Posted to dev@santuario.apache.org by ra...@ralphholz.de on 2007/11/09 15:33:29 UTC

Controlling placement of in result XML tree

Hi,

How do I determine where the <ds:Signature> element is placed in the result 
XML? E.g., I have a SOAP message like this:

<env:Envelope>
<env:Header ... />
<env:Body>
<pdpa:message>...</pdpa:message>
</env:Body>
</env:Envelope>

My code signs only the <pdpa:message> part (using XPath-Transforms). In the 
resulting tree, the signature is added *after* the </env:Body>:

<env:Body>
<pdpa:message>...</pdpa:message>
</env:Body>
<ds:Signature>...</ds:Signature>
</env:Envelope>

I would, however, like to add it to the <pdpa:message> part:

<env:Body>
<pdpa:message>...</pdpa:message>
<ds:Signature>...</ds:Signature>
</env:Body>
</env:Envelope>

Reason: that way, I can just encrypt the <pdpa:message> (replace with 
<xenc:EncryptedData>) and preserve a correct SOAP message (with a Body 
element). The way it is now, I would encrypt the <pdpa:message> and have a 
signature "on the outside", which I consider weaker due to the weaknesses in 
SHA1.

The code for the XPath-Transformation is

String filter[][] = { { XPath2FilterContainer.INTERSECT,
				"//Envelope/Body/message" } };
transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER,
	XPath2FilterContainer.newInstances(insideDoc, filter));

Which I think is correct. Where do I make the mistake?

Thanks,
Ralph

-- 
For contact details, please see www.ralphholz.de.

Re: Controlling placement of in result XML tree

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,

If you are planning to sign the message the standard [1] way then you
will have to place the "Signature" element in the "Security" header of
the SOAP message. The WS-Sec specification describes how to encrypt
and/or sign the message while preserving SOAP envelope structure.

You can do this using the Apache WSS4J if you are planning to
sign/encrypt SOAP messages.

Thanks,
Ruchith

1. http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

On Nov 9, 2007 8:03 PM,  <ra...@ralphholz.de> wrote:
> Hi,
>
> How do I determine where the <ds:Signature> element is placed in the result
> XML? E.g., I have a SOAP message like this:
>
> <env:Envelope>
> <env:Header ... />
> <env:Body>
> <pdpa:message>...</pdpa:message>
> </env:Body>
> </env:Envelope>
>
> My code signs only the <pdpa:message> part (using XPath-Transforms). In the
> resulting tree, the signature is added *after* the </env:Body>:
>
> <env:Body>
> <pdpa:message>...</pdpa:message>
> </env:Body>
> <ds:Signature>...</ds:Signature>
> </env:Envelope>
>
> I would, however, like to add it to the <pdpa:message> part:
>
> <env:Body>
> <pdpa:message>...</pdpa:message>
> <ds:Signature>...</ds:Signature>
> </env:Body>
> </env:Envelope>
>
> Reason: that way, I can just encrypt the <pdpa:message> (replace with
> <xenc:EncryptedData>) and preserve a correct SOAP message (with a Body
> element). The way it is now, I would encrypt the <pdpa:message> and have a
> signature "on the outside", which I consider weaker due to the weaknesses in
> SHA1.
>
> The code for the XPath-Transformation is
>
> String filter[][] = { { XPath2FilterContainer.INTERSECT,
>                                 "//Envelope/Body/message" } };
> transforms.addTransform(Transforms.TRANSFORM_XPATH2FILTER,
>         XPath2FilterContainer.newInstances(insideDoc, filter));
>
> Which I think is correct. Where do I make the mistake?
>
> Thanks,
> Ralph
>
> --
> For contact details, please see www.ralphholz.de.
>



-- 
http://blog.ruchith.org
http://wso2.org