Posted to fx-dev@ws.apache.org by Davide Romanini <d....@cineca.it> on 2005/06/23 15:48:43 UTC

Impose policies programmatically

Hi,

it would be nice to make some checks regarding security on the SOAP
message. I refer specifically to imposing some constraints on the security
tokens used and on the message parts that are signed/encrypted. That's
what WS-SecurityPolicy exists for :-)

For now, sadly, we have no support for Policies. I'm anyway interested
in a way to impose the policies programmatically, using an Axis
handler, for example.

When a message arrives at the service, I'd want to first check:
 - Is the message signed?
 - Which parts of the message are signed? (e.g. I want exactly the Body
and the Timestamp to be signed).
 - Does the token used for signing satisfy my requirements? (e.g. is it an
X509 certificate? is the issuer what I want? are the subject name and
subject key identifier what I want?)

...and so on...

I looked around the code to find out if the information I need to check
my assertions is available from the MessageContext in the Handler chain. I
would like to write a Handler between WSDoAllReceiver and the real service.
It should read some things from the MessageContext and make decisions
(throw faults, for example, if an assertion is not satisfied).

The only variables I can find in the MessageContext after
WSDoAllReceiver are SND_SECURITY and RECV_RESULTS. The first contains
the whole (partially) processed document. The latter seems to contain
information about the Security processing, in the form of a Vector of
WSSecurityEngineResult. It seems to me that, at least for the signature, I
can check the cert used to sign by looking for the WSSecurityEngineResult
with Action = WSConstants.SIGN and accessing the Certificate property. But
for other operations (like key/data encryption) the certificate is not
stored in that object.

Also, I don't know how to check that specific parts of the message are
signed/encrypted in some simple manner. Do I have to check this
"manually" using the SND_SECURITY Document?

Another question: is there a way to encrypt the message using an asymmetric
key instead of attaching an EncryptedKey element in the security header?

Thanks in advance for suggestions!

Bye,
Davide Romanini
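The "manual" check asked about above, as an added example that is not part of the original post nor WSS4J or Axis code: it enforces two of the listed assertions (exactly the Body and the Timestamp are signed; the signing certificate has the expected issuer, subject and SubjectKeyIdentifier) on a plain DOM Document, using only the JDK. The SOAP envelope in SAMPLE is constructed for the example and only has the shape that WSDoAllReceiver would already have verified cryptographically; SignatureValue, KeyInfo and the like are omitted because this code enforces policy on an already-verified message, it does not verify signatures. The namespace constants are the WSS 1.0 and XML-DSig ones; everything else (class and method names, the sample ids) is invented here.

```java
import java.io.StringReader;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

/** Policy assertions to run on a message that WSDoAllReceiver has already verified (example code). */
public class SecurityPolicyCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";

    /** Elements covered by ds:Reference URI="#id" of every ds:Signature that sits directly in wsse:Security. */
    static Set<Element> signedElements(Document doc) {
        Map<String, Element> byId = new HashMap<String, Element>();
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!e.hasAttributeNS(WSU, "Id")) continue;
            // A duplicate wsu:Id would let a reference resolve to an element other than the signed one.
            if (byId.put(e.getAttributeNS(WSU, "Id"), e) != null)
                throw new SecurityException("duplicate wsu:Id " + e.getAttributeNS(WSU, "Id"));
        }
        Set<Element> signed = Collections.newSetFromMap(new IdentityHashMap<Element, Boolean>());
        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        for (int s = 0; s < sigs.getLength(); s++) {
            Element sig = (Element) sigs.item(s);
            Node parent = sig.getParentNode();
            if (!(WSSE.equals(parent.getNamespaceURI()) && "Security".equals(parent.getLocalName()))) continue;
            NodeList refs = sig.getElementsByTagNameNS(DS, "Reference");
            for (int r = 0; r < refs.getLength(); r++) {
                String uri = ((Element) refs.item(r)).getAttribute("URI");
                Element target = uri.startsWith("#") ? byId.get(uri.substring(1)) : null;
                if (target == null) throw new SecurityException("unresolvable reference " + uri);
                signed.add(target);
            }
        }
        return signed;
    }

    /** Assertion: exactly the envelope Body and the Security header's Timestamp are signed, nothing else. */
    static void requireBodyAndTimestampSigned(Document doc) {
        Element env = doc.getDocumentElement();
        Element body = child(env, SOAP, "Body");
        Element ts = child(child(child(env, SOAP, "Header"), WSSE, "Security"), WSU, "Timestamp");
        Set<Element> signed = signedElements(doc);
        if (signed.size() != 2 || !signed.contains(body) || !signed.contains(ts))
            throw new SecurityException("policy requires exactly Body and Timestamp to be signed");
    }

    static Element child(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                return (Element) n;
        throw new SecurityException("missing " + local);
    }

    /** Assertion on the signing token: issuer, subject and SubjectKeyIdentifier (extension OID 2.5.29.14). */
    static void requireSigningCert(X509Certificate cert, String issuer, String subject, byte[] ski) {
        if (!new X500Principal(issuer).equals(cert.getIssuerX500Principal()))
            throw new SecurityException("unexpected issuer " + cert.getIssuerX500Principal());
        if (!new X500Principal(subject).equals(cert.getSubjectX500Principal()))
            throw new SecurityException("unexpected subject " + cert.getSubjectX500Principal());
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) throw new SecurityException("no SubjectKeyIdentifier extension");
        // getExtensionValue() wraps the extension in an OCTET STRING; the SKI value is itself an OCTET STRING.
        if (!Arrays.equals(ski, octetStringContents(octetStringContents(ext))))
            throw new SecurityException("unexpected SubjectKeyIdentifier");
    }

    static byte[] octetStringContents(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) throw new SecurityException("not a DER OCTET STRING");
        int len = der[1] & 0xff, off = 2;
        if (len == 0x80) throw new SecurityException("indefinite length is not DER");
        if (len > 0x80) { int n = len & 0x7f; len = 0; for (int i = 0; i < n; i++) len = (len << 8) | (der[off++] & 0xff); }
        if (off + len != der.length) throw new SecurityException("bad DER length");
        return Arrays.copyOfRange(der, off, off + len);
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs from the wire
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Constructed sample message; signature value and key info omitted (already verified upstream).
    static final String SAMPLE =
          "<soapenv:Envelope xmlns:soapenv='" + SOAP + "' xmlns:wsse='" + WSSE + "' xmlns:wsu='" + WSU + "' xmlns:ds='" + DS + "'>"
        + "<soapenv:Header><wsse:Security>"
        + "<wsu:Timestamp wsu:Id='Timestamp-1'><wsu:Created>2005-06-23T13:48:43Z</wsu:Created></wsu:Timestamp>"
        + "<ds:Signature><ds:SignedInfo><ds:Reference URI='#Body-1'/><ds:Reference URI='#Timestamp-1'/></ds:SignedInfo></ds:Signature>"
        + "</wsse:Security></soapenv:Header>"
        + "<soapenv:Body wsu:Id='Body-1'><ns:ping xmlns:ns='urn:example'/></soapenv:Body></soapenv:Envelope>";

    public static void main(String[] args) throws Exception {
        requireBodyAndTimestampSigned(parse(SAMPLE)); // accepted: Body and Timestamp both referenced
        try { requireBodyAndTimestampSigned(parse(SAMPLE.replace("<ds:Reference URI='#Timestamp-1'/>", ""))); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); } // Timestamp unsigned
    }
}
```

To plug this into the handler chain described in the post, a BasicHandler.invoke(MessageContext) placed after WSDoAllReceiver would take the Document stored under SND_SECURITY and call requireBodyAndTimestampSigned on it, then walk the RECV_RESULTS Vector for the result whose Action is WSConstants.SIGN and pass its certificate to requireSigningCert, turning any SecurityException into an AxisFault; the exact accessor names on those results are WSS4J-version dependent and are assumed here rather than taken from the post. The check deliberately resolves references against the document itself rather than comparing element names: a signed-parts policy stated as "an element called Body is signed" is weaker than "the Envelope's own Body child is signed", and the duplicate-Id rejection closes the obvious way to make a reference point at a decoy.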