Posted to java-user@axis.apache.org by "Faucher, Christian" <Ch...@axa-canada.com> on 2005/03/04 15:49:24 UTC

RE : Digital Signatures and Axis 1.2 RC2/RC3

Dims,


SOAP-DSIG (http://www.w3.org/TR/2001/NOTE-SOAP-dsig-20010206/) is completely outdated. OASIS WS-Security is the latest. Axis does not support it either, though there are some samples in Axis itself.
 
I see.  This is why we could not find any documentation after mid-2001!   :-)

When do you need a milestone/release candidate of WSS4J? Let me know. It will have to be after Axis 1.2 is final of course (predicted to be released next weekend, 9th/10th, if there are no show stoppers).
 
Our project (two projects in fact) goes live mid-June/July.  Both using Axis.  Both reusing the same security components.
 
I must say that our first choice is to have the connections between remote (but well-identified) clients using HTTPS through the Internet, with server and client certificates so that servers can confirm their identities.
 
However, one of these "well-identified clients" has a problem using a client certificate, and is proposing a certificate contained in the SOAP header (the "alternate solution"), that we will have to validate, hence the question about digital signatures.
 
To answer your question about WSS4J, I would need it quite soon, say mid-April timeframe, so we have time to test the "alternate solution", if need be.
    
BR,
 
Christian Faucher
 
 
 


thanks,
dims


On Thu, 3 Mar 2005 17:46:26 -0500, Faucher, Christian <Ch...@axa-canada.com> wrote:
> 
> 
> Hi all,
>  
> We've been investigating a way to certify that the client calling our
> server is really the expected client.  We came across digital
> signatures (SOAP-DSIG).
>  
> Is this a supported feature by Axis?  Or do I need to install WSSE as
> well?
> Is it supported as well by .NET in a compatible way?
>  
> In our case, the server-side processing could be a Handler
> intercepting the SOAP request, looking for SOAPSEC, getting the signature
> and validating it.  But we would like to avoid as much as possible WSSE4J
> (time constraints, nothing personal...).
>  
> Christian Faucher
> 
> Concepteur/Designer
> AXA Canada Tech
> 2020, rue University, Bureau 600
> Montréal (Québec) H3A 2A5
> T: (514) 282-6817, x2943
> F:  (514) 282-6017
> Email: christian.faucher@axa-canada.com
>  
>  ________________________________
> 
> "This e-mail message is confidential, for the exclusive use of the
> addressee and its contents shall not constitute a commitment by AXA,
> except as otherwise specifically provided in writing by AXA. Any
> unauthorized disclosure, use or dissemination, either whole or
> partial, is prohibited. If you are not the intended recipient of the
> message, please notify the sender immediately."


--
Davanum Srinivas - http://webservices.apache.org/~dims/