axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Geuer-Pollmann <>
Subject Re: XML Security Job Offer: Axis Connector
Date Mon, 14 Jan 2002 14:47:20 GMT
Hi dims,

one thing about signed SOAP messages. The xml-security project allows you 
to sign and verify 'resources'. It allows to to request (after you called 
'verify()') to find out _what_ bytes have been signed. Now the problem (not 
a problem for unit testing but for people who really rely on that):

If you get a SOAP message with a Signature, you verify that the signature 
is valid and then you start processing, you shoot yourself into the knee 
because you did not check _what_ was signed. Imagine you want your server 
only to process messages whose complete Body has been signed by the client. 
Then you must check that the Body was signed and nothing unimportant just 
to create a valid Signature. Maybe the discussion on the XML Signature 
Mailing list clarifies this [1].

Note: This is OK for unit testing but for a real-world-Scenario, there must 
be more than simply XMLSIgnature.verify(). This 'more' can be

- is the URI of the signed Resource the Body and is there no transform 
which deleted 'bad' nodes from the document.
- Get the bytes from the Signature object and re-parse them into a new 
document and use THIS new document which contains the pure Body for further 
processing (this second option is - from my point of view - the better and 
more reliable one).



--On Montag, 14. Januar 2002 06:31 -0800 Davanum Srinivas <> 

> Thanks Ted...Checked in the Patches, please cross-check.
> Also,
> Can you please add a Client Side Handler? So that all messages are
> "automatically" signed? One Objective is to be able to run the whole
> automated test suite with this Handler switched on to see if anything
> breaks in either xml-security code or in xml-axis's code. This will also
> enable an Admin type person to ensure that SOAP messages are
> automatically signed as the Handlers can be specified as a setup task
> without needing to modify sources.

View raw message