You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by Davanum Srinivas <da...@gmail.com> on 2004/05/25 20:58:41 UTC

Re: AW: [jira] Updated: (WSFX-8) Suggestion for a more flexible handl ing of UsernameTokens

I agree with Werner on this.

thanks,
dims

On Tue, 25 May 2004 08:31:24 +0200, Dittmann Werner
<we...@siemens.com> wrote:
> 
> Christof, Dims, all,
> 
> WSSecurityEngine handles/verfies the SOAP messages according
> to the OASIS WSS specifications.
> 
> As I understand it, this patche removes the UsernameToken
> handling from WSSecurityEngine and moves it into Axis handler
> space. This contradicts the idea of having an independant
> WSS library that handles WSS compliant SOAP messages. The WSS4J
> library is usable for other implementations as well,
> not only for Axis handlers. The Axis handlers that are delivered
> with WSS4J are just one implementation that uses the WSS4J functions.
> 
> This idea also breaks the interface contract of WSSecurityEngine
> because it does not verfiy the received message and reports
> (via exception) failures.
> 
> A better idea would be to have (optional) plugins inside the
> WSSecurityEngine.handleUsernameToken() and
> WSSAddUsernameToken.build() that deal with specific elements
> inside USernameToken. Changes must not break the interface contract
> in any way.
> 
> Regards,
> Werner
> 
> > -----Ursprüngliche Nachricht-----
> > Von: jira@apache.org [mailto:jira@apache.org]
> > Gesendet: Montag, 24. Mai 2004 15:48
> > An: fx-dev@ws.apache.org
> > Betreff: [jira] Updated: (WSFX-8) Suggestion for a more
> > flexible handling of UsernameTokens
> >
> >
> > The following issue has been updated:
> >
> >     Updater: Christof Soehngen (mailto:christof.soehngen@syracom.de)
> >        Date: Mon, 24 May 2004 6:46 AM
> >     Changes:
> >              Attachment changed to WSDoAllReceiver.java.patch
> >
> > ---------------------------------------------------------------------
> > For a full history of the issue, see:
> >
> >   http://issues.apache.org/jira/browse/WSFX-8?page=history
> >
> > ---------------------------------------------------------------------
> > View the issue:
> >   http://issues.apache.org/jira/browse/WSFX-8
> >
> > Here is an overview of the issue:
> > ---------------------------------------------------------------------
> >         Key: WSFX-8
> >     Summary: Suggestion for a more flexible handling of UsernameTokens
> >        Type: Improvement
> >
> >      Status: Unassigned
> >    Priority: Major
> >
> >     Project: WSFX
> >  Components:
> >              WSS4J
> >
> >    Assignee:
> >    Reporter: Christof Soehngen
> >
> >     Created: Mon, 24 May 2004 6:45 AM
> >     Updated: Mon, 24 May 2004 6:46 AM
> > Environment: CVS snapshot from 2004-05-24
> >
> > Description:
> > I suggest improving UsernameToken handling to allow the following:
> >  - hook in WSDoAllReceiver for custom validation algorithms
> >  - conserve custom child-elements of the UsernameToken and
> > pass them to the validation algorithm
> >
> > Problems with the existing code are:
> >  - validation takes place WSSecurityEngine
> >  - additional custom elements of the UsernameToken are discarded
> >
> > I therefore modified the following classes:
> >  - org.apache.ws.security.WSSecurityEngine.java:
> >       * Remove method handleUsernameToken()
> >       * Modify method processSecurityHeader (extraction of
> > UsernameToken)
> >  - org.apache.ws.security.WSSecurityEngineResult.java:
> >       * Add attribute ut
> >       * Add constructor with username token
> >       * Add method getUsernameToken
> >  - org.apache.ws.security.message.WSAddUsernameToken.java:
> >       * Add method addCustomElement()
> >  - org.apache.ws.security.message.token.UsernameToken.java:
> >       * Modify constructor: Read custom elements from XML
> >       * Add attribute customElements
> >       * Add method getCustomElements()
> >       * Add method setCustomElements()
> >  - org.apache.ws.axis.security.WSDoAllReceiver.java:
> >       * Modify method invoke: call hook for validation of
> > UsernameToken (verifyUsernameToken())
> >       * Add method verifyUsernameToken()
> >
> > Any suggestions are welcome,
> > Christof
> >
> >
> > ---------------------------------------------------------------------
> > JIRA INFORMATION:
> > This message is automatically generated by JIRA.
> >
> > If you think it was sent incorrectly contact one of the
> > administrators:
> >    http://issues.apache.org/jira/secure/Administrators.jspa
> >
> > If you want more information on JIRA, or have a bug to report see:
> >    http://www.atlassian.com/software/jira
> >
>