Posted to wss4j-dev@ws.apache.org by Martin Kuba <ma...@ics.muni.cz> on 2006/06/23 10:26:15 UTC
WS-Security in WSDL
Hi all,

I am trying to figure out how a WS-Security-enabled webservice
is marked in its WSDL, but after I have read all documentation
on WSS4J which I have found and after googling for an hour,
I still cannot find an answer. I even tried to read the
WS-Security spec itself, but I did not find it there.

The only piece of information that I found is in gSOAP WSSE
example, where the WSDL has the following added:

...
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
...
<message name="Header">
  <part name="Security" element="wsse:Security"/>
</message>
...
<operation name="add">
  <SOAP:operation style="rpc" soapAction=""/>
  <input>
    <SOAP:body ... />
    <SOAP:header use="literal" message="tns:Header" part="Security"/>
  </input>
...

but that seems to be incorrect, as the wsse:Security element schema
is not even imported. Also such specification only says that
a SOAP header element is needed, but it does not say
whether encryption or signature or username is needed.

Can somebody point me to more information, please?

Thanks

Martin
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno Martin Kuba
Institute of Computer Science email: makub@ics.muni.cz
Masaryk University http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775
--------------------------------------------------------------
Re: WS-Security in WSDL
Posted by Anne Thomas Manes <at...@gmail.com>.
WS-PolicyAttachment defines three mechanisms to associate WS-Policy
assertions with a service endpoint or service artifact:
- WSDL
- UDDI
- WS-Addressing
As far as I'm aware, no one method supersedes the others. Given that most
WSDL-enabled tools don't know how to interpret the <wsp:xxx> WSDL
extensions, I would discourage using the WSDL attachment mechanism for the
immediate future.
Other means to obtain policy information about a service endpoint:
- use WS-MetadataExchange
- query the endpoint URL appended with "?policy"
Neither of these conventions is widely supported, though.
Anne
On 6/23/06, Fred Dushin <fd...@iona.com> wrote:
>
> Yes, but you can also embed policy in WSDL, using WS-PolicyAttachment. (
> http://www.w3.org/Submission/WS-PolicyAttachment/)
>
> I thought this is actually *the* place to put it, if WSDL is the
> Web-Services equivalent of an IOR (if not a WS-Addressing endpoint
> reference).
>
> -Fred
>
>
> Anne Thomas Manes wrote:
>
> You really don't want to specify middleware control information in the
> WSDL. The more appropriate place to specify your security requirements is in
> a WS-Policy file using WS-SecurityPolicy.
>
> Anne
>
> On 6/23/06, Guy Rixon <gt...@ast.cam.ac.uk> wrote:
> >
> > Hi,
> >
> > AFAIK, there is no way to specify completely the WS-Security stuff in
> > WSDL.
> > It's a semantic problem. For the body parts, the semantics are simple
> > "send
> > this stuff in the message with the stated encoding". For the WS-Security
> >
> > header, the semantics vary according to the use of the header: "sign
> > digitally", "encode", "encode and sign" etc. Specifying the
> > wsse:Security
> > header itself is too ambiguous. It doesn't tell a code-generator or a
> > client what to do.
> >
> > However, suppose that you derived a schema that included those elements
> > from
> > WS-Security that were relevant to the actual use; e.g. just the elements
> > to
> > express a signature. This would have a new top-level element (derived by
> >
> > restriction from the basic wsse:Security?) that code generators and
> > dynamic clients might recognize. This might work for an in-house
> > solution; I
> > haven't thought it through in detail.
> >
> > On Fri, 23 Jun 2006, Martin Kuba wrote:
> >
> > > Hi all,
> > >
> > > I am trying to figure out how a WS-Security-enabled webservice
> > > is marked in its WSDL, but after I have read all documentation
> > > on WSS4J which I have found and after googling for an hour,
> > > I still cannot find an answer. I even tried to read the
> > > WS-Security spec itself, but I did not find it there.
> > >
> > > The only piece of information that I found is in gSOAP WSSE
> > > example, where the WSDL has the following added:
> > >
> > > ...
> > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > > ...
> > > <message name="Header">
> > > <part name="Security" element="wsse:Security"/>
> > > </message>
> > > ...
> > > <operation name="add">
> > > <SOAP:operation style="rpc" soapAction=""/>
> > > <input>
> > > <SOAP:body ... />
> > > <SOAP:header use="literal" message="tns:Header" part="Security"/>
> > > </input>
> > > ...
> > >
> > > but that seems to be incorrect, as the wsse:Security element schema
> > > is not even imported. Also such specification only says that
> > > a SOAP header element is needed, but it does not say
> > > whether encryption or signature or username is needed.
> > >
> > > Can somebody point me to more information, please ?
> > >
> > > Thanks
> > >
> > > Martin
> > > --
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > Supercomputing Center Brno Martin Kuba
> > > Institute of Computer Science email: makub@ics.muni.cz
> > > Masaryk University http://www.ics.muni.cz/~makub/
> > > Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775
> > > --------------------------------------------------------------
> > >
> >
> > Guy Rixon gtr@ast.cam.ac.uk
> > Institute of Astronomy Tel: +44-1223-337542
> > Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> >
> >
>
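Added example, not part of the original thread and not WSS4J or gSOAP code: a Python check that contrasts the header-only WSDL from the first post with one that attaches WS-SecurityPolicy assertions through a wsp:PolicyReference, the WSDL mechanism of WS-PolicyAttachment named above. The sample WSDL, the "sub" operation, the policy Id, the urn:example:calc namespace and all function names are constructed for illustration; the wsp and sp namespace URIs assumed are the 2004/09 WS-Policy and 2005/07 WS-SecurityPolicy ones.

```python
import io
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAP = "http://schemas.xmlsoap.org/wsdl/soap/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"          # WS-Policy
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"   # WS-SecurityPolicy

# Constructed sample, trimmed to what the check reads. Operation "add" mirrors the
# fragment quoted in the thread; "sub" also references a policy on its input.
SAMPLE_WSDL = f"""<definitions xmlns="{WSDL}" xmlns:SOAP="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:wsp="{WSP}" xmlns:sp="{SP}"
    xmlns:tns="urn:example:calc" targetNamespace="urn:example:calc">
  <wsp:Policy wsu:Id="SignAndEncryptBody">
    <sp:SignedParts><sp:Body/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:Policy>
  <message name="Header"><part name="Security" element="wsse:Security"/></message>
  <binding name="calc" type="tns:calcPortType">
    <operation name="add"><input>
      <SOAP:header use="literal" message="tns:Header" part="Security"/>
    </input></operation>
    <operation name="sub"><input>
      <wsp:PolicyReference URI="#SignAndEncryptBody"/>
      <SOAP:header use="literal" message="tns:Header" part="Security"/>
    </input></operation>
  </binding>
</definitions>"""

def sp_assertions(node):
    """Outermost sp: assertions under node, descending through wsp: operators."""
    names = []
    for child in node:
        if child.tag.startswith(f"{{{SP}}}"):
            names.append(child.tag.split("}")[1])
        else:
            names += sp_assertions(child)
    return names

def attached(elem, policies):
    """Assertions from wsp:Policy and wsp:PolicyReference children of elem."""
    names = []
    for child in elem:
        if child.tag == f"{{{WSP}}}Policy":
            names += sp_assertions(child)
        elif child.tag == f"{{{WSP}}}PolicyReference":
            target = policies.get(child.get("URI", "").lstrip("#"))
            # External or dangling references cannot be read from this file.
            names += sp_assertions(target) if target is not None else ["UNRESOLVED"]
    return names

def audit(wsdl_text):
    """Map operation name -> (wsse:Security header declared?, sp: assertions)."""
    data = wsdl_text.encode()
    # ElementTree drops prefix declarations; collect them (assumes no rebinding).
    prefixes = dict(ns for _, ns in ET.iterparse(io.BytesIO(data), events=("start-ns",)))
    root = ET.fromstring(data)
    policies = {p.get(f"{{{WSU}}}Id"): p for p in root.iter(f"{{{WSP}}}Policy")}
    messages = {m.get("name"): m for m in root.findall(f"{{{WSDL}}}message")}

    def is_wsse_security(part):
        prefix, _, local = part.get("element", "").rpartition(":")
        return prefixes.get(prefix) == WSSE and local == "Security"

    def header_declared(inp):
        for hdr in inp.findall(f"{{{SOAP}}}header"):
            msg = messages.get(hdr.get("message", "").rpartition(":")[2])
            parts = msg.findall(f"{{{WSDL}}}part") if msg is not None else []
            if any(p.get("name") == hdr.get("part") and is_wsse_security(p) for p in parts):
                return True
        return False

    report = {}
    for binding in root.findall(f"{{{WSDL}}}binding"):
        for op in binding.findall(f"{{{WSDL}}}operation"):
            inp = op.find(f"{{{WSDL}}}input")
            # Union of binding, operation and input attachments (a simplification).
            scopes = [binding, op] + ([inp] if inp is not None else [])
            names = [n for scope in scopes for n in attached(scope, policies)]
            report[op.get("name")] = (inp is not None and header_declared(inp), names)
    return report

def imports_wsse_schema(wsdl_text):
    """True if a wsdl:import or xsd:import names the wsse namespace."""
    root = ET.fromstring(wsdl_text.encode())
    return any(e.tag.endswith("}import") and e.get("namespace") == WSSE for e in root.iter())
```

For "add" the result is a declared header with an empty assertion list, which is the ambiguity raised in the thread: a client learns that a wsse:Security header is expected but not whether to sign, encrypt or send a username.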
Re: WS-Security in WSDL
Posted by Fred Dushin <fd...@iona.com>.
Yes, but you can also embed policy in WSDL, using WS-PolicyAttachment.
(http://www.w3.org/Submission/WS-PolicyAttachment/)
I thought this is actually *the* place to put it, if WSDL is the
Web-Services equivalent of an IOR (if not a WS-Addressing endpoint
reference).
-Fred
Anne Thomas Manes wrote:
> You really don't want to specify middleware control information in the
> WSDL. The more appropriate place to specify your security requirements
> is in a WS-Policy file using WS-SecurityPolicy.
>
> Anne
>
> On 6/23/06, *Guy Rixon* <gtr@ast.cam.ac.uk> wrote:
>
> Hi,
>
> AFAIK, there is no way to specify completely the WS-Security stuff
> in WSDL.
> It's a semantic problem. For the body parts, the semantics are
> simple "send
> this stuff in the message with the stated encoding". For the
> WS-Security
> header, the semantics vary according to the use of the header: "sign
> digitally", "encode", "encode and sign" etc. Specifying the
> wsse:Security
> header itself is too ambiguous. It doesn't tell a code-generator or a
> client what to do.
>
> However, suppose that you derived a schema that included those
> elements from
> WS-Security that were relevant to the actual use; e.g. just the
> elements to
> express a signature. This would have a new top-level element
> (derived by
> restriction from the basic wsse:Security?) that code generators and
> dynamic clients might recognize. This might work for an in-house
> solution; I
> haven't thought it through in detail.
>
> On Fri, 23 Jun 2006, Martin Kuba wrote:
>
> > Hi all,
> >
> > I am trying to figure out how a WS-Security-enabled webservice
> > is marked in its WSDL, but after I have read all documentation
> > on WSS4J which I have found and after googling for an hour,
> > I still cannot find an answer. I even tried to read the
> > WS-Security spec itself, but I did not find it there.
> >
> > The only piece of information that I found is in gSOAP WSSE
> > example, where the WSDL has the following added:
> >
> > ...
> >
> > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > ...
> > <message name="Header">
> > <part name="Security" element="wsse:Security"/>
> > </message>
> > ...
> > <operation name="add">
> > <SOAP:operation style="rpc" soapAction=""/>
> > <input>
> > <SOAP:body ... />
> > <SOAP:header use="literal" message="tns:Header" part="Security"/>
> > </input>
> > ...
> >
> > but that seems to be incorrect, as the wsse:Security element schema
> > is not even imported. Also such specification only says that
> > a SOAP header element is needed, but it does not say
> > whether encryption or signature or username is needed.
> >
> > Can somebody point me to more information, please ?
> >
> > Thanks
> >
> > Martin
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Supercomputing Center Brno Martin Kuba
> > Institute of Computer Science email: makub@ics.muni.cz
> > Masaryk University http://www.ics.muni.cz/~makub/
> > Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775
> > --------------------------------------------------------------
> >
>
> Guy Rixon gtr@ast.cam.ac.uk
> Institute of Astronomy Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
Re: WS-Security in WSDL
Posted by Anne Thomas Manes <at...@gmail.com>.
You really don't want to specify middleware control information in the WSDL.
The more appropriate place to specify your security requirements is in a
WS-Policy file using WS-SecurityPolicy.
Anne
On 6/23/06, Guy Rixon <gt...@ast.cam.ac.uk> wrote:
>
> Hi,
>
> AFAIK, there is no way to specify completely the WS-Security stuff in
> WSDL.
> It's a semantic problem. For the body parts, the semantics are simple
> "send
> this stuff in the message with the stated encoding". For the WS-Security
> header, the semantics vary according to the use of the header: "sign
> digitally", "encode", "encode and sign" etc. Specifying the
> wsse:Security
> header itself is too ambiguous. It doesn't tell a code-generator or a
> client what to do.
>
> However, suppose that you derived a schema that included those elements
> from
> WS-Security that were relevant to the actual use; e.g. just the elements
> to
> express a signature. This would have a new top-level element (derived by
> restriction from the basic wsse:Security?) that code generators and
> dynamic clients might recognize. This might work for an in-house solution;
> I
> haven't thought it through in detail.
>
> On Fri, 23 Jun 2006, Martin Kuba wrote:
>
> > Hi all,
> >
> > I am trying to figure out how a WS-Security-enabled webservice
> > is marked in its WSDL, but after I have read all documentation
> > on WSS4J which I have found and after googling for an hour,
> > I still cannot find an answer. I even tried to read the
> > WS-Security spec itself, but I did not find it there.
> >
> > The only piece of information that I found is in gSOAP WSSE
> > example, where the WSDL has the following added:
> >
> > ...
> > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > ...
> > <message name="Header">
> > <part name="Security" element="wsse:Security"/>
> > </message>
> > ...
> > <operation name="add">
> > <SOAP:operation style="rpc" soapAction=""/>
> > <input>
> > <SOAP:body ... />
> > <SOAP:header use="literal" message="tns:Header" part="Security"/>
> > </input>
> > ...
> >
> > but that seems to be incorrect, as the wsse:Security element schema
> > is not even imported. Also such specification only says that
> > a SOAP header element is needed, but it does not say
> > whether encryption or signature or username is needed.
> >
> > Can somebody point me to more information, please ?
> >
> > Thanks
> >
> > Martin
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Supercomputing Center Brno Martin Kuba
> > Institute of Computer Science email: makub@ics.muni.cz
> > Masaryk University http://www.ics.muni.cz/~makub/
> > Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775
> > --------------------------------------------------------------
> >
>
> Guy Rixon gtr@ast.cam.ac.uk
> Institute of Astronomy Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
Re: WS-Security in WSDL
Posted by Guy Rixon <gt...@ast.cam.ac.uk>.
Hi,
AFAIK, there is no way to specify completely the WS-Security stuff in WSDL.
It's a semantic problem. For the body parts, the semantics are simple "send
this stuff in the message with the stated encoding". For the WS-Security
header, the semantics vary according to the use of the header: "sign
digitally", "encode", "encode and sign" etc. Specifying the wsse:Security
header itself is too ambiguous. It doesn't tell a code-generator or a
client what to do.
However, suppose that you derived a schema that included those elements from
WS-Security that were relevant to the actual use; e.g. just the elements to
express a signature. This would have a new top-level element (derived by
restriction from the basic wsse:Security?) that code generators and
dynamic clients might recognize. This might work for an in-house solution; I
haven't thought it through in detail.
On Fri, 23 Jun 2006, Martin Kuba wrote:
> Hi all,
>
> I am trying to figure out how a WS-Security-enabled webservice
> is marked in its WSDL, but after I have read all documentation
> on WSS4J which I have found and after googling for an hour,
> I still cannot find an answer. I even tried to read the
> WS-Security spec itself, but I did not find it there.
>
> The only piece of information that I found is in gSOAP WSSE
> example, where the WSDL has the following added:
>
> ...
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> ...
> <message name="Header">
> <part name="Security" element="wsse:Security"/>
> </message>
> ...
> <operation name="add">
> <SOAP:operation style="rpc" soapAction=""/>
> <input>
> <SOAP:body ... />
> <SOAP:header use="literal" message="tns:Header" part="Security"/>
> </input>
> ...
>
> but that seems to be incorrect, as the wsse:Security element schema
> is not even imported. Also such specification only says that
> a SOAP header element is needed, but it does not say
> whether encryption or signature or username is needed.
>
> Can somebody point me to more information, please ?
>
> Thanks
>
> Martin
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Supercomputing Center Brno Martin Kuba
> Institute of Computer Science email: makub@ics.muni.cz
> Masaryk University http://www.ics.muni.cz/~makub/
> Botanicka 68a, 60200 Brno, CZ mobil: +420-603-533775
> --------------------------------------------------------------
>
Guy Rixon gtr@ast.cam.ac.uk
Institute of Astronomy Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org