Posted to soap-dev@ws.apache.org by George I Matkovits <ma...@uswest.net> on 2000/11/29 11:49:07 UTC

Re: Secure SoapV2A, SSL with cryptographic additions and UDDI compliant Security Header Support.

Please find attached the latest Version of Secure SoapV2A source Release (as
promised). This is an extension of the 918 CVS tree. It was tested with Java2
STEXT V1.3 from Sun on both Windows2000 and Linux RG6.2. All the additional jar
requirements are documented within the Java/INFO directory.
It supports:
1.) Fully configurable SSL (You can run it with or without keep-alive, the keep
alive caused some problems with earlier versions of Tomcat -pre V2.31B- and some
non-J2EE compliant Application Servers.)
2.) UDDI compliant Password based authentication with automated installation
scripts for Server ACL management. All other new features are fully
configurable. Standard V2_0 like operation is possible by configuring out the
various extensions in the Soap.properties files (One for each client and one for
the Server). A two line modification to the 'standard' applications is required
to support SSL and the encrypted password header. Two extended applications are
added to the standard sample applications.
3.) DiffieHellman based symmetric triple DESade and DSA encryption support for
encrypting the Security Header based password and signing the Client's
Distinguished Name. Symmetric encryption is about 1000 times more efficient
than a PKI based solution.
4.) This set of cryptographic extensions will be able (eventually) to support
the upcoming Version3_0 Soap's one-to-many Processing Station concept's
authentication, element wise symmetric encryption and signature requirements.
Each station-client pair will need private DESade keys for full pair-wise
privacy. A standard PKI based encryption or SSL methodology can not support
this!
The documentation is rather limited. I will be posting this version against
today's CVS tree later this week, some more encryption documentation and a
'Theory of Operations' Release Note. Sorry for the delay but encryption support
was a very big deal. It almost killed me (-:
Regards - George

"Nelson, Christopher" wrote:

> I have this SSL build against the September/October CVS code.  There have
> been some really useful enhancements since then, and I started the process
> of merging the SSL code with the current build.  I am trying to do this in
> such a way that it can be built with or without SSL by ant depending on the
> presence of JSSE.  This shouldn't be too bad, and I hope to have it done
> this week or early next.  I'll post it when I have it.
>
> -----Original Message-----
> From: nathanwray [mailto:nwray@mich.com]
> Sent: Monday, November 27, 2000 1:27 PM
> To: soap-dev@xml.apache.org
> Subject: Re: SOAP and SSL
>
> I'll send you the code drop directly to avoid burdening the list.  The code
> requires a JSSE compliant library to support HTTPS (like Sun's), as well as
> the known requirements for SOAP 2.0.  This code base forked from SOAP around
> September/October, so it may be worthwhile to diff it against the current
> 2.0 CVS tree to pick up other improvements/fixes.
>
> -Nathan
>
> Matthew Geis wrote:
>
> > Nathan -- could you send me over your SSL soap release?  I'm interested in
> > looking at it and in implementing it for a project, if it's ready.  What
> > are the dependencies (JSSE?)?
> >
> > Thanks in advance,
> > Matt
> >
> > -----Original Message-----
> > From: nathanwray [mailto:nwray@mich.com]
> > Sent: Monday, November 27, 2000 8:58 AM
> > To: soap-dev@xml.apache.org
> > Subject: Re: SOAP and SSL
> >
> > Chris, I have an SSL SOAP release that is derived from George's codebase if
> > you're interested.  The SSL changes are pretty trivial, it would be easy
> > to replicate them in the current codebase.
> >
> > Let me know if I can help.
> > -Nathan
> >
> > "Nelson, Christopher" wrote:
> >
> > > George, is there any possible we could just commit the SSL encryption
> > > code and defer authentication?  SSL encryption is certainly very useful
> > > on its own without cert authentication.  I think quite a few people,
> > > myself included, are interested in seeing SSL soon and do not require the
> > > cert stuff.  While I think the other things you are adding are very
> > > interesting and useful, I do not see a dependency here.  Since the SSL
> > > code is not over complex, I could perhaps rewrite it if you would prefer
> > > I not check in your code.  IMHO, we need SSL checked in ASAP.
> > >
> > > Thanks,
> > >
> > > -----Original Message-----
> > > From: Sanjiva Weerawarana [mailto:sanjiva@watson.ibm.com]
> > > Sent: Monday, November 27, 2000 11:24 AM
> > > To: soap-dev@xml.apache.org; matkovitsg@uswest.net
> > > Subject: Re: SOAP and SSL
> > >
> > > Hi George,
> > >
> > > Would it be possible to consider committing just the SSL part? I would
> > > really like to get a new release out and SSL support is important.
> > >
> > > If I remember right that only entailed client-side changes, right?
> > >
> > > Thanks,
> > >
> > > Sanjiva.
> > >
> > > ----- Original Message -----
> > > From: "George I Matkovits" <ma...@uswest.net>
> > > To: <so...@xml.apache.org>
> > > Sent: Monday, November 27, 2000 7:45 AM
> > > Subject: Re: SOAP and SSL
> > >
> > > > Sorry but not yet. I have been very busy doing the next thing with
> > > > encryption and authentication support. I have the new code (which
> > > > is based on SSL) working and will post it later today when I add some
> > > > documentation. I am using Diffie-Hellman PKI as the base for
> > > > symmetric tripleDES encryption and DSA signature generation. It took
> > > > much longer to design than I hoped for and I have not even logged
> > > > in to get my EMAIL for the last 3 weeks. If SSL code complexity is 1
> > > > then this is somewhere around 6 (I just deleted 20k lines of test
> > > > code on Sunday, the current Apache Soap is around 15k lines -). I
> > > > finally got it all working last Friday and I have been testing it on
> > > > NT and Linux. I noticed in my EMAIL that someone offered to check in
> > > > my old SSL code. This version is much, much better and will allow
> > > > for the eventual signature and encryption support of individual XML
> > > > Elements in a store-and-forward environment where SSL becomes
> > > > useless. I will need help in checking it in since it is lots of code.
> > > > Regards - George
> > > > p.s. I would very much like to get the opinion of some cryptographic
> > > > guru at IBM on the strength of the proposed algorithm
> > > >
> > > > Michael Paolini/Austin/IBM wrote:
> > > >
> > > > > Is the SSL work that was being done checked into the Apache SOAP
> > > > > base at this point?
> > > > >
> > > > > Thanks,
> > > > > ~Mike
> > > > >
> > > > > ----------------------------------------------------------------------
> > > > >
> > > > > "A doctor can bury his mistakes, an architect can only advise his
> > > > > client to plant vines...." -Frank Lloyd Wright
> > > > >
> > > > > Internet ID: paolini@us.ibm.com
> > > > > IBM Internal e-mail ID: PAOLINI/Austin/IBM
> > > >
> >
> > --
> > Nathan Wray
> > nwray@mich.com
> > --
> > If you lend someone $20, and never see that
> > person again, it was probably worth it.
>
> --
> Nathan Wray
> nwray@mich.com
> --
> If you lend someone $20, and never see that
> person again, it was probably worth it.

Re: Secure SoapV2A, SSL with cryptographic additions and UDDI compliant Security Header Support.

Posted by George I Matkovits <ma...@uswest.net>.
IMHO the latest Java2 V1.3 environment from Sun fixed some URL connection problems. I just posted SecureSoapV2A now, with authentication and DiffieHellman encryption support, it is based on the 918 CVS tree. I will be reposting later this week with today's CVS tree (I just got it) and will try to include your suggested mods.
Thank you - George

nathanwray wrote:

>
> George, please note two suggestions I have based on my review of an older SecureSoap HTTPUtils.  They greatly reduce the size and computational complexity of two of the methods in that class.  This might be moot as there seems to be general consensus that URLConnection is not the right direction for SOAP.
>
>
> (1) The method getURLConnectionResponseSize:
>
>     public static int getURLConnectionResponseSize(URLConnection urlConnectionObject)
>     {
>         int numHeaders=0;
>         int headerCnt =0;
>         int respContentLength =0;
>         Vector headers = new Vector(6); //will grow dynamically
>         Vector headerValues = new Vector(6);
>         //extract response headers from ConnectionObject
>         for ( int i = 1; i < HTTP_MAX_RESPONSE_HEADERS; i++ )
>         {
>             String s = urlConnectionObject.getHeaderFieldKey(i);
>             if ( s == null )
>             {
>                 break;
>             }
>             headers.addElement(s);
>             numHeaders++;
>         }
>         //create headerValues Vector
>         for ( int ii = 1; ii <= numHeaders; ii++ )
>         {
>             String HdrFld = urlConnectionObject.getHeaderField(ii);
>             headerValues.addElement(HdrFld);
>         }
>         int j = 0;
>         Enumeration e = headers.elements();
>         //extract response length
>         while ( e.hasMoreElements() )
>         {
>             String hdr = (String)e.nextElement();
>             String val = (String)headerValues.elementAt(j);
>             if (hdr.equals("Content-Length"))
>             {
>                 respContentLength = Integer.parseInt (val);
>             }
>             j++;
>             headerCnt++;
>         }
>         return(respContentLength);
>     }
>
> can be replaced with
>
>     private static int getURLConnectionResponseSize (URLConnection urlConnectionObject)
>     {
>         return urlConnectionObject.getHeaderFieldInt("Content-Length", 0);
>     }
>
>
> (2) The method getURLConnectionResponseHashTable
>
>     public static Hashtable getURLConnectionResponseHashTable(URLConnection urlConnectionObject,boolean debug)
>     {
>         int numHeaders=0;
>         int headerCnt =0;
>         Vector headers = new Vector(3); //will grow dynamically
>         Vector headerValues = new Vector(3);
>         Hashtable RetHeaders = new Hashtable();
>
>         for ( int i = 1; i < HTTP_MAX_RESPONSE_HEADERS; i++ )
>         {
>             String s = urlConnectionObject.getHeaderFieldKey(i);
>             if ( s == null )
>             {
>                 break;
>             }
>             headers.addElement(s);
>             numHeaders++;
>         }
>         for ( int ii = 1; ii <= numHeaders; ii++ )
>         {
>             String HdrFld = urlConnectionObject.getHeaderField(ii);
>             headerValues.addElement(HdrFld);
>         }
>         int j = 0;
>         Enumeration e = headers.elements();
>         while ( e.hasMoreElements() )
>         {
>             String head = (String)e.nextElement();
>             String val = (String)headerValues.elementAt(j);
>             RetHeaders.put(val,head);
>             if (debug)
>             {
>                 System.err.println("RESPONSEHEADER" + j + ":" + " **TYPE: " + head + " **VAL: " + val);
>             }
>             j++;
>             headerCnt++;
>         }
>         if (debug)
>         {
>             System.err.flush();
>         }
>         return(RetHeaders);
>     }
>
> Can be replaced with
>
>     private static Hashtable getURLConnectionResponseHashTable
>         (URLConnection urlConnectionObject)
>     {
>         Hashtable headers = new Hashtable();
>
>         String key;
>         int i;
>
>         for (i=1;
>              ((key = urlConnectionObject.getHeaderFieldKey(i)) != null);
>              i++)
>         {
>             headers.put(key, urlConnectionObject.getHeaderField(i));
>         }
>
>         return headers;
>     }
>
>
>
> George I Matkovits wrote:
>
> > Please find attached the latest Version of Secure SoapV2A source Release (as
> > promised).
>
> --
> Nathan Wray
> nwray@mich.com
> --
> If you lend someone $20, and never see that
> person again, it was probably worth it.
>


Re: Secure SoapV2A, SSL with cryptographic additions and UDDI compliant Security Header Support.

Posted by nathanwray <nw...@mich.com>.
George, please note two suggestions I have based on my review of an older SecureSoap HTTPUtils.  They greatly reduce the size and computational complexity of two of the methods in that class.  This might be moot as there seems to be general consensus that URLConnection is not the right direction for SOAP.


(1) The method getURLConnectionResponseSize:

    public static int getURLConnectionResponseSize(URLConnection urlConnectionObject)
    {
        int numHeaders=0;
        int headerCnt =0;
        int respContentLength =0;
        Vector headers = new Vector(6); //will grow dynamically
        Vector headerValues = new Vector(6);
        //extract response headers from ConnectionObject
        for ( int i = 1; i < HTTP_MAX_RESPONSE_HEADERS; i++ )
        {
            String s = urlConnectionObject.getHeaderFieldKey(i);
            if ( s == null )
            {
                break;
            }
            headers.addElement(s);
            numHeaders++;
        }
        //create headerValues Vector
        for ( int ii = 1; ii <= numHeaders; ii++ )
        {
            String HdrFld = urlConnectionObject.getHeaderField(ii);
            headerValues.addElement(HdrFld);
        }
        int j = 0;
        Enumeration e = headers.elements();
        //extract response length
        while ( e.hasMoreElements() )
        {
            String hdr = (String)e.nextElement();
            String val = (String)headerValues.elementAt(j);
            if (hdr.equals("Content-Length"))
            {
                respContentLength = Integer.parseInt (val);
            }
            j++;
            headerCnt++;
        }
        return(respContentLength);
    }

can be replaced with

    private static int getURLConnectionResponseSize (URLConnection urlConnectionObject)
    {
        return urlConnectionObject.getHeaderFieldInt("Content-Length", 0);
    }


(2) The method getURLConnectionResponseHashTable

    public static Hashtable getURLConnectionResponseHashTable(URLConnection urlConnectionObject,boolean debug)
    {
        int numHeaders=0;
        int headerCnt =0;
        Vector headers = new Vector(3); //will grow dynamically
        Vector headerValues = new Vector(3);
        Hashtable RetHeaders = new Hashtable();

        for ( int i = 1; i < HTTP_MAX_RESPONSE_HEADERS; i++ )
        {
            String s = urlConnectionObject.getHeaderFieldKey(i);
            if ( s == null )
            {
                break;
            }
            headers.addElement(s);
            numHeaders++;
        }
        for ( int ii = 1; ii <= numHeaders; ii++ )
        {
            String HdrFld = urlConnectionObject.getHeaderField(ii);
            headerValues.addElement(HdrFld);
        }
        int j = 0;
        Enumeration e = headers.elements();
        while ( e.hasMoreElements() )
        {
            String head = (String)e.nextElement();
            String val = (String)headerValues.elementAt(j);
            RetHeaders.put(val,head);
            if (debug)
            {
                System.err.println("RESPONSEHEADER" + j + ":" + " **TYPE: " + head + " **VAL: " + val);
            }
            j++;
            headerCnt++;
        }
        if (debug)
        {
            System.err.flush();
        }
        return(RetHeaders);
    }

Can be replaced with

    private static Hashtable getURLConnectionResponseHashTable
        (URLConnection urlConnectionObject)
    {
        Hashtable headers = new Hashtable();

        String key;
        int i;

        for (i=1;
             ((key = urlConnectionObject.getHeaderFieldKey(i)) != null);
             i++)
        {
            headers.put(key, urlConnectionObject.getHeaderField(i));
        }

        return headers;
    }



George I Matkovits wrote:

> Please find attached the latest Version of Secure SoapV2A source Release (as
> promised).

--
Nathan Wray
nwray@mich.com
--
If you lend someone $20, and never see that
person again, it was probably worth it.
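
The two replacements above also change how untrusted response headers are handled, which the following added example shows (it is not part of the original post or of the SecureSoap code). StubConnection, originalSize, replacementSize and allValues are hypothetical names, the responses are constructed, and the stub's case-insensitive name lookup is an assumption about how an HTTP handler resolves header names.

```java
import java.net.URI;
import java.net.URLConnection;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class HeaderHandlingDemo {
    /** Constructed stand-in for a server response; it never opens a socket. */
    static class StubConnection extends URLConnection {
        private final String[][] headers; // entry 0 = status line with a null key
        StubConnection(String[][] headers) throws Exception {
            super(URI.create("http://example.invalid/").toURL());
            this.headers = headers;
        }
        @Override public void connect() { }
        @Override public String getHeaderFieldKey(int n) { return n < headers.length ? headers[n][0] : null; }
        @Override public String getHeaderField(int n) { return n < headers.length ? headers[n][1] : null; }
        @Override public String getHeaderField(String name) {
            String value = null; // assumption: names match case-insensitively, last one wins
            for (String[] h : headers) {
                if (h[0] != null && h[0].equalsIgnoreCase(name)) value = h[1];
            }
            return value;
        }
    }

    /** Condensed form of the original method: exact-case match, unguarded parseInt. */
    static int originalSize(URLConnection c) {
        int size = 0;
        String key;
        for (int i = 1; (key = c.getHeaderFieldKey(i)) != null; i++) {
            if (key.equals("Content-Length")) size = Integer.parseInt(c.getHeaderField(i));
        }
        return size;
    }

    /** The replacement from the post: a malformed or missing value yields the default. */
    static int replacementSize(URLConnection c) {
        return c.getHeaderFieldInt("Content-Length", 0);
    }

    /** Keeps every value per header name, which a Hashtable keyed by name cannot. */
    static Map<String, List<String>> allValues(URLConnection c) {
        Map<String, List<String>> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        String key;
        for (int i = 1; (key = c.getHeaderFieldKey(i)) != null; i++) {
            out.computeIfAbsent(key, k -> new ArrayList<>()).add(c.getHeaderField(i));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String[] status = { null, "HTTP/1.1 200 OK" };
        URLConnection lower = new StubConnection(new String[][] { status, { "content-length", "42" } });
        URLConnection bad = new StubConnection(new String[][] { status, { "Content-Length", "42, 42" } });
        URLConnection cookies = new StubConnection(new String[][] {
            status, { "Set-Cookie", "a=1" }, { "Set-Cookie", "b=2" } });

        System.out.println("lower-case name: original=" + originalSize(lower)
            + " replacement=" + replacementSize(lower));
        try {
            originalSize(bad);
        } catch (NumberFormatException e) {
            System.out.println("malformed value: original throws " + e.getClass().getSimpleName());
        }
        System.out.println("malformed value: replacement=" + replacementSize(bad));

        Hashtable<String, String> table = new Hashtable<>();
        String key;
        for (int i = 1; (key = cookies.getHeaderFieldKey(i)) != null; i++) {
            table.put(key, cookies.getHeaderField(i)); // same loop body as the post
        }
        System.out.println("Hashtable keeps " + table + ", all values: " + allValues(cookies));
    }
}
```

Passing -1 rather than 0 as the default to getHeaderFieldInt lets a caller tell a missing or malformed Content-Length from a genuinely empty body.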

