Posted to dev@santuario.apache.org by jk...@netsys-it.de on 2004/09/13 16:07:57 UTC

Web Service Security and AXIS

Hi there,

I would like to propose to add a branch (well, a namespace)
to the sources containing some classes to facilitate
adding WSS features to the axis-SOAP-engine. The classes I wrote,
I wrote using apache xml security, so maybe I thought it would
be nice to add them either to the official source or to the samples.

I have the following use cases completed:
 - signing of requests
 - signing of responses
(both cases configurable if a JKS keystore or a PKCS12-container holds
the keys - it is certainly possible to implement a wider variety here!)
 - simple verification of signed requests (actually this is pretty much
the same as the axis sample)
 - simple verification of signed responses (actually this is pretty much
the same as the axis sample)
 - configurable verification of requests/responses
   - must the request/response be signed?
   - must the certificate be trusted?
   - must the certificate contain a CRLDP?
   - must the CRL be accessible?
   - ... this can certainly be extended with configuration options for
a finer grained policy.
The last variant is depending on the IAIK crypto provider (because of its
inbuilt support for easily retrieving and checking of CRLs)

The Encryption support currently is being tested. There is only one use case
as of yet:
 - responses to signed requests are encrypted using the public key found
in the certificate, nodes to encrypt are selected based on xpath expressions
specified in the server-config.wsdd.

Do you think this could be a useful extension of project xml-security?
I am a little hesitant, because it hinges on two dependencies: axis and
xml-security - do you think it would be better off below axis?

Juergen Key

Re: Web Service Security and AXIS

Posted by Davanum Srinivas <da...@gmail.com>.
Juergen,

did you look at http://ws.apache.org/ws-fx/wss4j/ ???

-- dims


On Mon, 13 Sep 2004 16:07:57 +0200 (CEST), jkey@netsys-it.de
<jk...@netsys-it.de> wrote:
> Hi there,
> 
> I would like to propose to add a branch (well, a namespace)
> to the sources containing some classes to facilitate
> adding WSS features to the axis-SOAP-engine. The classes I wrote,
> I wrote using apache xml security, so maybe I thought it would
> be nice to add them either to the official source or to the samples.
> 
> I have the following use cases completed:
>  - signing of requests
>  - signing of responses
> (both cases configurable if a JKS keystore or a PKCS12-container holds
> the keys - it is certainly possible to implement a wider variety here!)
>  - simple verification of signed requests (actually this is pretty much
> the same as the axis sample)
>  - simple verification of signed responses (actually this is pretty much
> the same as the axis sample)
>  - configurable verification of requests/responses
>    - must the request/response be signed?
>    - must the certificate be trusted?
>    - must the certificate contain a CRLDP?
>    - must the CRL be accessible?
>    - ... this can certainly be extended with configuration options for
> a finer grained policy.
> The last variant is depending on the IAIK crypto provider (because of its
> inbuilt support for easily retrieving and checking of CRLs)
> 
> The Encryption support currently is being tested. There is only one use case
> as of yet:
>  - responses to signed requests are encrypted using the public key found
> in the certificate, nodes to encrypt are selected based on xpath expressions
> specified in the server-config.wsdd.
> 
> Do you think this could be a useful extension of project xml-security?
> I am a little hesitant, because it hinges on two dependencies: axis and
> xml-security - do you think it would be better off below axis?
> 
> Juergen Key
> 



-- 
Davanum Srinivas - http://webservices.apache.org/~dims/