You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by James Casbon <Ja...@citria.com> on 2001/04/26 16:37:24 UTC

Signed SOAP messages & handling secuirty

I saw with interest the TRL proposal in the nightly build I downloaded.  Is
the intention to include signed messages as part of Axis?

If it is to be included, it seems strange to base this on xss4j for two
reasons:

xss4j is not open source & requires license fee
xss4j does not allow for integration with cryptoki (and cannot be modified
as it is not open source).

Further, the Signature class currently only allows for the attachment of one
certificate.  Should it not offer a way of including an entire certificate
chain for trust verification?

I also cannot see anything in the SOAP specifications that details how
security is to be handled.  I mean, to offer a secure RPC handler would you
chain to handlers: have a security handler and a rpc handler and let the
security handler verify a call?

Consider a banking service that offers a transfer method.  The user makes a
call to a method such as:

	makeTransfer( int sourceAccount, int destinationAccount, float
funds);

he then signs the call to indicate he is authorised to transfer from the
source account and posts the SOAP message

The message arrives at the server, and the security handler verifies his
digital signature.  What we need now is a standard way of including this
identity so that it is accessible by the method being invoked.  One possible
way would be to have the Security Handler insert the verified identity as a
parameter to the method call, and I have successfully applied this approach
to Apache SOAP 2.1.  But this does seem an arbritrary convention, is there a
better way?

thanks,


James


James Casbon
Software Engineer
Citria Ltd
40 Holborn Viaduct
London EC1N 2PB
United Kingdom	

T: 020 7832 3185
M: 07968 055943
F: 020 7832 3232
E: James.Casbon@citria.com
Citria Limited <http://www.citria.com> 	

__________________________________________________________________

If you are not the addressee of this confidential e-mail and any 
attachments, please delete it and inform the sender; unauthorised 
redistribution or publication is prohibited. 
Views expressed are those of the author and do not necessarily 
represent those of Citria Limited.
__________________________________________________________________