You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by Davanum Srinivas <da...@gmail.com> on 2004/05/25 20:58:41 UTC
Re: AW: [jira] Updated: (WSFX-8) Suggestion for a more flexible handl ing of UsernameTokens
I agree with Werner on this.
thanks,
dims
On Tue, 25 May 2004 08:31:24 +0200, Dittmann Werner
<we...@siemens.com> wrote:
>
> Christof, Dims, all,
>
> WSSecurityEngine handles/verfies the SOAP messages according
> to the OASIS WSS specifications.
>
> As I understand it, this patche removes the UsernameToken
> handling from WSSecurityEngine and moves it into Axis handler
> space. This contradicts the idea of having an independant
> WSS library that handles WSS compliant SOAP messages. The WSS4J
> library is usable for other implementations as well,
> not only for Axis handlers. The Axis handlers that are delivered
> with WSS4J are just one implementation that uses the WSS4J functions.
>
> This idea also breaks the interface contract of WSSecurityEngine
> because it does not verfiy the received message and reports
> (via exception) failures.
>
> A better idea would be to have (optional) plugins inside the
> WSSecurityEngine.handleUsernameToken() and
> WSSAddUsernameToken.build() that deal with specific elements
> inside USernameToken. Changes must not break the interface contract
> in any way.
>
> Regards,
> Werner
>
> > -----Ursprüngliche Nachricht-----
> > Von: jira@apache.org [mailto:jira@apache.org]
> > Gesendet: Montag, 24. Mai 2004 15:48
> > An: fx-dev@ws.apache.org
> > Betreff: [jira] Updated: (WSFX-8) Suggestion for a more
> > flexible handling of UsernameTokens
> >
> >
> > The following issue has been updated:
> >
> > Updater: Christof Soehngen (mailto:christof.soehngen@syracom.de)
> > Date: Mon, 24 May 2004 6:46 AM
> > Changes:
> > Attachment changed to WSDoAllReceiver.java.patch
> >
> > ---------------------------------------------------------------------
> > For a full history of the issue, see:
> >
> > http://issues.apache.org/jira/browse/WSFX-8?page=history
> >
> > ---------------------------------------------------------------------
> > View the issue:
> > http://issues.apache.org/jira/browse/WSFX-8
> >
> > Here is an overview of the issue:
> > ---------------------------------------------------------------------
> > Key: WSFX-8
> > Summary: Suggestion for a more flexible handling of UsernameTokens
> > Type: Improvement
> >
> > Status: Unassigned
> > Priority: Major
> >
> > Project: WSFX
> > Components:
> > WSS4J
> >
> > Assignee:
> > Reporter: Christof Soehngen
> >
> > Created: Mon, 24 May 2004 6:45 AM
> > Updated: Mon, 24 May 2004 6:46 AM
> > Environment: CVS snapshot from 2004-05-24
> >
> > Description:
> > I suggest improving UsernameToken handling to allow the following:
> > - hook in WSDoAllReceiver for custom validation algorithms
> > - conserve custom child-elements of the UsernameToken and
> > pass them to the validation algorithm
> >
> > Problems with the existing code are:
> > - validation takes place WSSecurityEngine
> > - additional custom elements of the UsernameToken are discarded
> >
> > I therefore modified the following classes:
> > - org.apache.ws.security.WSSecurityEngine.java:
> > * Remove method handleUsernameToken()
> > * Modify method processSecurityHeader (extraction of
> > UsernameToken)
> > - org.apache.ws.security.WSSecurityEngineResult.java:
> > * Add attribute ut
> > * Add constructor with username token
> > * Add method getUsernameToken
> > - org.apache.ws.security.message.WSAddUsernameToken.java:
> > * Add method addCustomElement()
> > - org.apache.ws.security.message.token.UsernameToken.java:
> > * Modify constructor: Read custom elements from XML
> > * Add attribute customElements
> > * Add method getCustomElements()
> > * Add method setCustomElements()
> > - org.apache.ws.axis.security.WSDoAllReceiver.java:
> > * Modify method invoke: call hook for validation of
> > UsernameToken (verifyUsernameToken())
> > * Add method verifyUsernameToken()
> >
> > Any suggestions are welcome,
> > Christof
> >
> >
> > ---------------------------------------------------------------------
> > JIRA INFORMATION:
> > This message is automatically generated by JIRA.
> >
> > If you think it was sent incorrectly contact one of the
> > administrators:
> > http://issues.apache.org/jira/secure/Administrators.jspa
> >
> > If you want more information on JIRA, or have a bug to report see:
> > http://www.atlassian.com/software/jira
> >
>