Posted to soap-dev@xml.apache.org by George I Matkovits <ma...@uswest.net> on 2000/09/04 06:42:05 UTC

SecureSoap (was SSLSoap) Part 1 of 3.

This is Part (1) with the attachment:
SecureSoap-BASE-08312000.zip
This is Part1 of the latest version of SSLSoap renamed
SecureSoap. It is based on the latest XML-SoapV2_0. I am sorry for the
pretentious name but I am committed to do the full thing.
Please read the Design Note -) in the directory INFO within
the root directory. This version also handles the Proxy
configuration via a Soap.properties file. I got its idea
from Apache Cocoon. IMHO HTTP headers (send & receive) are
also handled correctly here. The idea for the 'header
handling' code is based on the IBM AlphaWorks NASSL Tool
Kit since I am far from being an HTTP expert. The debug
trace for HTTP headers can be controlled by a flag in
Soap.properties. Currently it is on, to allow checking for
HTTP1.1 keep-alives.
Any comments would be appreciated.
Regards - George

Re: SecureSoap (was SSLSoap) Part 1 of 3.

Posted by George I Matkovits <ma...@uswest.net>.
Yes. The current changes are all on the client side. I tried to be as
compatible with other soap implementations as possible. The current
SSL changes provide https or http transport to the Web Server.
Currently the Servlet Container does not come into the picture, I
just placed some https stuff there to test compatibility. :-)  My
reason for this is that Certificate handling is not supported equally
well with even Servlet2.2 spec compliant Servlet Engines. For access
validation I will try to follow a very similar philosophy. I have a
kind of a design which I will be reviewing with my boss in the
morning and with our 'security expert' later this week. After that I
am planning to publish a design document on this forum. I work in a
mixed NT/Unix shop and my (and my boss's) ultimate aim is to provide
Java based Web Services extensions for our applications, aka IBM's
WSK Toolkit which I would like my company to license, including your
NASSL. It is Java 'run anywhere' while Microsoft's SDL is Windows
only, easy choice! (-:
I had to use URL and not socket connections because those work with
Sun's JSSE code but sockets do not. It is JSSE and Soap2_0 which do
the real SSL work. My additions just call on JSSE APIs to do the SSL
handshaking and payload encryption. I just love Java's flexibility.
The meat of the code is within HTTPUtils.java and the changes are
really minimal.
The header handling ideas were borrowed from your WSK Tool Kit. I had
to add a configuration properties file whose idea I borrowed from
apache.Cocoon. Most of the utility code is in SecurityUtils.java
which I will extend greatly in its upcoming incarnations.
If you just unjar the code in the Part# order then most of its
functionality can be gleaned from the srcDIFFS directory. Again, the
current changes are really minimal. They were easy to make since the
V2_0 XML-Soap is rather nicely structured.
My only regret is that the Sample interfaces had to be changed which
I describe in the Release Note within the INFO directory of Soap Root
(SecureSoap2_0/INFO).
These SSL extensions should work against any Real :-) Web Server like
Apache or IIS.
Regards - George

Sanjiva Weerawarana wrote:

> Hi George,
>
> I would really like to have SSL support for Apache SOAP. Do other
> committers agree with this? If so I will nominate George to
> committer status so that we can get this code in.
>
> George, can you please educate me a bit? (I'm afraid I know next
> to nothing about this stuff.) Do you change the client-side only?
> Can you give a high level explanation of the changes?
>
> Sanjiva.
>
> ----- Original Message -----
> From: "George I Matkovits" <ma...@uswest.net>
> To: <so...@xml.apache.org>
> Sent: Monday, September 04, 2000 12:42 AM
> Subject: SecureSoap (was SSLSoap) Part 1 of 3.
>
> > This is Part (1) with the attachment:
> > SecureSoap-BASE-08312000.zip
> > This is Part1 of the latest version of SSLSoap renamed
> > SecureSoap. It is based on the latest XML-SoapV2_0. I am sorry for the
> > pretentious name but I am committed to do the full thing.
> > Please read the Design Note -) in the directory INFO within
> > the root directory. This version also handles the Proxy
> > configuration via a Soap.properties file. I got its idea
> > from Apache Cocoon. IMHO HTTP headers (send & receive) are
> > also handled correctly here. The idea for the 'header
> > handling' code is based on the IBM AlphaWorks NASSL Tool
> > Kit since I am far from being an HTTP expert. The debug
> > trace for HTTP headers can be controlled by a flag in
> > Soap.properties. Currently it is on, to allow checking for
> > HTTP1.1 keep-alives.
> > Any comments would be appreciated.
> > Regards - George
> >
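
The client-side approach described in the message above (a URL connection whose https handshake is done by JSSE, a proxy taken from a properties file, and a flag that turns on an HTTP header trace), as an added example that is not SecureSoap's code or part of the original post. The property names proxy.host, proxy.port and http.trace and the class name are assumptions made for this sketch; the real keys in Soap.properties are not shown in the thread.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import javax.net.ssl.HttpsURLConnection;

public class SoapHttpsPost {
    // Parse properties text; the key names used below are assumed for this example.
    static Properties config(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    static HttpURLConnection open(URL endpoint, Properties cfg) throws IOException {
        String host = cfg.getProperty("proxy.host", "");
        Proxy proxy = host.isEmpty() ? Proxy.NO_PROXY
            : new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host,
                  Integer.parseInt(cfg.getProperty("proxy.port", "8080"))));
        // The URL scheme selects the http or https handler. For https, JSSE does
        // the handshake, certificate-chain validation and hostname check with its
        // defaults; no custom TrustManager or HostnameVerifier is installed.
        HttpURLConnection c = (HttpURLConnection) endpoint.openConnection(proxy);
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        c.setRequestProperty("SOAPAction", "\"\"");
        return c;
    }

    static int post(HttpURLConnection c, String envelope, boolean trace) throws IOException {
        try (OutputStream out = c.getOutputStream()) {
            out.write(envelope.getBytes(StandardCharsets.UTF_8));
        }
        int status = c.getResponseCode();
        if (trace) { // response header trace, e.g. to check for keep-alive
            c.getHeaderFields().forEach((k, v) -> System.err.println(k + ": " + v));
            if (c instanceof HttpsURLConnection)
                System.err.println("cipher: " + ((HttpsURLConnection) c).getCipherSuite());
        }
        return status;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample configuration and envelope, embedded inline.
        Properties cfg = config("proxy.host=\nproxy.port=8080\nhttp.trace=true\n");
        String envelope = "<SOAP-ENV:Envelope xmlns:SOAP-ENV="
            + "\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Body/></SOAP-ENV:Envelope>";
        if (args.length == 0) { System.out.println("usage: SoapHttpsPost <endpoint-url>"); return; }
        boolean trace = Boolean.parseBoolean(cfg.getProperty("http.trace"));
        System.out.println("HTTP " + post(open(new URL(args[0]), cfg), envelope, trace));
    }
}
```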


Re: SecureSoap (was SSLSoap) Part 1 of 3.

Posted by Sanjiva Weerawarana <sa...@mailandnews.com>.
Hi George,

I would really like to have SSL support for Apache SOAP. Do other 
committers agree with this? If so I will nominate George to
committer status so that we can get this code in.

George, can you please educate me a bit? (I'm afraid I know next 
to nothing about this stuff.) Do you change the client-side only? 
Can you give a high level explanation of the changes?

Sanjiva.

----- Original Message ----- 
From: "George I Matkovits" <ma...@uswest.net>
To: <so...@xml.apache.org>
Sent: Monday, September 04, 2000 12:42 AM
Subject: SecureSoap (was SSLSoap) Part 1 of 3.


> This is Part (1) with the attachment:
> SecureSoap-BASE-08312000.zip
> This is Part1 of the latest version of SSLSoap renamed
> SecureSoap. It is based on the latest XML-SoapV2_0. I am sorry for the
> pretentious name but I am committed to do the full thing.
> Please read the Design Note -) in the directory INFO within
> the root directory. This version also handles the Proxy
> configuration via a Soap.properties file. I got its idea
> from Apache Cocoon. IMHO HTTP headers (send & receive) are
> also handled correctly here. The idea for the 'header
> handling' code is based on the IBM AlphaWorks NASSL Tool
> Kit since I am far from being an HTTP expert. The debug
> trace for HTTP headers can be controlled by a flag in
> Soap.properties. Currently it is on, to allow checking for
> HTTP1.1 keep-alives.
> Any comments would be appreciated.
> Regards - George
> 

