Posted to wss4j-dev@ws.apache.org by Robert Wierschke <wi...@googlemail.com> on 2008/07/27 18:30:09 UTC

Security headers?

Hi,

I'm a bit confused about the handling of Security headers in wss4j.

There is an object representing the Security header that must be inserted in
the DOM manually

WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc); // insert into DOM

Although the Security header should now be in the DOM tree, the object must be
passed again when calling the security operations.

builder.addExternalRefElement(refs, secHeader);
builder.prependToHeader(secHeader); // insert into SOAP (why!?)
builder.prependBSTElementToHeader(secHeader);

Furthermore I signed and encrypted the SOAP message in separate steps using
different builders and different WSSecHeader objects and calling
secHeader.insertSecurityHeader(doc) twice (once for each WSSecHeader) with
the same DOM tree. To my confusion this results in a SOAP message with only
one Security header element.

So what is the sense of the WSSecHeader? Why do I need to pass it
everywhere? Why do I need to insert it manually in the SOAP? What if I need
separate Security headers?

regards
robert

Re: Security headers?

Posted by Werner Dittmann <We...@t-online.de>.
Robert,

it's quite simple. One SOAP request may have several security headers, for
example using different actors. There is a constructor in WSSecHeader to
define an actor. A setter method is also available. Because it is an error
to have two security headers with the same actor, the WSSecHeader class
takes care to create and insert only _one_ header per actor. Refer to
the OASIS WSS specification for more detailed information.

Thus the application, in this case the test cases, may manage several
security headers.

When calling a security function such as adding a username token, the
application must define to which security header the token shall be
added or the security action shall be performed.

See some comments inline.

Regards,
Werner

Robert Wierschke wrote:
> Hi,
> 
> I'm a bit confused about the handling of Security headers in wss4j.
> 
> There is an object representing the Security header that must be inserted in
> the DOM manually
> 
> WSSecHeader secHeader = new WSSecHeader();
> secHeader.insertSecurityHeader(doc); // insert into DOM
> 
> Although the Security header should now be in the DOM tree, the object must be
> passed again when calling the security operations.
> 
> builder.addExternalRefElement(refs, secHeader);
> builder.prependToHeader(secHeader); // insert into SOAP (why!?)
Werner: does not bind to SOAP but puts the data of this builder object
into the security header, prepending other existing security tokens
already inside the security header. The security header is already inserted
into the SOAP request.


> builder.prependBSTElementToHeader(secHeader);
> 
> Furthermore I signed and encrypted the SOAP message in separate steps using
> different builders and different WSSecHeader objects and calling
> secHeader.insertSecurityHeader(doc) twice (once for each WSSecHeader) with
> the same DOM tree. To my confusion this results in a SOAP message with only
> one Security header element.
> 
> So what is the sense of the WSSecHeader? Why do I need to pass it
> everywhere? Why do I need to insert it manually in the SOAP? What if I need
> separate Security headers?
> 
> regards
> robert
> 
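
The one-header-per-actor behaviour described in the reply, as an added example that is not code from this thread or from the WSS4J project. It assumes WSS4J 1.5.x (the org.apache.ws.security packages) on the classpath; the envelope, the actor URI and the credentials are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SecurityHeaderPerActor {
    // Constructed SOAP 1.1 envelope used as sample input.
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<soapenv:Header/><soapenv:Body><ping xmlns=\"urn:example:ping\"/></soapenv:Body>"
        + "</soapenv:Envelope>";

    // Counts wsse:Security elements anywhere in the message.
    static int countSecurityHeaders(Document doc) {
        return doc.getElementsByTagNameNS(WSConstants.WSSE_NS, "Security").getLength();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required so the wsse namespace lookup works
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(ENVELOPE.getBytes("UTF-8")));

        // Two WSSecHeader objects without an actor resolve to the same DOM element.
        WSSecHeader first = new WSSecHeader();
        WSSecHeader second = new WSSecHeader();
        Element e1 = first.insertSecurityHeader(doc);
        Element e2 = second.insertSecurityHeader(doc);
        System.out.println("same element for same actor: " + e1.isSameNode(e2));

        // A header object with a different actor gets its own Security element.
        WSSecHeader forActor = new WSSecHeader("urn:example:intermediary"); // hypothetical actor URI
        forActor.insertSecurityHeader(doc);
        System.out.println("Security headers in message: " + countSecurityHeaders(doc));

        // Each security operation is told which header it writes into.
        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.build(doc, first);               // goes into the actor-less header
        WSSecUsernameToken token = new WSSecUsernameToken();
        token.setUserInfo("alice", "constructed-password"); // constructed credentials
        token.build(doc, forActor);                // goes into the intermediary's header
    }
}
```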

