axis-java-dev mailing list archives

From Christian Geuer-Pollmann <>
Subject Re: Axis and security (was: Forrest Layout 1.4)
Date Mon, 07 Jan 2002 15:33:04 GMT
Hi Davanum,

I implemented the "XML Signature" spec [1] which is now available under 
[2]. The distribution contains some examples of how XML Signature can be 
created and verified. These are stand-alone-examples which create a DOM 
structure, sign it and write it to a file or verify an existing Signature. 
Well, these examples are quite nice to demonstrate how signatures are 
created and verified, but I wanted to add code on how a SOAP message can be 
signed (at the client) and verified (at the server's side). The "SOAP 
Security Extensions: Digital Signature" [3] describe how XML Signatures are 
'embedded' into a SOAP message.

Well, I'm not a SOAP guru and I don't want to spend weeks installing Tomcat 
and learning how to create SOAP messages. It would be nice to get a small 
'stand-alone-client' and possibly (like Sam showed) a server which gives me 
access to the Message: The client creates a request, and before sending 
this request, I can sign it and put the Signature into the Envelope. The 
server side the same: The server gets a request and before 
processing/dispatching it, I can verify whether the Signature is valid (for 
demonstration purposes using a sample certificate).

A second problem was: Should I provide such an example for "Apache SOAP" or 
"Apache AXIS"?

Maybe this gives an idea about it. BTW; if you wanna see how such an 
example could look like: [4]



--On Monday, 7 January 2002 07:19 -0800 Davanum Srinivas <> 

> Can you elaborate a bit more on your thoughts? An overview of how you
> think we can make SOAP more secure using xml-security...This will help
> generate more ideas.
> Thanks,
> dims
> --- Sam Ruby <> wrote:
>> Note: I'm cross posting to Axis dev.  Please continue the discussion
>> there.
>> Christian Geuer-Pollmann wrote:
>> >
>> > I'm not an Apache SOAP/AXIS user, so it was hard for me to play around
>> > with these tools. I asked soap-user and soap-dev how I can directly
>> > access the soap message as a DOM tree to add a SOAP-SECURITY
>> > signature. Unfortunately no response. I want to add an example to
>> > xml-security how a SOAP message can be signed and this signature can
>> > be verified according to [1]. If there is someone out there who can
>> > show me how to create a simple SOAP msg using AXIS and how I can
>> > modify the resulting DOM tree, I'll provide this example. The only
>> > thing that stopped me was installing tomcat and all these things.
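
The sign-at-client, verify-at-server flow described in the message, as an added example that is not part of the original post or of the xml-security distribution. It uses the JDK's `javax.xml.crypto.dsig` API rather than the Apache xml-security classes and puts a plain `ds:Signature` in the SOAP Header instead of the SOAP-SEC wrapper element. The class name, the `Id='body'` attribute, the sample envelope and the generated key pair are all assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
public class SoapSignDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");
    static Element child(Document d, String ns, String name) {
        return (Element) d.getElementsByTagNameNS(ns, name).item(0);
    }

    // Client side: sign the Body by reference and put ds:Signature into the SOAP Header.
    static void sign(Document d, PrivateKey key) throws Exception {
        child(d, SOAP, "Body").setIdAttribute("Id", true); // lets "#body" resolve
        Reference ref = F.newReference("#body", F.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(F.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = F.newSignedInfo(
            F.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            F.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        F.newXMLSignature(si, null).sign(new DOMSignContext(key, child(d, SOAP, "Header")));
    }

    // Server side: validate before dispatching. The key comes from server configuration, not the message.
    static boolean verify(Document d, PublicKey key) throws Exception {
        child(d, SOAP, "Body").setIdAttribute("Id", true); // a re-parsed document needs this again
        DOMValidateContext vc = new DOMValidateContext(key, child(d, XMLSignature.XMLNS, "Signature"));
        return F.unmarshalXMLSignature(vc).validate(vc); // checks SignatureValue and the Body digest
    }

    public static void main(String[] args) throws Exception {
        String msg = "<s:Envelope xmlns:s='" + SOAP + "'><s:Header/>"   // constructed sample request
            + "<s:Body Id='body'><getQuote>IBM</getQuote></s:Body></s:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML Signature processing
        Document d = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(msg.getBytes("UTF-8")));
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // stands in for the sample certificate
        sign(d, kp.getPrivate());
        System.out.println("signed request valid: " + verify(d, kp.getPublic()));
        child(d, SOAP, "Body").getFirstChild().setTextContent("MSFT"); // modify the Body after signing
        System.out.println("modified request valid: " + verify(d, kp.getPublic()));
    }
}
```

A server using this pattern should also confirm that the element the validated Reference points to is the Body it is about to dispatch, since a valid signature only covers what its References name.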
