Posted to fx-dev@ws.apache.org by Stanley Stanev <st...@yahoo.com> on 2006/04/27 07:28:53 UTC

WS-Security implicit header

Hello all,

I am trying to find out if it is possible to use Axis to generate a WSDL that
includes implicit security headers or in general any implicit headers.

Does anybody have an idea?

WSS4J helps handling WS-Security implicit headers and IMHO it is not a good
practice if the generated WSDL does not have information about the headers that
could be passed within the SOAP request. The WSDL is the contract after all.

thanks a lot

Stanimir Stanev (Stanley)
Senior Java Developer
Momentum SI, Austin TX
http://www.momentumsi.com
http://www.stanev.com

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: WS-Security implicit header

Posted by Stanley Stanev <st...@yahoo.com>.
I understand that, I am using handlers to handle all my implicit headers and
all works very well

however my question was if I am able to use Axis to generate the WSDL and
include all my implicit headers in the WSDL

if that is not possible I have to generate the WSDLs using Axis and then I have
to change them adding those implicit headers manually, which I do not like

I would like to publish a version of the WSDL that includes ALL implicit
headers, just to make the clients aware of them and I would like to use Axis to
generate all for me

thanks again,
Stan

--- Guy Rixon <gt...@ast.cam.ac.uk> wrote:

> I suspect that you'll have trouble making this work. The problem is that the
> header isn't something included by the application code in the client;
> instead, it needs to be generated by an Axis handler.  If you mention a
> header in the WSDL then Axis 1 gives you stubs with methods that take that
> header-structure as a parameter. I don't know what Axis 2 does about all
> this.
> 
> On Wed, 26 Apr 2006, Stanley Stanev wrote:
> 
> > Hello all,
> >
> > I am trying to find out if it is possible to use Axis to generate a WSDL
> > that includes implicit security headers or in general any implicit headers.
> >
> > Does anybody have an idea?
> >
> > WSS4J helps handling WS-Security implicit headers and IMHO it is not a good
> > practice if the generated WSDL does not have information about the headers
> > that could be passed within the SOAP request. The WSDL is the contract after
> > all.
> >
> > thanks a lot
> >
> > Stanimir Stanev (Stanley)
> > Senior Java Developer
> > Momentum SI, Austin TX
> > http://www.momentumsi.com
> > http://www.stanev.com
> 
> Guy Rixon 				        gtr@ast.cam.ac.uk
> Institute of Astronomy   	                Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
> 


Stanimir Stanev (Stanley)
Senior Java Developer
Momentum SI, Austin TX
http://www.momentumsi.com
http://www.stanev.com


Re: WS-Security implicit header

Posted by Guy Rixon <gt...@ast.cam.ac.uk>.
I suspect that you'll have trouble making this work. The problem is that the
header isn't something included by the application code in the client;
instead, it needs to be generated by an Axis handler.  If you mention a header
in the WSDL then Axis 1 gives you stubs with methods that take that
header-structure as a parameter. I don't know what Axis 2 does about all this.

On Wed, 26 Apr 2006, Stanley Stanev wrote:

> Hello all,
>
> I am trying to find out if it is possible to use Axis to generate a WSDL that
> includes implicit security headers or in general any implicit headers.
>
> Does anybody have an idea?
>
> WSS4J helps handling WS-Security implicit headers and IMHO it is not a good
> practice if the generated WSDL does not have information about the headers that
> could be passed within the SOAP request. The WSDL is the contract after all.
>
> thanks a lot
>
> Stanimir Stanev (Stanley)
> Senior Java Developer
> Momentum SI, Austin TX
> http://www.momentumsi.com
> http://www.stanev.com

Guy Rixon 				        gtr@ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523


Re: WS-Security implicit header

Posted by Stanley Stanev <st...@yahoo.com>.
I expected this answer :)

it's going to be a little difficult, because this way I am asking my consumers
the same "use products that support WS-Policy" and I am dictating their
decisions, which I do not like. However, I know tools are getting better and
better, so this is not going to be an issue in the near future I hope.

thanks,
Stan

--- Anne Thomas Manes <at...@gmail.com> wrote:

> WS-Policy. (i.e., use products that support WS-Policy)
> 
> On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> >
> > Anne,
> >
> > I am with you!
> >
> > first, WS-Policy has limited support yet
> > second, shouldn't define our headers in the WSDL
> >
> > then, do you have an idea today, how do we expose and in what form the
> > bits that the infrastructure is responsible for implementing (i.e. headers)
> > to the consumers
> >
> > thanks,
> > Stan
> >
> > --- Anne Thomas Manes <at...@gmail.com> wrote:
> >
> > > Stanley,
> > >
> > > The WSDL should define the bits that the application code needs to know
> > > about. It should *not* define the bits that the infrastructure (e.g.,
> > > handlers and intermediaries) is responsible for implementing (i.e.,
> > > headers). The infrastructure requirements should be defined using
> > > WS-Policy.
> > >
> > > Now, admittedly, WS-Policy is not yet a standard, and it has limited
> > > support by application platforms, but that doesn't change the fact that
> > > you really shouldn't define your headers in the WSDL.
> > >
> > > By the way -- yesterday W3C acknowledged the submission of the WS-Policy
> > > specifications (WS-Policy and WS-PolicyAttachments).
> > > See http://www.w3.org/Submission/2006/06/ .
> > >
> > > On 4/27/06, Ruchith Fernando <ru...@gmail.com> wrote:
> > > >
> > > > Hi Stanley,
> > > >
> > > > On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> > > > > yes, that's what I was referring to
> > > > >
> > > > > I asked Axis already, but do you know by chance if I am able to
> > > > > generate a WSDL that contains my own implicit headers using Axis 1.x?
> > > >
> > > > I don't think you can generate such a WSDL with Axis 1.x where it
> > > > defines headers to be included .... maybe an Axis 1.x expert can
> > > > please correct me on this if I'm wrong? (CCed to Axis-user list)
> > > >
> > > > Thanks,
> > > > Ruchith
> >
> > Stanimir Stanev (Stanley)
> > Senior Java Developer
> > Momentum SI, Austin TX
> > http://www.momentumsi.com
> > http://www.stanev.com
> 


Stanimir Stanev (Stanley)
Senior Java Developer
Momentum SI, Austin TX
http://www.momentumsi.com
http://www.stanev.com


Re: WS-Security implicit header

Posted by Anne Thomas Manes <at...@gmail.com>.
WS-Policy. (i.e., use products that support WS-Policy)

On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
>
> Anne,
>
> I am with you!
>
> first, WS-Policy has limited support yet
> second, shouldn't define our headers in the WSDL
>
> then, do you have an idea today, how do we expose and in what form the
> bits that the infrastructure is responsible for implementing (i.e. headers)
> to the consumers
>
> thanks,
> Stan
>
> --- Anne Thomas Manes <at...@gmail.com> wrote:
>
> > Stanley,
> >
> > The WSDL should define the bits that the application code needs to know
> > about. It should *not* define the bits that the infrastructure (e.g.,
> > handlers and intermediaries) is responsible for implementing (i.e.,
> > headers). The infrastructure requirements should be defined using
> > WS-Policy.
> >
> > Now, admittedly, WS-Policy is not yet a standard, and it has limited
> > support by application platforms, but that doesn't change the fact that
> > you really shouldn't define your headers in the WSDL.
> >
> > By the way -- yesterday W3C acknowledged the submission of the WS-Policy
> > specifications (WS-Policy and WS-PolicyAttachments).
> > See http://www.w3.org/Submission/2006/06/ .
> >
> > On 4/27/06, Ruchith Fernando <ru...@gmail.com> wrote:
> > >
> > > Hi Stanley,
> > >
> > > On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> > > > yes, that's what I was referring to
> > > >
> > > > I asked Axis already, but do you know by chance if I am able to
> > > > generate a WSDL that contains my own implicit headers using Axis 1.x?
> > >
> > > I don't think you can generate such a WSDL with Axis 1.x where it
> > > defines headers to be included .... maybe an Axis 1.x expert can
> > > please correct me on this if I'm wrong? (CCed to Axis-user list)
> > >
> > > Thanks,
> > > Ruchith
>
> Stanimir Stanev (Stanley)
> Senior Java Developer
> Momentum SI, Austin TX
> http://www.momentumsi.com
> http://www.stanev.com

Re: WS-Security implicit header

Posted by Stanley Stanev <st...@yahoo.com>.
yes, that's exactly what I need, WS-Policy

I hope the things will move forward quicker and we'll have the tools supporting
WS-Policy as WSS4J promised

thanks a lot,
Stan

--- Anne Thomas Manes <at...@gmail.com> wrote:

> Stanley,
> 
> The WSDL should define the bits that the application code needs to know
> about. It should *not* define the bits that the infrastructure (e.g.,
> handlers and intermediaries) is responsible for implementing (i.e.,
> headers). The infrastructure requirements should be defined using WS-Policy.
>
> Now, admittedly, WS-Policy is not yet a standard, and it has limited support
> by application platforms, but that doesn't change the fact that you really
> shouldn't define your headers in the WSDL.
>
> By the way -- yesterday W3C acknowledged the submission of the WS-Policy
> specifications (WS-Policy and WS-PolicyAttachments).
> See http://www.w3.org/Submission/2006/06/ .
>
> On 4/27/06, Ruchith Fernando <ru...@gmail.com> wrote:
> >
> > Hi Stanley,
> >
> > On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> > > yes, that's what I was referring to
> > >
> > > I asked Axis already, but do you know by chance if I am able to generate
> > > a WSDL that contains my own implicit headers using Axis 1.x?
> >
> > I don't think you can generate such a WSDL with Axis 1.x where it
> > defines headers to be included .... maybe an Axis 1.x expert can
> > please correct me on this if I'm wrong? (CCed to Axis-user list)
> >
> > Thanks,
> > Ruchith
> 


Stanimir Stanev (Stanley)
Senior Java Developer
Momentum SI, Austin TX
http://www.momentumsi.com
http://www.stanev.com


Re: WS-Security implicit header

Posted by Stanley Stanev <st...@yahoo.com>.
Anne,

I am with you!

first, WS-Policy has limited support yet
second, shouldn't define our headers in the WSDL

then, do you have an idea today, how do we expose and in what form the bits
that the infrastructure is responsible for implementing (i.e. headers) to the
consumers

thanks,
Stan

--- Anne Thomas Manes <at...@gmail.com> wrote:

> Stanley,
> 
> The WSDL should define the bits that the application code needs to know
> about. It should *not* define the bits that the infrastructure (e.g.,
> handlers and intermediaries) is responsible for implementing (i.e.,
> headers). The infrastructure requirements should be defined using WS-Policy.
>
> Now, admittedly, WS-Policy is not yet a standard, and it has limited support
> by application platforms, but that doesn't change the fact that you really
> shouldn't define your headers in the WSDL.
>
> By the way -- yesterday W3C acknowledged the submission of the WS-Policy
> specifications (WS-Policy and WS-PolicyAttachments).
> See http://www.w3.org/Submission/2006/06/ .
>
> On 4/27/06, Ruchith Fernando <ru...@gmail.com> wrote:
> >
> > Hi Stanley,
> >
> > On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> > > yes, that's what I was referring to
> > >
> > > I asked Axis already, but do you know by chance if I am able to generate
> > > a WSDL that contains my own implicit headers using Axis 1.x?
> >
> > I don't think you can generate such a WSDL with Axis 1.x where it
> > defines headers to be included .... maybe an Axis 1.x expert can
> > please correct me on this if I'm wrong? (CCed to Axis-user list)
> >
> > Thanks,
> > Ruchith

Stanimir Stanev (Stanley)
Senior Java Developer
Momentum SI, Austin TX
http://www.momentumsi.com
http://www.stanev.com


Re: WS-Security implicit header

Posted by Anne Thomas Manes <at...@gmail.com>.
Stanley,

The WSDL should define the bits that the application code needs to know
about. It should *not* define the bits that the infrastructure (e.g.,
handlers and intermediaries) is responsible for implementing (i.e.,
headers). The infrastructure requirements should be defined using WS-Policy.

Now, admittedly, WS-Policy is not yet a standard, and it has limited support
by application platforms, but that doesn't change the fact that you really
shouldn't define your headers in the WSDL.

By the way -- yesterday W3C acknowledged the submission of the WS-Policy
specifications (WS-Policy and WS-PolicyAttachments).
See http://www.w3.org/Submission/2006/06/ .

On 4/27/06, Ruchith Fernando <ru...@gmail.com> wrote:
>
> Hi Stanley,
>
> On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> > yes, that's what I was referring to
> >
> > I asked Axis already, but do you know by chance if I am able to generate
> > a WSDL that contains my own implicit headers using Axis 1.x?
>
> I don't think you can generate such a WSDL with Axis 1.x where it
> defines headers to be included .... maybe an Axis 1.x expert can
> please correct me on this if I'm wrong? (CCed to Axis-user list)
>
> Thanks,
> Ruchith

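Added example (not part of the original thread, and not code from Axis or WSS4J): the two ways discussed above of telling consumers about a security header, a soap:header in the WSDL binding versus a WS-Policy attachment, can be read back out of a published WSDL 1.1 file. The sample WSDL, its names (QuoteBinding, SecurityHeader, QuotePolicy) and the describe_headers function are constructed for illustration; "implicit" is assumed to mean a soap:header whose message is not the operation's portType input message.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")

# Constructed sample WSDL 1.1; every name in it is illustrative.
SAMPLE_WSDL = """
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:tns="urn:example:quote" targetNamespace="urn:example:quote">
  <wsp:Policy wsu:Id="QuotePolicy"><!-- security assertions would go here --></wsp:Policy>
  <message name="GetQuoteRequest">
    <part name="body" element="tns:GetQuote"/>
    <part name="session" element="tns:Session"/>
  </message>
  <message name="SecurityHeader">
    <part name="security" element="wsse:Security"/>
  </message>
  <portType name="QuotePort">
    <operation name="GetQuote"><input message="tns:GetQuoteRequest"/></operation>
  </portType>
  <binding name="QuoteBinding" type="tns:QuotePort">
    <wsp:PolicyReference URI="#QuotePolicy"/>
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetQuote">
      <input>
        <soap:body parts="body" use="literal"/>
        <soap:header message="tns:GetQuoteRequest" part="session" use="literal"/>
        <soap:header message="tns:SecurityHeader" part="security" use="literal"/>
      </input>
    </operation>
  </binding>
</definitions>
""".strip()


def local(qname):
    """Drop the prefix of a QName (assumes a single target namespace)."""
    return (qname or "").split(":")[-1]


def describe_headers(wsdl_text):
    """Report soap:header declarations and WS-Policy references per binding."""
    # A WSDL never needs a DTD; refusing one avoids entity-expansion problems
    # when the contract comes from a party you do not control.
    if "<!DOCTYPE" in wsdl_text:
        raise ValueError("DOCTYPE not allowed in WSDL input")
    root = ET.fromstring(wsdl_text)

    # wsu:Id values of every wsp:Policy defined in this document.
    policy_ids = {p.get(WSU_ID) for p in root.iter("{%s}Policy" % NS["wsp"])}

    # (portType, operation) -> local name of the input message.
    input_msg = {}
    for pt in root.findall("wsdl:portType", NS):
        for op in pt.findall("wsdl:operation", NS):
            inp = op.find("wsdl:input", NS)
            if inp is not None:
                input_msg[(pt.get("name"), op.get("name"))] = local(inp.get("message"))

    headers, policies = [], []
    for b in root.findall("wsdl:binding", NS):
        name, port_type = b.get("name"), local(b.get("type"))
        for ref in b.findall("wsp:PolicyReference", NS):
            uri = ref.get("URI", "")
            resolved = uri.startswith("#") and uri[1:] in policy_ids
            policies.append((name, uri, resolved))
        for op in b.findall("wsdl:operation", NS):
            body_msg = input_msg.get((port_type, op.get("name")))
            for h in op.findall("wsdl:input/soap:header", NS):
                same = local(h.get("message")) == body_msg
                kind = "explicit" if same else "implicit"
                headers.append((name, op.get("name"), h.get("part"), kind))
    return {"headers": headers, "policies": policies}


if __name__ == "__main__":
    report = describe_headers(SAMPLE_WSDL)
    for row in report["headers"]:
        print("header", row)
    for row in report["policies"]:
        print("policy", row)
```
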
Re: WS-Security implicit header

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Stanley,

On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> yes, that's what I was referring to
>
> I asked Axis already, but do you know by chance if I am able to generate a WSDL
> that contains my own implicit headers using Axis 1.x?

I don't think you can generate such a WSDL with Axis 1.x where it
defines headers to be included .... maybe an Axis 1.x expert can
please correct me on this if I'm wrong? (CCed to Axis-user list)

Thanks,
Ruchith

Trouble when securing the response

Posted by ma...@fsb.se.
Hi

I have a working webservice (using axis) and I have successfully secured
the request to the server with the following deployment configurations:

Client
<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
    <parameter name="action" value="Signature Encrypt Timestamp"/>
    <parameter name="user" value="UserA"/>
    <parameter name="passwordCallbackClass" value="security.PWCallback"/>
    <parameter name="signaturePropFile" value="cryptoclient.properties"/>
    <parameter name="encryptionUser" value="UserB"/>
  </handler>
</requestFlow>

Server
<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" value="sekerhet.PWCallback"/>
    <parameter name="action" value="Signature Encrypt Timestamp"/>
    <parameter name="signaturePropFile" value="cryptoserver.properties"/>
  </handler>
</requestFlow>

Cryptoclient.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.keystore.password=secretpassword
org.apache.ws.security.crypto.merlin.keystore.alias=UserA
org.apache.ws.security.crypto.merlin.file=UserAkeystore

Cryptoserver.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.keystore.password=secretpassword
org.apache.ws.security.crypto.merlin.keystore.alias=UserB
org.apache.ws.security.crypto.merlin.file=UserBkeystore

This works like a charm. The request is being signed, encrypted and
timestamped. So the next logical step was to do the same for the
response from the server. I extended the deployment descriptions on the
server and the client to the following:

Client
<responseFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="action" value="Signature Encrypt Timestamp"/>
    <parameter name="passwordCallbackClass" value="security.PWCallback"/>
    <parameter name="signaturePropFile" value="cryptoclient.properties"/>
  </handler>
</responseFlow>

Server
<responseFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
    <parameter name="action" value="Signature Encrypt Timestamp"/>
    <parameter name="user" value="UserB"/>
    <parameter name="passwordCallbackClass" value="sekerhet.PWCallback"/>
    <parameter name="signaturePropFile" value="cryptoserver.properties"/>
    <parameter name="encryptionUser" value="UserA"/>
  </handler>
</responseFlow>

When I view the http POST and the corresponding response it looks right.
I have attached the output in this mail. Unfortunately, when the client
receives the response and starts to verify the signing, timestamp and
decrypt the message a null pointer occurs. I have debugged to the
method decryptDataRef in WSSecurityEngine. So the password and the
location of the private key works fine. When the
WSSecurityUtil.getElementByWsuId(wssConfig, doc, dataRefURI) is called a
null pointer occurs. Further debug shows that the null pointer occurs
in the WSSecurityUtil class in the method findElementById(Node
startNode, String value, String namespace) where value is
EncDataId-17351095 and namespace
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd.
The startnode is:

<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2006-04-27T09:38:38.454Z</wsu:Created><wsu:Expires>2006-04-27T09:43:38.454Z</wsu:Expires></wsu:Timestamp>
<xenc:EncryptedKey>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference><ds:X509IssuerSerial>
<ds:X509IssuerName>CN=UserA</ds:X509IssuerName>

<ds:X509SerialNumber>1141738619</ds:X509SerialNumber>
</ds:X509IssuerSerial></wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>xfq+orbQx69rMT3jqirpSFJI3IyUfRwoKTAiW
ok8bSwd5ZQpf1qrpRVmGfd9j+PTmpP3iXfHzsh8
mFFAVaX8rztYqiMMxFsG1K2l8MkFGslGrGeu7VGal3oKaPfx5PZUBT1ItEOTY6XQ6PcOPcEj
NM6u
riWlELWgFq20Q+paQ4M=</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference URI="#EncDataId-17351095"
/></xenc:ReferenceList></xenc:EncryptedKey><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-17351095">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>tPv0iDcb6Bwn2YVsYIO1qW7myKw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
XraagTh/ZA5iUJeCjkxvlEJVbeJOFPv2yAG+Htf8nUGPSuE0rZ6tH1ysyIpIMOvDb9zfiMmv
3eCm
E8UtfaL8xLOCNykZH4CUuxDvF4j5LwSAnT/8mm5pEXhJWn9jgT27o3eE+bDrerEbTNXj4wxf
UEhS
KNz/+o2k0qdJe4U2JxA=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-2850754">
<wsse:SecurityTokenReference wsu:Id="STRId-30456965"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ds:X509IssuerSerial>
<ds:X509IssuerName>CN=UserB</ds:X509IssuerName>

<ds:X509SerialNumber>1141738621</ds:X509SerialNumber>
</ds:X509IssuerSerial></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
wsu:Id="id-17351095"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedData Id="EncDataId-17351095"
Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
/><xenc:CipherData><xenc:CipherValue>RQEuGbKefpDGgyk3hEsKSCI+OqtX7hvFJ+h
1mCTu6e3usrc9KvW5MlJAny9fxFNMWcRLYOXOJEir
s7kzX1hDC54HfrTZ1MkEOelZQ7eUkmjplWtSSphGeAVqvF2BWyvYsd+6oNqx3nEfap9mSnnR
rRwk
6I0bi546CU9wAEMCaz5U/hCua91mzASVZmg4XkQIvh7/AkB+stCAvuwyN03U0lwP8y5ZL13B
BHv6
eDxsn5o3Ltc7sMpOqjRjENaJp0FDd5wnbQOiAq+m1dHAzQHOuybOcQz/Lnj80Nve44t9MR+C
aV17
3kK08JcBp+wc42xUwQqzxB7oQ3TbNeSEjsjIq3gWtlSE9ULKGU1AWQB+WrRu6cy/V2czrOcu
7fMZ
Fxn/q/v5MTAIyIYTve7UZ7l/35WgJLIfmS63I7G43KsGgHptV5rHwIM2DFMDp7zBic3PbF7g
xi6e
d1sE5gMpH43kmWgoCiC0vi91rlUprIPbvOtRjFzpVeoUmIluFjToQYg0Ur26o1C7EXe1Y2oq
oiFT
6w4fBYbZRgVgSLTtEv1iM7c=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>

I am guessing it tries to find the element right under the body for
decrypting the body. But I can't understand why it doesn't find it. The
EncDataId is there and the element also. Does anyone have any guess as to
what's causing this?

Thanks
Markus
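
A diagnostic for the kind of captured response shown above, added here as an example and not part of the original post or of WSS4J: it resolves every same-document reference (xenc:DataReference, ds:Reference) and reports whether the target was found through a wsu:Id attribute or an unqualified Id attribute. The class name ReferenceCheck and the trimmed sample envelope are assumptions made for illustration; the Ids are the ones in the posted message.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical helper (not WSS4J code): shows how each "#id" reference resolves. */
public class ReferenceCheck {
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    // Constructed sample: same element layout and Ids as the posted response,
    // with key, digest, signature and cipher values left out.
    static final String SAMPLE =
        "<soapenv:Envelope xmlns:soapenv='" + SOAP_NS + "' xmlns:xenc='" + XENC_NS + "'>"
      + "<soapenv:Header><wsse:Security xmlns:wsse='" + WSSE_NS + "'>"
      + "<xenc:EncryptedKey><xenc:ReferenceList>"
      + "<xenc:DataReference URI='#EncDataId-17351095'/>"
      + "</xenc:ReferenceList></xenc:EncryptedKey>"
      + "<ds:Signature xmlns:ds='" + DS_NS + "'><ds:SignedInfo>"
      + "<ds:Reference URI='#id-17351095'/>"
      + "</ds:SignedInfo></ds:Signature>"
      + "</wsse:Security></soapenv:Header>"
      + "<soapenv:Body wsu:Id='id-17351095' xmlns:wsu='" + WSU_NS + "'>"
      + "<xenc:EncryptedData Id='EncDataId-17351095'/>"
      + "</soapenv:Body></soapenv:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // needed for getAttributeNS / getElementsByTagNameNS
        // The message is untrusted input: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** URI attributes of all encryption and signature references in the document. */
    static List<String> referenceUris(Document doc) {
        List<String> uris = new ArrayList<>();
        String[][] kinds = { { XENC_NS, "DataReference" }, { DS_NS, "Reference" } };
        for (String[] k : kinds) {
            NodeList refs = doc.getElementsByTagNameNS(k[0], k[1]);
            for (int i = 0; i < refs.getLength(); i++) {
                uris.add(((Element) refs.item(i)).getAttribute("URI"));
            }
        }
        return uris;
    }

    /** Elements whose wsu:Id or unqualified Id equals the fragment of the given URI. */
    static List<String> resolve(Document doc, String uri) {
        List<String> hits = new ArrayList<>();
        // Only same-document references with a non-empty fragment are checked;
        // an empty id would otherwise "match" every element that has no Id at all.
        if (!uri.startsWith("#") || uri.length() == 1) {
            return hits;
        }
        String id = uri.substring(1);
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttributeNS(WSU_NS, "Id"))) {
                hits.add(e.getTagName() + " via wsu:Id");
            } else if (id.equals(e.getAttributeNS(null, "Id"))) {
                hits.add(e.getTagName() + " via unqualified Id");
            }
        }
        return hits;
    }

    static String status(List<String> hits) {
        if (hits.isEmpty()) return "UNRESOLVED";
        // More than one element with the same Id makes the reference ambiguous;
        // a receiver should reject such a message rather than pick one.
        if (hits.size() > 1) return "AMBIGUOUS";
        return "ok";
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE);
        for (String uri : referenceUris(doc)) {
            List<String> hits = resolve(doc, uri);
            System.out.println(uri + " -> " + status(hits) + " " + hits);
        }
    }
}
```

In the sample, as in the posted message, the signature reference points at the Body through wsu:Id, while the data reference points at xenc:EncryptedData, which carries only an unqualified Id attribute.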

Re: WS-Security implicit header

Posted by Stanley Stanev <st...@yahoo.com>.
yes, that's what I was referring to

I asked Axis already, but do you know by chance if I am able to generate a WSDL
that contains my own implicit headers using Axis 1.x?

thanks Ruchith,
Stan

--- Ruchith Fernando <ru...@gmail.com> wrote:

> Hi Stanley,
> 
> Are you referring to having security policy in the WSDL according to
> the security configurations for a certain service? (Example: [1])
> 
> WS-Sec Policy support for WSS4J is going on right now ... and when
> this is completed you should be able to get this feature.
> 
> Note that with Axis2, we can include service/operation level policies
> in the configuration files and these policies will appear in the
> generated WSDL, also with the new sec policy support these can be
> used to configure the security module of axis2.
> 
> Thanks,
> Ruchith
> 
> [1] http://soaphub.org/wspolicy2/Round3.wsdl
> 
> On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> > Hello all,
> >
> > I am trying to find out if it is possible to use Axis to generate a WSDL
> > that includes implicit security headers or in general any implicit headers.
> >
> > Does anybody have an idea?
> >
> > WSS4J helps handling WS-Security implicit headers and IMHO it is not a good
> > practice if the generated WSDL does not have information about the headers
> > that could be passed within the SOAP request. The WSDL is the contract after
> > all.
> >
> > thanks a lot
> >
> > Stanimir Stanev (Stanley)
> > Senior Java Developer
> > Momentum SI, Austin TX
> > http://www.momentumsi.com
> > http://www.stanev.com


Stanimir Stanev (Stanley)
Senior Java Developer
Momentum SI, Austin TX
http://www.momentumsi.com
http://www.stanev.com

Re: WS-Security implicit header

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Stanley,

Are you referring to having security policy in the WSDL according to
the security configurations for a certain service? (Example: [1])

WS-Sec Policy support for WSS4J is going on right now ... and when
this is completed you should be able to get this feature.

Note that with Axis2, we can include service/operation level policies
in the configuration files and these policies will appear in the
generated WSDL, also with the new sec policy support these can be
used to configure the security module of axis2.

Thanks,
Ruchith

[1] http://soaphub.org/wspolicy2/Round3.wsdl

On 4/27/06, Stanley Stanev <st...@yahoo.com> wrote:
> Hello all,
>
> I am trying to find out if it is possible to use Axis to generate a WSDL that
> includes implicit security headers or in general any implicit headers.
>
> Does anybody have an idea?
>
> WSS4J helps handling WS-Security implicit headers and IMHO it is not a good
> practice if the generated WSDL does not have information about the headers that
> could be passed within the SOAP request. The WSDL is the contract after all.
>
> thanks a lot
>
> Stanimir Stanev (Stanley)
> Senior Java Developer
> Momentum SI, Austin TX
> http://www.momentumsi.com
> http://www.stanev.com

Re: WS-Security implicit header

Posted by Guy Rixon <gt...@ast.cam.ac.uk>.
I suspect that you'll have trouble making this work. The problem is that the
header isn't something included by the application code in the client;
instead, it needs to be generated by an Axis handler.  If you mention a header
in the WSDL then Axis 1 gives you stubs with methods that take that
header-structure as a parameter. I don't know what Axis 2 does about all this.

On Wed, 26 Apr 2006, Stanley Stanev wrote:

> Hello all,
>
> I am trying to find out if it is possible to use Axis to generate a WSDL that
> includes implicit security headers or in general any implicit headers.
>
> Does anybody have an idea?
>
> WSS4J helps handling WS-Security implicit headers and IMHO it is not a good
> practice if the generated WSDL does not have information about the headers that
> could be passed within the SOAP request. The WSDL is the contract after all.
>
> thanks a lot
>
> Stanimir Stanev (Stanley)
> Senior Java Developer
> Momentum SI, Austin TX
> http://www.momentumsi.com
> http://www.stanev.com

Guy Rixon 				        gtr@ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
