote:
> >> Note: I'm cross posting to Axis dev. Please continue the discussion
> >> there.
> >>
> >> Christian Geuer-Pollmann wrote:
> >> >
> >> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play around
> >> > with these tools. I asked soap-user and soap-dev how I can directly
> >> > access the soap message as a DOM tree to add a SOAP-SECURITY
> >> > signature. Unfortunately no response. I want to add an example to
> >> > xml-security how a SOAP message can be signed and this signature can
> >> > be verified according to [1]. If there is someone out there who can
> >> > show me how to create a simple SOAP msg using AXIS and how I can
> >> > modify the resulting DOM tree, I'll provide this example. The only
> >> > thing that stopped me was installing tomcat and all these things.
>
=====
Davanum Srinivas - http://jguru.com/dims/
__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Christian Geuer-Pollmann <ma...@nue.et-inf.uni-siegen.de>.
Hi Davanum,
I implemented the "XML Signature" spec [1] which is now available under
[2]. The distribution contains some examples how XML Signature can be
created and verified. These are stand-alone-examples which create a DOM
structure, sign it and write it to a file or verify an existing Signature.
Well, these examples are quite nice to demonstrate how signatures are
created and verified, but I wanted to add code on how a SOAP message can be
signed (at the client) and verified (at the server's side). The "SOAP
Security Extensions: Digital Signature" [3] decribe how XML Signatures are
'embedded' into a SOAP message.
Well, I'm not a SOAP guru and I don't want to spend weeks installing Tomcat
and learning how to create SOAP messages. It would be nice to get a small
'stand-alone-client' and possibly (like Sam showed) a server which gives me
access to the Message: The client creates a request, and before sending
this request, I can sign it and put the Signature into the Envelope. The
server side the same: The server get's a request and before
processing/dispatching it, I can verify whether the Signature is valid (for
demonstration purposes using a sample certificate).
A second problem was: Should I provide such an example for "Apache SOAP" or
"Apache AXIS"?
Maybe this gives an idea about it. BTW; if you wanna see how such an
example could look like: [4]
Regards,
Christian
[1] http://www.w3.org/TR/xmldsig-core/
[2] http://xml.apache.org/security/index.html
[3] http://www.w3.org/TR/SOAP-dsig/
[4]
http://cvs.apache.org/viewcvs.cgi/xml-security/src_samples/org/apache/xml/s
ecurity/samples/signature/CreateSignature.java
--On Montag, 7. Januar 2002 07:19 -0800 Davanum Srinivas <di...@yahoo.com>
wrote:
> Can you elaborate a bit more on your thoughts? An overview of how you
> think we can make SOAP more secure using xml-security...This will help
> generate more ideas.
>
> Thanks,
> dims
>
> --- Sam Ruby <ru...@us.ibm.com> wrote:
>> Note: I'm cross posting to Axis dev. Please continue the discussion
>> there.
>>
>> Christian Geuer-Pollmann wrote:
>> >
>> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play around
>> > with these tools. I asked soap-user and soap-dev how I can directly
>> > access the soap message as a DOM tree to add a SOAP-SECURITY
>> > signature. Unfortunately no response. I want to add an example to
>> > xml-security how a SOAP message can be signed and this signature can
>> > be verified according to [1]. If there is someone out there who can
>> > show me how to create a simple SOAP msg using AXIS and how I can
>> > modify the resulting DOM tree, I'll provide this example. The only
>> > thing that stopped me was installing tomcat and all these things.
Re: Axis and security (was: Forrest Layout 1.4)
Posted by Davanum Srinivas <di...@yahoo.com>.
Christian,
Can you elaborate a bit more on your thoughts? An overview of how you think we can make SOAP more
secure using xml-security...This will help generate more ideas.
Thanks,
dims
--- Sam Ruby <ru...@us.ibm.com> wrote:
> Note: I'm cross posting to Axis dev. Please continue the discussion there.
>
> Christian Geuer-Pollmann wrote:
> >
> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play around with
> > these tools. I asked soap-user and soap-dev how I can directly access the
> > soap message as a DOM tree to add a SOAP-SECURITY signature. Unfortunately
> > no response. I want to add an example to xml-security how a SOAP message
> > can be signed and this signature can be verified according to [1]. If there
> > is someone out there who can show me how to create a simple SOAP msg using
> > AXIS and how I can modify the resulting DOM tree, I'll provide this
> > example. The only thing that stopped me was installing tomcat and all these
> > things.
>
> See:
>
> http://cvs.apache.org/viewcvs.cgi/xml-axis/java/samples/message/
>
> While the installation documents are written assuming you will be
> targetting a servlet engine:
>
> http://cvs.apache.org/viewcvs.cgi/~checkout~/xml-axis/java/docs/install.html
>
> ... you can develop and debug using your classpath and a standalone
> version:
>
>
>
http://cvs.apache.org/viewcvs.cgi/~checkout~/xml-axis/java/src/org/apache/axis/transport/http/SimpleAxisServer.java
>
> Note: while this is enough to get you started, the real problem to be
> solved is a bit more involved. See http://www.w3.org/TR/SOAP-dsig/ . What
> you probably want to do is to define a handler. An existing handler that
> treats the message as a whole can be found at:
>
>
>
http://cvs.apache.org/viewcvs.cgi/~checkout~/xml-axis/java/src/org/apache/axis/handlers/LogHandler.java
>
> And while to choses to get the message as a string, you can also call the
> getAsDOM method on the SOAPEnvelope:
>
>
>
http://nagoya.apache.org/gump/javadoc/xml-axis/java/build/javadocs/org/apache/axis/message/SOAPEnvelope.html
>
> If you would like to see what the finished result would look like, see:
>
> http://www.alphaworks.ibm.com/tech/webservicestoolkit/
>
> - Sam Ruby
>
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail: webmaster@xml.apache.org
> To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org
>
=====
Davanum Srinivas - http://jguru.com/dims/
__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/