Posted to fx-dev@ws.apache.org by Dittmann Werner <we...@siemens.com> on 2004/05/25 08:31:24 UTC

AW: [jira] Updated: (WSFX-8) Suggestion for a more flexible handling of UsernameTokens

Christof, Dims, all,

WSSecurityEngine handles/verifies the SOAP messages according
to the OASIS WSS specifications.

As I understand it, this patch removes the UsernameToken
handling from WSSecurityEngine and moves it into Axis handler
space. This contradicts the idea of having an independent
WSS library that handles WSS compliant SOAP messages. The WSS4J
library is usable for other implementations as well,
not only for Axis handlers. The Axis handlers that are delivered
with WSS4J are just one implementation that uses the WSS4J functions.

This idea also breaks the interface contract of WSSecurityEngine
because it does not verify the received message and report
(via exception) failures.

A better idea would be to have (optional) plugins inside the 
WSSecurityEngine.handleUsernameToken() and 
WSSAddUsernameToken.build() that deal with specific elements 
inside UsernameToken. Changes must not break the interface contract
in any way. 

Regards,
Werner


> -----Original Message-----
> From: jira@apache.org [mailto:jira@apache.org] 
> Sent: Monday, 24 May 2004 15:48
> To: fx-dev@ws.apache.org
> Subject: [jira] Updated: (WSFX-8) Suggestion for a more 
> flexible handling of UsernameTokens
> 
> 
> The following issue has been updated:
> 
>     Updater: Christof Soehngen (mailto:christof.soehngen@syracom.de)
>        Date: Mon, 24 May 2004 6:46 AM
>     Changes:
>              Attachment changed to WSDoAllReceiver.java.patch
>     
> ---------------------------------------------------------------------
> For a full history of the issue, see:
> 
>   http://issues.apache.org/jira/browse/WSFX-8?page=history
> 
> ---------------------------------------------------------------------
> View the issue:
>   http://issues.apache.org/jira/browse/WSFX-8
> 
> Here is an overview of the issue:
> ---------------------------------------------------------------------
>         Key: WSFX-8
>     Summary: Suggestion for a more flexible handling of UsernameTokens
>        Type: Improvement
> 
>      Status: Unassigned
>    Priority: Major
> 
>     Project: WSFX
>  Components: 
>              WSS4J
> 
>    Assignee: 
>    Reporter: Christof Soehngen
> 
>     Created: Mon, 24 May 2004 6:45 AM
>     Updated: Mon, 24 May 2004 6:46 AM
> Environment: CVS snapshot from 2004-05-24
> 
> Description:
> I suggest improving UsernameToken handling to allow the following: 
>  - hook in WSDoAllReceiver for custom validation algorithms
>  - conserve custom child-elements of the UsernameToken and 
> pass them to the validation algorithm
> 
> Problems with the existing code are:
>  - validation takes place in WSSecurityEngine
>  - additional custom elements of the UsernameToken are discarded
> 
> I therefore modified the following classes:
>  - org.apache.ws.security.WSSecurityEngine.java:
> 	* Remove method handleUsernameToken()
> 	* Modify method processSecurityHeader (extraction of 
> UsernameToken)
>  - org.apache.ws.security.WSSecurityEngineResult.java:
> 	* Add attribute ut
> 	* Add constructor with username token
> 	* Add method getUsernameToken
>  - org.apache.ws.security.message.WSAddUsernameToken.java:
> 	* Add method addCustomElement()
>  - org.apache.ws.security.message.token.UsernameToken.java:
> 	* Modify constructor: Read custom elements from XML
> 	* Add attribute customElements
> 	* Add method getCustomElements()
> 	* Add method setCustomElements()
>  - org.apache.ws.axis.security.WSDoAllReceiver.java:
> 	* Modify method invoke: call hook for validation of 
> UsernameToken (verifyUsernameToken())
> 	* Add method verifyUsernameToken()
> 
> Any suggestions are welcome,
> Christof
> 
> 

Re: AW: [jira] Updated: (WSFX-8) Suggestion for a more flexible handling of UsernameTokens

Posted by Davanum Srinivas <da...@gmail.com>.
I agree with Werner on this.

thanks,
dims

On Tue, 25 May 2004 08:31:24 +0200, Dittmann Werner
<we...@siemens.com> wrote:
> 
> Christof, Dims, all,
> 
> WSSecurityEngine handles/verifies the SOAP messages according
> to the OASIS WSS specifications.
> 
> As I understand it, this patch removes the UsernameToken
> handling from WSSecurityEngine and moves it into Axis handler
> space. This contradicts the idea of having an independent
> WSS library that handles WSS compliant SOAP messages. The WSS4J
> library is usable for other implementations as well,
> not only for Axis handlers. The Axis handlers that are delivered
> with WSS4J are just one implementation that uses the WSS4J functions.
> 
> This idea also breaks the interface contract of WSSecurityEngine
> because it does not verify the received message and report
> (via exception) failures.
> 
> A better idea would be to have (optional) plugins inside the
> WSSecurityEngine.handleUsernameToken() and
> WSSAddUsernameToken.build() that deal with specific elements
> inside UsernameToken. Changes must not break the interface contract
> in any way.
> 
> Regards,
> Werner
> 
> > -----Original Message-----
> > From: jira@apache.org [mailto:jira@apache.org]
> > Sent: Monday, 24 May 2004 15:48
> > To: fx-dev@ws.apache.org
> > Subject: [jira] Updated: (WSFX-8) Suggestion for a more
> > flexible handling of UsernameTokens
> >
> >
> > The following issue has been updated:
> >
> >     Updater: Christof Soehngen (mailto:christof.soehngen@syracom.de)
> >        Date: Mon, 24 May 2004 6:46 AM
> >     Changes:
> >              Attachment changed to WSDoAllReceiver.java.patch
> >
> > ---------------------------------------------------------------------
> > For a full history of the issue, see:
> >
> >   http://issues.apache.org/jira/browse/WSFX-8?page=history
> >
> > ---------------------------------------------------------------------
> > View the issue:
> >   http://issues.apache.org/jira/browse/WSFX-8
> >
> > Here is an overview of the issue:
> > ---------------------------------------------------------------------
> >         Key: WSFX-8
> >     Summary: Suggestion for a more flexible handling of UsernameTokens
> >        Type: Improvement
> >
> >      Status: Unassigned
> >    Priority: Major
> >
> >     Project: WSFX
> >  Components:
> >              WSS4J
> >
> >    Assignee:
> >    Reporter: Christof Soehngen
> >
> >     Created: Mon, 24 May 2004 6:45 AM
> >     Updated: Mon, 24 May 2004 6:46 AM
> > Environment: CVS snapshot from 2004-05-24
> >
> > Description:
> > I suggest improving UsernameToken handling to allow the following:
> >  - hook in WSDoAllReceiver for custom validation algorithms
> >  - conserve custom child-elements of the UsernameToken and
> > pass them to the validation algorithm
> >
> > Problems with the existing code are:
> >  - validation takes place in WSSecurityEngine
> >  - additional custom elements of the UsernameToken are discarded
> >
> > I therefore modified the following classes:
> >  - org.apache.ws.security.WSSecurityEngine.java:
> >       * Remove method handleUsernameToken()
> >       * Modify method processSecurityHeader (extraction of
> > UsernameToken)
> >  - org.apache.ws.security.WSSecurityEngineResult.java:
> >       * Add attribute ut
> >       * Add constructor with username token
> >       * Add method getUsernameToken
> >  - org.apache.ws.security.message.WSAddUsernameToken.java:
> >       * Add method addCustomElement()
> >  - org.apache.ws.security.message.token.UsernameToken.java:
> >       * Modify constructor: Read custom elements from XML
> >       * Add attribute customElements
> >       * Add method getCustomElements()
> >       * Add method setCustomElements()
> >  - org.apache.ws.axis.security.WSDoAllReceiver.java:
> >       * Modify method invoke: call hook for validation of
> > UsernameToken (verifyUsernameToken())
> >       * Add method verifyUsernameToken()
> >
> > Any suggestions are welcome,
> > Christof
> >
> >
>
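
Added example, not part of the thread and not WSS4J code: a sketch of the plugin approach suggested in the first message, where the engine keeps verifying the token and reporting failures by exception, and an optional plugin inspects the custom child elements in addition. All class, method and element names, the plain-text password comparison and the sample data are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Hypothetical names throughout; this is not the WSS4J API.
public class PluggableTokenCheck {
    static class TokenException extends Exception {
        TokenException(String msg) { super(msg); }
    }

    /** Optional plugin: sees the custom child elements and may only reject. */
    interface CustomElementValidator {
        void validate(String user, Map<String, String> custom) throws TokenException;
    }

    /** Stand-in for the engine: verification stays inside the library. */
    static class Engine {
        private final Map<String, String> passwords;
        private final CustomElementValidator plugin; // null means no plugin
        Engine(Map<String, String> pw, CustomElementValidator plugin) { this.passwords = pw; this.plugin = plugin; }

        /** Contract: returns only for a verified token, otherwise throws. */
        String handleUsernameToken(String user, String password,
                                   Map<String, String> custom) throws TokenException {
            String expected = passwords.get(user);
            if (expected == null || password == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    password.getBytes(StandardCharsets.UTF_8))) {
                throw new TokenException("UsernameToken verification failed");
            }
            if (plugin != null) plugin.validate(user, custom); // in addition to, not instead of
            return user;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one user, one custom child element.
        Engine engine = new Engine(Map.of("alice", "s3cret"), (user, custom) -> {
            if (!"sales".equals(custom.get("Department"))) throw new TokenException("custom element rejected");
        });
        String[][] cases = {{"alice", "s3cret", "sales"}, {"alice", "wrong", "sales"}, {"alice", "s3cret", "hr"}};
        for (String[] c : cases) {
            try {
                System.out.println(engine.handleUsernameToken(c[0], c[1], Map.of("Department", c[2])) + " accepted");
            } catch (TokenException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the built-in check runs before the plugin and the plugin can only throw, any caller of the engine, not just an Axis handler, still receives either a verified token or an exception.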