Posted to commits@ws.apache.org by co...@apache.org on 2014/02/25 12:33:25 UTC

svn commit: r1571651 - in /webservices/wss4j/site/src/site/xdoc: attachments.xml newfeatures20.xml user_guide.xml

Author: coheigea
Date: Tue Feb 25 11:33:25 2014
New Revision: 1571651

URL: http://svn.apache.org/r1571651
Log:
Adding information on securing attachments to the user guide

Added:
    webservices/wss4j/site/src/site/xdoc/attachments.xml
Modified:
    webservices/wss4j/site/src/site/xdoc/newfeatures20.xml
    webservices/wss4j/site/src/site/xdoc/user_guide.xml

Added: webservices/wss4j/site/src/site/xdoc/attachments.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/site/src/site/xdoc/attachments.xml?rev=1571651&view=auto
==============================================================================
--- webservices/wss4j/site/src/site/xdoc/attachments.xml (added)
+++ webservices/wss4j/site/src/site/xdoc/attachments.xml Tue Feb 25 11:33:25 2014
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<document>
+<body>
+<section name="Securing message attachments">
+<p>
+WSS4J 2.0.0 introduces support for signing and encrypting SOAP message
+attachments, via the the SOAP with Attachments (SWA) Profile 1.1 specification.
+There is no support in WSS4J 1.6.x for signing or encrypting message
+attachments. Attachments can be signed and encrypted in WSS4J via either the
+"action"-based approach or via WS-SecurityPolicy, as covered in the sections
+below.
+</p>
+<p>
+The message attachment streams must be supplied to WSS4J for
+signature/encryption via a CallbackHandler approach. An
+AttachmentRequestCallback Object is used to retrieve either a particular
+Attachment (on the receiving side), or all attachments (on the sending side).
+The user must implement a CallbackHandler that sets a list of Attachments
+matching this request on the Callback. Correspondingly, there is also a
+AttachmentResponseCallback, which represents the secured/processed Attachment.
+</p>
+<p>
+The good news is that if you are using Apache CXF then all of this is taken
+care of automatically by a CallbackHandler that retrieves and sets CXF message
+attachments. Therefore if you are using CXF then you can sign/encrypt message
+attachments just by setting the configuration detailed in the next couple of
+sections.
+</p>
+
+<subsection name="Securing message attachments via the action approach">
+<p>
+With the "action" approach to using WSS4J, the user specifies the parts to
+sign or encrypt via the following configuration tags:
+</p>
+<ul>
+<li>ConfigurationConstants.SIGNATURE_PARTS ("signatureParts")</li>
+<li>ConfigurationConstants.ENCRYPTION_PARTS ("encryptionParts")</li>
+</ul>
+<p>
+The value of these tags is a String in a special format that looks something
+like "{Content}{http://example.org/paymentv2}CreditCard"
+({modifier}{namespace}localname). In WSS4J 2.0.0, it is possible to
+sign/encrypt all of the attachments by specifying the following as part of
+signatureParts/encryptionParts: "{}cid:Attachments;". Note that this signs or
+encrypts all of the attachments, it is not possible to only sign/encrypt
+individual attachments.
+</p>
+</subsection>
+
+<subsection name="Securing message attachments via WS-SecurityPolicy">
+<p>
+An easier way to use WSS4J is in conjunction with a web services stack such as
+Apache CXF and a WS-SecurityPolicy-based policy. It is possible to sign/encrypt
+all attachments by adding a "sp:Attachments" policy as a child of either a
+"sp:SignedParts" or "sp:EncryptedParts" policy. In addition, the
+"sp:Attachments" policy for SignedParts only has two optional child policies
+called "sp13:ContentSignatureTransform" and
+"sp13:AttachmentCompleteSignatureTransform", which dictate whether the
+attachment headers are included or not in the Signature.
+</p>
+</subsection>
+
+</section>            
+</body>
+</document>
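Review bot: The WS-SecurityPolicy subsection says the optional "sp13:ContentSignatureTransform" and "sp13:AttachmentCompleteSignatureTransform" children dictate whether the attachment headers are included in the Signature, but neither it nor the action subsection says which behaviour applies when no child policy is given or when "{}cid:Attachments;" is used. That decides whether the headers are integrity-protected, so the default should be stated explicitly in both subsections. In the same paragraph, "the "sp:Attachments" policy for SignedParts only has two optional child policies" is ambiguous; if the meaning is that the children apply only under SignedParts, write "for SignedParts only, has two optional child policies". The CallbackHandler paragraph says the user must implement a handler that answers an AttachmentRequestCallback but shows no sample, which leaves non-CXF users without a starting point; a short example would help. Nits: "via the the SOAP with Attachments" has a duplicated word, "a AttachmentResponseCallback" should be "an AttachmentResponseCallback", the sentence "Note that this signs or encrypts all of the attachments, it is not possible to only sign/encrypt individual attachments" is a comma splice, and the "+</section>" line carries trailing whitespace.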

Modified: webservices/wss4j/site/src/site/xdoc/newfeatures20.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/site/src/site/xdoc/newfeatures20.xml?rev=1571651&r1=1571650&r2=1571651&view=diff
==============================================================================
--- webservices/wss4j/site/src/site/xdoc/newfeatures20.xml (original)
+++ webservices/wss4j/site/src/site/xdoc/newfeatures20.xml Tue Feb 25 11:33:25 2014
@@ -8,8 +8,8 @@
 Apache WSS4J 2.0.0 delivers the following major new features:
 </p>
 <ul>
-<li>Support for a <a href="streaming.html">streaming</a> (StAX) based
-WS-Security implementation that covers all of the main specifications.</li>
+<li>Support for a streaming (StAX) based WS-Security implementation that
+covers all of the main specifications.</li>
 <li>A WS-SecurityPolicy model that can be shared between both DOM + StAX
 implementations.</li>
 <li>Support for "real-time" WS-SecurityPolicy validation for the StAX
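Review bot: Removing the streaming.html link from the first bullet is not covered by the log message ("Adding information on securing attachments to the user guide"), and it leaves the summary list without a direct link to the streaming page. Either keep the link in the bullet as well, or mention the restructuring in the log message so the change is not a surprise in history.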
@@ -21,6 +21,30 @@ implementation.</li>
 </ul>
 </subsection>
 
+<subsection name="Streaming (StAX) based WS-Security implementation">
+<p>
+WSS4J 2.0.0 introduces a new streaming (StAX) based WS-Security implementation.
+Please see the dedicated <a href="streaming.html">page</a> for more
+information.
+</p>
+</subsection>
+
+<subsection name="WS-SecurityPolicy support">
+<p>
+TODO.
+</p>
+</subsection>
+
+<subsection name="Support for signing and encrypting message attachments">
+<p>
+WSS4J 2.0.0 introduces support for signing and encrypting SOAP message
+attachments, via the the SOAP with Attachments (SWA) Profile 1.1 specification.
+Please see the dedicated <a href="attachments.html">page</a> for more
+information.
+</p>
+</subsection>
+
+
 <subsection name="Replay Attack detection using EhCache">
 <p>
 In WSS4J 1.6.x, a "ReplayCache" interface was introduced to cache tokens to
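Review bot: The new "WS-SecurityPolicy support" subsection contains only "TODO." and would be published to the site in that state; either write the text or hold the subsection back until it is ready. In the attachments subsection, "via the the SOAP with Attachments (SWA) Profile 1.1 specification" repeats "the", the same typo as in attachments.xml. There are also two consecutive blank "+" lines before the "Replay Attack detection using EhCache" subsection where the other subsections are separated by one.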

Modified: webservices/wss4j/site/src/site/xdoc/user_guide.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/site/src/site/xdoc/user_guide.xml?rev=1571651&r1=1571650&r2=1571651&view=diff
==============================================================================
--- webservices/wss4j/site/src/site/xdoc/user_guide.xml (original)
+++ webservices/wss4j/site/src/site/xdoc/user_guide.xml Tue Feb 25 11:33:25 2014
@@ -11,6 +11,7 @@ by WSS4J and how to configure it.
 <li><a href="config.html">WSS4J Configuration</a></li>
 <li><a href="newfeatures20.html">WSS4J 2.0.0 New Features</a></li>
 <li><a href="streaming.html">Streaming WS-Security support</a></li>
+<li><a href="attachments.html">Securing message attachments</a></li>
 <li><a href="migration.html">WSS4J 2.0.0 Migration Guide</a></li>
 <li><a href="wss4j16.html">WSS4J 1.6.0 Migration Guide</a></li>
 <li><a href="topics.html">Special Topics</a></li>