Posted to dev@santuario.apache.org by Tim Julien <ti...@oracle.com> on 2003/08/06 23:06:32 UTC

WS Security using xmlsec?

Hi,

Has anyone working on the xmlsec project taken a look at WS Security (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) and its use of xml enc and xml sig?  I'm curious if the xmlsec project has this spec in mind as a use case, or if anyone has tried to write a WS Security implementation using xmlsec.

Tim Julien


Re: WS Security using xmlsec?

Posted by Berin Lautenbach <be...@ozemail.com.au>.
Tim,

There is also a proposal within the Web Services project to look at this

http://nagoya.apache.org/wiki/apachewiki.cgi?SecurityProposal

Cheers,
	Berin


Axl Mattheus wrote:
> Tim,
> 
> The (EA) XWS Security component of JWSDP1.2 is based on WSS. XWS is used 
> to sign (and encrypt) SOAP messages. The next release of JWSDP (early 
> next year I think) will have a more complete implementation of the WSS spec.
> 
> Ax/
> 
> Tim Julien wrote:
> 
>> Hi,
>>
>> Has anyone working on the xmlsec project taken a look at WS Security 
>> (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) and 
>> its use of xml enc and xml sig?  I'm curious if the xmlsec project has 
>> this spec in mind as a use case, or if anyone has tried to write a WS 
>> Security implementation using xmlsec.
>>
>> Tim Julien
>>
>>
>>  
>>
> 
> 
> 


Re: WS Security using xmlsec?

Posted by Tim Julien <ti...@oracle.com>.
Both of those look very promising - that is the kind of thing I was looking for - I'll check out the 105 public draft.

thanks,
Tim Julien

Sean Mullan wrote:

> Tim Julien wrote:
> > Thanks - that's exactly what I was looking for.
> >
> > I'm curious how the developers of xmlsec see WS Security implementations using xmlsec.  The challenge I see is that WS Security defines new children of <ds:KeyInfo>, and also uses <ds:KeyName> in a strange way (I think).  There are probably many more such examples.  Because of these challenges, it could be difficult to use an XML Sig and XML Enc implementation (i.e., apache xmlsec) to do much more than parsing and encrypting/decrypting raw byte[] (if you look at what JWSDP1.2 does, it is essentially this).  Nice things, like passing xmlsec the contents of a <wsse:Security> header and asking it for the X509Certificate aren't really possible (then again - maybe this is really beyond the scope of xmlsec).
> >
> > One possible way to address this may be to provide users of xmlsec the ability to plug in handlers for elements xmlsec does not understand.
> >
> > If anyone on JSR 105 or 106 is lurking on this list, I'm curious if this issue has come up in the expert group so far.
>
> I'm lurking (I'm co-spec lead of JSR 105).
>
> I'm not sure if I'm answering your questions/concerns without some more context, but JSR 105
> provides a couple of things that might be what you are looking for:
>
> 1) a KeySelector interface, the purpose of which is to allow you to develop
> an implementation that finds a validation key (and also return more
> information such as an X.509 certificate) given a KeyInfo element.
>
> 2) support for any types through the XMLStructure/DOMStructure classes. This
> for example allows you to define your own KeyInfo types or ds:Object types.
>
> See http://jcp.org/en/jsr/detail?id=105 for more information and to download
> a copy of the public draft.
>
> --Sean
>
> >
> > Tim Julien
> >
> >
> > Axl Mattheus wrote:
> >
> >
> >>Tim,
> >>
> >>The (EA) XWS Security component of JWSDP1.2 is based on WSS. XWS is used
> >>to sign (and encrypt) SOAP messages. The next release of JWSDP (early
> >>next year I think) will have a more complete implementation of the WSS spec.
> >>
> >>Ax/
> >>
> >>Tim Julien wrote:
> >>
> >>
> >>>Hi,
> >>>
> >>>Has anyone working on the xmlsec project taken a look at WS Security (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) and its use of xml enc and xml sig?  I'm curious if the xmlsec project has this spec in mind as a use case, or if anyone has tried to write a WS Security implementation using xmlsec.
> >>>
> >>>Tim Julien
> >>>
> >>>
> >>>
> >>>
> >
> >


Re: WS Security using xmlsec?

Posted by Sean Mullan <se...@sun.com>.
Tim Julien wrote:
> Thanks - that's exactly what I was looking for.
> 
> I'm curious how the developers of xmlsec see WS Security implementations using xmlsec.  The challenge I see is that WS Security defines new children of <ds:KeyInfo>, and also uses <ds:KeyName> in a strange way (I think).  There are probably many more such examples.  Because of these challenges, it could be difficult to use an XML Sig and XML Enc implementation (i.e., apache xmlsec) to do much more than parsing and encrypting/decrypting raw byte[] (if you look at what JWSDP1.2 does, it is essentially this).  Nice things, like passing xmlsec the contents of a <wsse:Security> header and asking it for the X509Certificate aren't really possible (then again - maybe this is really beyond the scope of xmlsec).
> 
> One possible way to address this may be to provide users of xmlsec the ability to plug in handlers for elements xmlsec does not understand.
> 
> If anyone on JSR 105 or 106 is lurking on this list, I'm curious if this issue has come up in the expert group so far.

I'm lurking (I'm co-spec lead of JSR 105).

I'm not sure if I'm answering your questions/concerns without some more context, but JSR 105
provides a couple of things that might be what you are looking for:

1) a KeySelector interface, the purpose of which is to allow you to develop
an implementation that finds a validation key (and also return more
information such as an X.509 certificate) given a KeyInfo element.

2) support for any types through the XMLStructure/DOMStructure classes. This
for example allows you to define your own KeyInfo types or ds:Object types.

See http://jcp.org/en/jsr/detail?id=105 for more information and to download
a copy of the public draft.

--Sean

> 
> Tim Julien
> 
> 
> Axl Mattheus wrote:
> 
> 
>>Tim,
>>
>>The (EA) XWS Security component of JWSDP1.2 is based on WSS. XWS is used
>>to sign (and encrypt) SOAP messages. The next release of JWSDP (early
>>next year I think) will have a more complete implementation of the WSS spec.
>>
>>Ax/
>>
>>Tim Julien wrote:
>>
>>
>>>Hi,
>>>
>>>Has anyone working on the xmlsec project taken a look at WS Security (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) and its use of xml enc and xml sig?  I'm curious if the xmlsec project has this spec in mind as a use case, or if anyone has tried to write a WS Security implementation using xmlsec.
>>>
>>>Tim Julien
>>>
>>>
>>>
>>>
> 
> 
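
The two JSR 105 hooks named in the message above (a custom KeySelector, and DOMStructure for KeyInfo children the API has no type for), shown as an added example that is not part of the original thread or of any project's code. It assumes the final javax.xml.crypto API, Java 16 or later, the WSS 1.0 namespaces and a namespace-aware DOM; the names WsseKeySelector and CertResult and the pinned-certificate policy are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import org.w3c.dom.*;
// Hypothetical KeySelector (not project code): ds:KeyInfo/wsse:SecurityTokenReference -> pinned X.509 cert.
public class WsseKeySelector extends KeySelector {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private final Set<X509Certificate> pinned; // certificates the verifier already trusts
    public WsseKeySelector(Set<X509Certificate> pinned) { this.pinned = pinned; }
    public record CertResult(X509Certificate cert) implements KeySelectorResult { // key plus its certificate
        @Override public java.security.Key getKey() { return cert.getPublicKey(); }
    }
    @Override public KeySelectorResult select(KeyInfo ki, Purpose purpose, AlgorithmMethod method,
            XMLCryptoContext ctx) throws KeySelectorException {
        if (ki == null) throw new KeySelectorException("signature has no KeyInfo");
        for (Object o : ki.getContent()) { // children the API has no type for arrive as DOMStructure
            if (!(o instanceof DOMStructure ds) || !(ds.getNode() instanceof Element str)) continue;
            if (!WSSE.equals(str.getNamespaceURI()) || !"SecurityTokenReference".equals(str.getLocalName())) continue;
            NodeList refs = str.getElementsByTagNameNS(WSSE, "Reference");
            String uri = refs.getLength() == 1 ? ((Element) refs.item(0)).getAttribute("URI") : "";
            if (!uri.startsWith("#")) throw new KeySelectorException("expected one same-document wsse:Reference");
            X509Certificate cert = findToken(str.getOwnerDocument(), uri.substring(1)); // sender-supplied
            if (!pinned.contains(cert)) throw new KeySelectorException("certificate is not pinned");
            return new CertResult(cert);
        }
        throw new KeySelectorException("no supported KeyInfo child");
    }
    private static X509Certificate findToken(Document doc, String id) throws KeySelectorException {
        NodeList all = doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        Element hit = null;
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!id.equals(e.getAttributeNS(WSU, "Id"))) continue;
            if (hit != null) throw new KeySelectorException("duplicate wsu:Id " + id); // ambiguous target
            hit = e;
        }
        if (hit == null) throw new KeySelectorException("no token with wsu:Id " + id);
        try {
            byte[] der = Base64.getMimeDecoder().decode(hit.getTextContent().trim());
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
        } catch (CertificateException | IllegalArgumentException ex) {
            throw new KeySelectorException("token is not a valid X.509 certificate", ex);
        }
    }
}
```

A verifier would pass an instance to `new DOMValidateContext(selector, signatureNode)` and, after validation, read the certificate from the `CertResult` returned by `XMLSignature.getKeySelectorResult()`.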



Re: WS Security using xmlsec?

Posted by Tim Julien <ti...@oracle.com>.
Thanks - that's exactly what I was looking for.

I'm curious how the developers of xmlsec see WS Security implementations using xmlsec.  The challenge I see is that WS Security defines new children of <ds:KeyInfo>, and also uses <ds:KeyName> in a strange way (I think).  There are probably many more such examples.  Because of these challenges, it could be difficult to use an XML Sig and XML Enc implementation (i.e., apache xmlsec) to do much more than parsing and encrypting/decrypting raw byte[] (if you look at what JWSDP1.2 does, it is essentially this).  Nice things, like passing xmlsec the contents of a <wsse:Security> header and asking it for the X509Certificate aren't really possible (then again - maybe this is really beyond the scope of xmlsec).

One possible way to address this may be to provide users of xmlsec the ability to plug in handlers for elements xmlsec does not understand.

If anyone on JSR 105 or 106 is lurking on this list, I'm curious if this issue has come up in the expert group so far.

Tim Julien


Axl Mattheus wrote:

> Tim,
>
> The (EA) XWS Security component of JWSDP1.2 is based on WSS. XWS is used
> to sign (and encrypt) SOAP messages. The next release of JWSDP (early
> next year I think) will have a more complete implementation of the WSS spec.
>
> Ax/
>
> Tim Julien wrote:
>
> >Hi,
> >
> >Has anyone working on the xmlsec project taken a look at WS Security (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) and its use of xml enc and xml sig?  I'm curious if the xmlsec project has this spec in mind as a use case, or if anyone has tried to write a WS Security implementation using xmlsec.
> >
> >Tim Julien
> >
> >
> >
> >


Re: WS Security using xmlsec?

Posted by Axl Mattheus <Ax...@Sun.COM>.
Tim,

The (EA) XWS Security component of JWSDP1.2 is based on WSS. XWS is used 
to sign (and encrypt) SOAP messages. The next release of JWSDP (early 
next year I think) will have a more complete implementation of the WSS spec.

Ax/

Tim Julien wrote:

>Hi,
>
>Has anyone working on the xmlsec project taken a look at WS Security (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) and its use of xml enc and xml sig?  I'm curious if the xmlsec project has this spec in mind as a use case, or if anyone has tried to write a WS Security implementation using xmlsec.
>
>Tim Julien
>
>
>  
>