Posted to fx-dev@ws.apache.org by Anderson Jonathan <an...@bah.com> on 2004/02/27 01:07:07 UTC
A few questions for you guys...
Hey guys,
I like the new digs - it's good to see you guys back at Apache. :)
A few questions for anyone who cares to answer -
1) What's the deal with SOAP attachments? As far as I can tell the latest
Oasis WS-Security specification makes no mention of them at all, yet the
original Microsoft/IBM spec had a really brief blurb about them (Section
4.5.2, bullet item #2). After some fruitless googling, I thought maybe you
guys would know the full story. Is anybody considering signing or
encrypting SOAP attachments with WS-Security?
2) I'm trying to write some code that verifies that a valid signature
actually "covers" a set of required elements that we have. To do this I'm
having to dig down into the actual XML-Security SignedInfo References - and
even then I have not found an elegant way to do it. Right now I'm doing
something like:
    List coveredElementNodes = new ArrayList();
    for (int i=0; i < sig.getSignedInfo().getLength(); i++)
    {
        Reference ref = sig.getSignedInfo().item(i);
        XMLSignatureInput input = ref.getContentsBeforeTransformation();
        Set nodes = input.getNodeSet();
        for (Iterator iterator = nodes.iterator(); iterator.hasNext();)
        {
            Node node = (Node) iterator.next();
            if (node.getNodeType() == Node.ELEMENT_NODE)
            {
                coveredElementNodes.add(node);
            }
        }
    }
And then I simply do a coveredElementNodes.contains() for every Element in the
DOM that I want to ensure has been signed. It's ugly, it's inefficient, and
I'm curious - is there a better way?
Any thoughts or advice would be appreciated.
Thanks,
-Jon
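An added example (not part of the original post, and not WSS4J or XML-Security project code) of one way to do the coverage check asked about in question 2, using the Apache XML Security classes the post already relies on. The names `SignatureCoverage`, `uncovered` and `onlySafeTransforms` and the transform allow-list are assumptions made here; only references that dereference to a single subtree are counted as covering anything.

```java
import java.util.*;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.*;
import org.apache.xml.security.transforms.Transforms;
import org.w3c.dom.*;

/** Hypothetical helper: checks that required elements lie inside signed subtrees. */
public final class SignatureCoverage {
    // Assumed allow-list: transforms that cannot drop a required element from
    // the digest input. Anything else (XPath, XSLT, ...) may filter nodes out.
    private static final Set<String> SAFE_TRANSFORMS = new HashSet<>(Arrays.asList(
        Transforms.TRANSFORM_C14N_OMIT_COMMENTS,
        Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS,
        Transforms.TRANSFORM_ENVELOPED_SIGNATURE));

    /** Returns the required elements NOT covered by sig; empty means full coverage. */
    public static List<Element> uncovered(XMLSignature sig, Collection<Element> required)
            throws XMLSecurityException {
        // Identity set: DOM nodes are compared by reference, never by equals().
        Set<Node> signedRoots = Collections.newSetFromMap(new IdentityHashMap<>());
        SignedInfo si = sig.getSignedInfo();
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            if (!onlySafeTransforms(ref.getTransforms())) continue;
            XMLSignatureInput in = ref.getContentsBeforeTransformation();
            // A same-document reference ("#id" or "") dereferences to one subtree
            // root; node-set inputs are conservatively not counted as coverage.
            if (in.isElement()) signedRoots.add(in.getSubNode());
        }
        List<Element> missing = new ArrayList<>();
        for (Element e : required) {
            // Covered if the element or any ancestor is a signed subtree root.
            Node n = e;
            while (n != null && !signedRoots.contains(n)) n = n.getParentNode();
            if (n == null) missing.add(e);
        }
        return missing;
    }

    private static boolean onlySafeTransforms(Transforms t) throws XMLSecurityException {
        if (t == null) return true; // no Transforms element on this Reference
        for (int i = 0; i < t.getLength(); i++)
            if (!SAFE_TRANSFORMS.contains(t.item(i).getURI())) return false;
        return true;
    }
}
```

Call it only after `sig.checkSignatureValue(...)` has returned true, and pass the same DOM `Element` instances the application goes on to read, since coverage is decided by node identity.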
RE: A few questions for you guys...
Posted by Davanum Srinivas <di...@yahoo.com>.
Jon,
We could add code that is NOT part of the spec if we have cycles... (Hint: care to submit a patch? :)
thanks,
dims
--- Anderson Jonathan <an...@bah.com> wrote:
> Thanks Dims. I'm going to assume then that attachments are now out of scope
> for the OASIS spec, and therefore for all OASIS spec implementations such as
> WSS4J.
>
> -Jon
=====
Davanum Srinivas - http://webservices.apache.org/~dims/
RE: A few questions for you guys...
Posted by Anderson Jonathan <an...@bah.com>.
Thanks Dims. I'm going to assume then that attachments are now out of scope
for the OASIS spec, and therefore for all OASIS spec implementations such as
WSS4J.
-Jon
-----Original Message-----
From: Davanum Srinivas [mailto:dims@yahoo.com]
Sent: Friday, February 27, 2004 8:29 AM
To: Anderson Jonathan; ws-fx-Dev
Subject: Re: A few questions for you guys...
See Issue #129
(http://lists.oasis-open.org/archives/wss/200308/msg00053.html). I think the
2nd question needs to be asked on the xml-security dev mailing list :)
-- dims
Re: A few questions for you guys...
Posted by Davanum Srinivas <di...@yahoo.com>.
See Issue #129 (http://lists.oasis-open.org/archives/wss/200308/msg00053.html). I think the 2nd
question needs to be asked on the xml-security dev mailing list :)
-- dims
=====
Davanum Srinivas - http://webservices.apache.org/~dims/