axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James M Snell" <jasn...@us.ibm.com>
Subject RE: Today's IRC log (about security)
Date Wed, 09 Jan 2002 00:34:05 GMT
Comments inline...

These comments represent my personal opinion

- James M Snell/Fresno/IBM
    Web services architecture and strategy
    Internet Emerging Technologies, IBM
    544.9035 TIE line
    559.587.1233 Office
    919.486.0077 Voice Mail
    jasnell@us.ibm.com
=================================================================
Have I not commanded you?  Be strong and courageous.  Do not be terrified, 

do not be discouraged, for the Lord your God will be with you wherever you 
go.  
- Joshua 1:9

Please respond to axis-dev@xml.apache.org 
To:     axis-dev@xml.apache.org
cc: 
Subject:        RE: Today's IRC log (about security)





>As I was writing my note to Christian, I noticed that Dims is also having 
some serious fun :) with signing SOAP messages with Axis and xml-security. 
I'm not >sure who else is concerned about this, but would be very 
interesting to find out.
>
>It certainly does not look pretty with Axis right now, but before any 
modifications are done, I suggest to have a little conceptual discussion 
take place. To be >more specific:
>
>1. Should Axis implement SOAP-SEC or WS-Security or both? WS-Security 
seems to cover authentication/authorization as well as 
integrity/encryption. It also >seems more extensible.
>

Neither.  Axis should provide an easy means of manipulating envelopes and 
dispatching requests period.  SOAP-SEC and WS-Security are outside the 
scope of Axis. 

>2. This is not part of any JSR yet. It certainly eventually is going to 
be there. Insiders, any clue... 
>
>3. Axis can be extended with SOAPSecurityHeader derived from SOAPHeader 
with additional methods to take care of SOAP-SEC or WS-Security 
>semantics.
>

This should not be done as part of Axis proper. 

>4. XML-Security can be integrated into Axis to handle 
integrity/encryption. Handlers can be written for sign, verify, encrypt 
and decrypt. These handlers can be >deployed on clients and servers to 
facilitate processing. It would be up to the application to chain them 
properly.
>

Again, these should not be done as part of the core Axis deliverable.

>5. Handlers can be written to extract credentials form the SOAP message 
and do the auth check. Very much like HTTPAuthHandler does now, only that 
>identity comes from the message and not from HTTP session.
>
>To me it appears very important to get it right with Axis. It is all 
about convenience and interoperability. Very few people would be happy 
with purely >Axis-to-Axis operations or working with DOM elements to 
assemble message headers.
>

The most important thing to get right with Axis is the message 
manipulation API and message handling.  SOAP-SEC, WS-Security and XML 
Security are orthogonal, separate components that should not be part of 
the main Axis codebase.

>-- Igor Sedukhin .. (Igor.Sedukhin@ca.com) 
>-- (631) 342-4325 .. 1 CA Plaza, Islandia, NY 11788 


Mime
View raw message