Posted to fx-dev@ws.apache.org by Anderson Jonathan <an...@bah.com> on 2004/03/25 19:51:40 UTC

The Axis 1.2 SOAPPart dependency issue... again

Werner, Dims, all,

I know I'm beating a dead horse here guys but I need to make sure that I
understand this issue correctly, as we need to justify the Axis 1.2
dependency.  Seems there are quite a few people out there with Axis 1.1 in
production (though I use the term "production" lightly, most of the work
with SOAP right now is still proof of concept), and for whatever reason
there are hesitancies to upgrade to 1.2 solely to add digital signatures to
the SOAP.

So - even if we can guarantee that the handler performing the signing is the
last handler in the chain, Axis 1.1 could potentially reserialize the
message again, destroying the signature, right?

The 1.2 way, which prevents further reserialization:

ByteArrayOutputStream os = new ByteArrayOutputStream();
XMLUtils.outputDOM(doc, os, true);
String osStr = os.toString();
//Axis 1.2 specific
soapPart.setCurrentMessage(osStr, SOAPPart.FORM_STRING);

The 1.1 way, which allows the message to be potentially reserialized by
Axis, despite the signing handler being last in the outbound chain:

org.apache.axis.Message m =
(org.apache.axis.Message)AxisUtil.toSOAPMessage(doc);
messageContext.setCurrentMessage(m);

Are those statements correct?  If so, can you elaborate/clarify on when this
could happen?  From Werner's reply to Richard Baker from Solers, I've
gleaned the following scenarios for reserialization:

1) If you have attached an attachment
2) If you have complex datatypes in your message and multi-refs are enabled

Are these accurate?  Are there any others?

	-Jon

-----Original Message-----
From: Dittmann Werner [mailto:werner.dittmann@siemens.com]
Sent: Friday, March 05, 2004 2:13 AM
To: 'Baker, Richard'; 'dims@yahoo.com'; fx-dev@ws.apache.org
Subject: AW: changes for: wss4j with axis-1.1 integrated with WASP 4.7


All,

after checking the proposed diff I've several remarks:

The changes proposed for WSDoAll*() shall not be done.
We explicitly made the
SOAPPart.setMessageContent(int, String) public in
Axis 1.2 because we needed it that way. It is necessary to
use this method to suppress an additional serialization
from DOC format to string (that's why we serialize it in the
handler and set it as FORM_STRING). If Axis would serialize
the SOAP request again _after_ it was signed this could
destroy the signature because Axis may modify the content
(SOAP Body) of the SOAP request during serialization. This
can happen if you have SOAP with Attachments or complex
datatypes and Axis uses multi-refs. It was a quite long
research to figure it out :-).

About the namespaces and value identifiers etc.: these
were changed recently (last Sunday) to be in line with
the current status of the OASIS WSS specification. There
was a discussion about that topic the last two days on
this mailing list. Seems that WASP is not yet following
the latest specs.

Regards,
Werner


> -----Original Message-----
> From: Baker, Richard [mailto:Rich.Baker@solers.com]
> Sent: Thursday, March 4, 2004 20:07
> To: 'dims@yahoo.com'; fx-dev@ws.apache.org
> Subject: RE: changes for: wss4j with axis-1.1 integrated with WASP 4.7
>
>
> Here is a cvs diff -u
>
> -----Original Message-----
> From: Davanum Srinivas [mailto:dims@yahoo.com]
> Sent: Thursday, March 04, 2004 2:05 PM
> To: Baker, Richard; fx-dev@ws.apache.org
> Subject: Re: changes for: wss4j with axis-1.1 integrated with WASP 4.7
>
>
> Rich,
>
> Can you please send a "cvs diff -u"?
>
> thanks,
> dims
>
> --- "Baker, Richard" <Ri...@solers.com> wrote:
> >
> > Attached is a diff for changes I have made to wss4j to get
> it to compile
> and
> > run under axis-1.1, and integrate with WASP 4.7.  The
> majority of the
> > changes are:
> >
> > 	- WSDoAllSender and WSDoAllReceiver both attempt to call
> > SOAPPart.setMessageContent(int, String) which is a private method in
> > axis-1.1.
> >
> > 	- The wsse and wsu namespace definitions were referencing
> > http://www.docs.oasis-open.org URLs that are not supported by WASP.
> Changed
> > them to reference their equivalent http://schemas.xmlsoap.org URLs.
> >
> >  <<wss4j_diff.txt>>
> >
> > Rich Baker
> > Software Engineer
> > Solers, Inc.
> > 1611 N. Kent St., Suite 700
> > Arlington, VA  22209
> > Telephone: 703.841.6121
> > Fax: 703.908.9353
> >
> > > Index: org/apache/ws/axis/security/WSDoAllReceiver.java
> > ===================================================================
> > RCS file:
> /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/axis/security/WS
> DoAllReceiver.
> java,v
> > retrieving revision 1.2
> > diff -r1.2 WSDoAllReceiver.java
> > 68c68
> > < 	 *
> > ---
> > > 	 *
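Review bot: the `<` and `>` lines of this 68c68 hunk read the same, so the only difference is whitespace, and the same holds for most hunks in this patch. Regenerating the diff with whitespace changes ignored (for example with -b), and in the unified format that was asked for, would leave only the functional hunks to review.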
> > 70c70
> > < 	 * @throws AxisFault
> > ---
> > > 	 * @throws AxisFault
> > 104,105c104,105
> > < 			if
> (headerElement.getLocalName().equals(WSConstants.WSSE_LN)
> > < 				&&
> headerElement.getNamespaceURI().equals(WSConstants.WSSE_NS)) {
> > ---
> > > 			if
> (headerElement.getElementName().getLocalName().equals(WSConsta
> nts.WSSE_LN)
> > > 				&&
> headerElement.getElementName().getURI().equals(WSConstants.WSSE_NS)) {
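Review bot: in the 104,105 hunk both comparisons call equals() on the value returned from the header element (getElementName().getLocalName() and getElementName().getURI()), so a null return from either would throw before the check completes. Putting the constants first, as in WSConstants.WSSE_NS.equals(headerElement.getElementName().getURI()), keeps the test null-safe.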
> > 111c111
> > < 			log.debug("Header found: " +
> headerElement.getLocalName());
> > ---
> > > 			log.debug("Header found: " +
> headerElement.getElementName().getLocalName());
> > 116c116
> > < 		 * as NO_SECURITY, otherwise its a fault
> > ---
> > > 		 * as NO_SECURITY, otherwise its a fault
> > 144c144
> > < 		 * To check a UsernameToken or to decrypt an encrypted
> message we need
> > ---
> > > 		 * To check a UsernameToken or to decrypt an encrypted
> message we need
> > 153c153
> > < 		 * Get and check the Signature specific parameters first
> because they
> > ---
> > > 		 * Get and check the Signature specific parameters first
> because they
> > 159c159
> > < 		}
> > ---
> > > 		}
> > 180,186c180,187
> > < 		SOAPPart sPart = (org.apache.axis.SOAPPart)
> sm.getSOAPPart();
> > <
> > < 		ByteArrayOutputStream os = new ByteArrayOutputStream();
> > < 		XMLUtils.outputDOM(doc, os, true);
> > < 		String osStr = os.toString();
> > < 		if (doDebug) {
> > < 			log.debug(osStr);
> > ---
> > > 		try {
> > > 			org.apache.axis.Message m =
> (org.apache.axis.Message)AxisUtil.toSOAPMessage(doc);
> > > 			mc.setCurrentMessage(m);
> > > 		}
> > > 		catch (Exception e) {
> > > 			throw new AxisFault(
> > > 				"WSDoAllReceiver: security processing
> failed",
> > > 				e);
> > 188d188
> > < 		sPart.setCurrentMessage(osStr, SOAPPart.FORM_STRING);
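Review bot: the 180,186 and 188d188 hunks remove sPart.setCurrentMessage(osStr, SOAPPart.FORM_STRING) and hand Axis a Message built from the DOM instead, so the handler no longer fixes the serialized form of the message; the patch should state why that is safe here, or keep the string form where the Axis version allows it. The new catch (Exception e) also folds every failure into one generic AxisFault text, and the doDebug logging of the serialized message in the removed lines has no counterpart in the added ones.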
> > 190c190
> > < 		/*
> > ---
> > > 		/*
> > 193c193
> > <
> > ---
> > >
> > 226,227c226,227
> > < 	}
> > <
> > ---
> > > 	}
> > >
> > 248c248
> > <
> > ---
> > >
> > 269c269
> > <
> > ---
> > >
> > 272c272
> > < 		/* There are currently no other signature
> parameters that
> need to be handled
> > ---
> > > 		/* There are currently no other signature
> parameters that
> need to be handled
> > 277c277
> > <
> > ---
> > >
> > 281c281
> > < 	 */
> > ---
> > > 	 */
> > 285c285
> > < 		/* There are currently no other decryption
> parameters that
> need to be handled
> > ---
> > > 		/* There are currently no other decryption
> parameters that
> need to be handled
> > Index: org/apache/ws/axis/security/WSDoAllSender.java
> > ===================================================================
> > RCS file:
> /home/cvspublic/ws-fx/wss4j/src/org/apache/ws/axis/security/WS
> DoAllSender.ja
> va,v
> > retrieving revision 1.3
> > diff -r1.3 WSDoAllSender.java
> > 66c66
> > <
> > ---
> > >
> > 68c68
> > <
> > ---
> > >
> > 89c89
> > < 	 *
> > ---
> > > 	 *
> > 91c91
> > < 	 * @throws AxisFault
> > ---
> > > 	 * @throws AxisFault
> > 134c134
> > < 		 * Now we perform some set-up for UsernameToken and
> Signature
> > ---
> > > 		 * Now we perform some set-up for UsernameToken and
> Signature
> > 154,155c154,155
> > < 		 *
> > < 		 * This forces Axis to serialize the SOAP request into
> FORM_STRING.
> > ---
> > > 		 *
> > > 		 * This forces Axis to serialize the SOAP request into
> FORM_STRING.
> > 157,158c157,158
> > < 		 *
> > < 		 * During the FORM_STRING serialization Axis performs
> multi-ref of
> > ---
> > > 		 *
> > > 		 * During the FORM_STRING serialization Axis performs
> multi-ref of
> > 161c161
> > < 		 * the complete and final SOAP request as Axis
> would send it
> over
> > ---
> > > 		 * the complete and final SOAP request as Axis
> would send it
> over
> > 164,165c164,165
> > < 		 *
> > < 		 * Now we can perform our security operations on this
> request.
> > ---
> > > 		 *
> > > 		 * Now we can perform our security operations on this
> request.
> > 172c172
> > < 		 * is a chained handler.
> > ---
> > > 		 * is a chained handler.
> > 191c191
> > < 		 * Now get the action specific parameters.
> > ---
> > > 		 * Now get the action specific parameters.
> > 197c197
> > < 		 * Get and check the Signature specific parameters first
> because they
> > ---
> > > 		 * Get and check the Signature specific parameters first
> because they
> > 269c269
> > < 					/*
> > ---
> > > 					/*
> > 271c271
> > <
> > ---
> > >
> > 326c326
> > <
> > ---
> > >
> > 328,329c328,329
> > < 		 * If required convert the resulting document
> into a message
> first.
> > < 		 * The outputDOM() method performs the
> necessary c14n call.
> After
> > ---
> > > 		 * If required convert the resulting document
> into a message
> first.
> > > 		 * The outputDOM() method performs the
> necessary c14n call.
> After
> > 331c331
> > < 		 *
> > ---
> > > 		 *
> > 333c333
> > < 		 *
> > ---
> > > 		 *
> > 339,341c339,341
> > < 		 *
> > < 		 * If noSerialization is false, this handler
> shall be the
> last
> > < 		 * (or only) one in a handler chain.
> > ---
> > > 		 *
> > > 		 * If noSerialization is false, this handler
> shall be the
> last
> > > 		 * (or only) one in a handler chain.
> > 344,345c344,345
> > < 		 * and performs additional security processing steps.
> > < 		 *
> > ---
> > > 		 * and performs additional security processing steps.
> > > 		 *
> > 350,354c350,357
> > < 			ByteArrayOutputStream os = new
> ByteArrayOutputStream();
> > < 			XMLUtils.outputDOM(doc, os, true);
> > < 			String osStr = os.toString();
> > < 			if (doDebug) {
> > < 				log.debug(osStr);
> >
> === message truncated ===
>
>
> =====
> Davanum Srinivas - http://webservices.apache.org/~dims/
>
>