Author: chatra Date: Fri Apr 21 09:23:52 2006 New Revision: 395932 URL: http://svn.apache.org/viewcvs?rev=395932&view=rev Log: fixed jira issue AXIS2-599 and updated features for 1.0 Modified: webservices/axis2/trunk/java/xdocs/latest/security-module.html webservices/axis2/trunk/java/xdocs/latest/userguide1.html Modified: webservices/axis2/trunk/java/xdocs/latest/security-module.html URL: http://svn.apache.org/viewcvs/webservices/axis2/trunk/java/xdocs/latest/security-module.html?rev=395932&r1=395931&r2=395932&view=diff ============================================================================== --- webservices/axis2/trunk/java/xdocs/latest/security-module.html (original) +++ webservices/axis2/trunk/java/xdocs/latest/security-module.html Fri Apr 21 09:23:52 2006 @@ -1,211 +1,234 @@ -The Security Module + + + + The Security Module +

Securing SOAP Messages with WSS4J

-

Axis2 comes with a module based on WSS4J [1] to provide WS-Security features. This section - explains how to engage and configure the security module. Since the security module inserts - handlers in the system specific pre-dispatch phase, it must be engaged globally. But it is - possible to activate the security module for the inflow or the outflow when required by the - service or the clients.

- -

The security module (security.mar) is available in the axis2.war but it is not engaged by - default.

- -

First it should be engaged by inserting the following in the axis2.xml file.

-
-    <module ref="security"/>
-
- -

The web admin interface can be used when Axis2 is deployed in a servlet container such as Apache - Tomcat.

- -

At the server it is possible to provide security on a per service basis. The configuration - parameters should be set in the service.xml file of the service. The client side config - parameters should be set in the axis2.xml of the client's Axis2 repository.

+

Axis2 comes with a module based on WSS4J [1] to provide WS-Security +features. This section explains how to engage and configure the security +module. Since the security module inserts handlers in the system specific +pre-dispatch phase, it must be engaged globally. But it is possible to +activate the security module for the inflow or the outflow when required by +the service or the clients.

+ +

The security module (security.mar) is available with the Axis2 release.

+ +

First it should be engaged by inserting the following in the axis2.xml +file.

+
    <module ref="security"/>
+ +

The web admin interface can be used when Axis2 is deployed in a servlet +container such as Apache Tomcat.

+ +

At the server it is possible to provide security on a per service basis. +The configuration parameters should be set in the service.xml file of the +service. The client side config parameters should be set in the axis2.xml of +the client's Axis2 repository.

The security module uses two parameters:

- The configuration that can go in each of these parameters are described below:

OutflowSecurity parameter

- This parameter is used to configure the outflow security handler. The outflow handler can be invoked more than once in the outflow one can provide configuration for each of these invocations. The 'action' element describes one of these configurations. Therefore the 'OutflowSecurity' parameter can contain more than one 'action' elements. The schema of this 'action' element is available here. -

An outflow configuration to add a timestamp, sing and encrypt - the message once, is shown in Example 1 and - Example 2 shows how to sign the message twice by chaining the outflow - handler (using two 'action' elements)

+ +

An outflow configuration to add a timestamp, sing and encrypt the message +once, is shown in Example 1 and Example +2 shows how to sign the message twice by chaining the outflow handler +(using two 'action' elements)

Following is a description of the elements that can go in an 'action' - element of the OutflowSecurity parameter

-
+element of the OutflowSecurity parameter

+
+ + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + +
ParameterDescriptionExampleParameterDescriptionExample
itemsSecurity actions for the inflowAdd a Timestamp, Sign the SOAP body and Encrypt the SOAP body
<items> - Timestamp Signature Encrypt</items>
itemsSecurity actions for the inflowAdd a Timestamp, Sign the SOAP body and Encrypt the SOAP body
+ <items> Timestamp Signature Encrypt</items>
userThe user's nameSet alias of the key to be used to sign
<user> bob</user>
userThe user's nameSet alias of the key to be used to sign
+ <user> bob</user>
passwordCallbackClassCallback class used to provide the password required to create the UsernameToken or to - sign the message<passwordCallbackClass> org.apache.axis2.security.PWCallback</passwordCallbackClass>passwordCallbackClassCallback class used to provide the password required to create the + UsernameToken or to sign the message<passwordCallbackClass> + org.apache.axis2.security.PWCallback</passwordCallbackClass>
signaturePropFileproperty file used to get the signature parameters such as crypto provider, keystore and - its passwordSet example.properties file as the signature property file
<signaturePropFile> - example.properties</signaturePropFile>
signaturePropFileproperty file used to get the signature parameters such as crypto + provider, keystore and its passwordSet example.properties file as the signature property file
+ <signaturePropFile> + example.properties</signaturePropFile>
signatureKeyIdentifierKey identifier to be used in referring the key in the signatureUse the serial number of the certificate
<signatureKeyIdentifier> IssuerSerial</signatureKeyIdentifier> -
signatureKeyIdentifierKey identifier to be used in referring the key in the signatureUse the serial number of the certificate
+ <signatureKeyIdentifier> + IssuerSerial</signatureKeyIdentifier>
encryptionKeyIdentifierKey identifier to be used in referring the key in encryptionUse the serial number of the certificate
<encryptionKeyIdentifier>IssuerSerial</encryptionKeyIdentifier> -
encryptionKeyIdentifierKey identifier to be used in referring the key in encryptionUse the serial number of the certificate
+ <encryptionKeyIdentifier>IssuerSerial</encryptionKeyIdentifier>
encryptionUserThe user's name for encryption.
<encryptionUser>alice</encryptionUser>
encryptionUserThe user's name for encryption.
+ <encryptionUser>alice</encryptionUser>
encryptionSymAlgorithmSymmetric algorithm to be used for encryptionUse AES-128
<encryptionSymAlgorithm> - http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>
encryptionSymAlgorithmSymmetric algorithm to be used for encryptionUse AES-128
+ <encryptionSymAlgorithm> + http://www.w3.org/2001/04/xmlenc#aes128-cbc</encryptionSymAlgorithm>
encryptionKeyTransportAlgorithmKey encryption algorithmUse RSA-OAEP
<parameter name="encryptionSymAlgorithm"> - http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</parameter>
encryptionKeyTransportAlgorithmKey encryption algorithmUse RSA-OAEP
+ <parameter name="encryptionSymAlgorithm"> + http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</parameter>
signaturePartsSign multiple parts in the SOAP messageSign Foo and Bar elements qualified by "http://app.ns/ns"
<signatureParts> - {Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar </signatureParts> -
signaturePartsSign multiple parts in the SOAP messageSign Foo and Bar elements qualified by "http://app.ns/ns"
+ <signatureParts> + {Element}{http://app.ns/ns}Foo;{Element}{http://app.ns/ns}Bar + </signatureParts>
optimizePartsMTOM Optimize the elements specified by the XPath queryOptimize the CipherValue
<optimizeParts> - //xenc:EncryptedData/xenc:CipherData/xenc:CipherValue </optimizeParts>
optimizePartsMTOM Optimize the elements specified by the XPath queryOptimize the CipherValue
+ <optimizeParts> + //xenc:EncryptedData/xenc:CipherData/xenc:CipherValue + </optimizeParts>
-
+
+

InflowSecurity parameter

-

This parameter is used to configure the inflow security handler. The 'action' element is used to - encapsulate the configuration elements here as well. The schema of the 'action' element is - available here. - Example 3 shows the configuration to decrypt, verify signature and validate - timestamp.

+

This parameter is used to configure the inflow security handler. The +'action' element is used to encapsulate the configuration elements here as +well. The schema of the 'action' element is available here. Example 3 shows the configuration to decrypt, verify +signature and validate timestamp.

+ + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + +
ParameterDescriptionExampleParameterDescriptionExample
itemsSecurity actions for the inflowfirst the incoming message should be decrypted and then the signatures should be - verified and should be checked for the availability of the Timestamp
<items> - Timestamp Signature Encrypt</items>
itemsSecurity actions for the inflowfirst the incoming message should be decrypted and then the + signatures should be verified and should be checked for the + availability of the Timestamp
+ <items> Timestamp Signature Encrypt</items>
passwordCallbackClassCallback class used to obtain password for decryption and UsernameToken - verification
<passwordCallbackClass> org.apache.axis2.security.PWCallback</passwordCallbackClass> -
passwordCallbackClassCallback class used to obtain password for decryption and + UsernameToken verification
+ <passwordCallbackClass> + org.apache.axis2.security.PWCallback</passwordCallbackClass>
signaturePropFileProperty file used for signature verification
<signaturePropFile> sig.properties</signaturePropFile>
signaturePropFileProperty file used for signature verification
+ <signaturePropFile> + sig.properties</signaturePropFile>
decryptionPropFileProperty file used for decryption
<decryptionPropFile> dec.properties</decryptionPropFile>
decryptionPropFileProperty file used for decryption
+ <decryptionPropFile> + dec.properties</decryptionPropFile>
-
+
+ -

Please note that the '.properties' files used in properties such as OutSignaturePropFile are the - same property files that are using in the WSS4J project. - Following shows the properties defined in a sample property file

- - -
-        org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+

Please note that the '.properties' files used in properties such as +OutSignaturePropFile are the same property files that are using in the WSS4J +project. Following shows the properties defined in a sample property file

+
        org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
         org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
         org.apache.ws.security.crypto.merlin.keystore.password=security
         org.apache.ws.security.crypto.merlin.keystore.alias=16c73ab6-b892-458f-abf5-2f875f74882e
         org.apache.ws.security.crypto.merlin.alias.password=security
         org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT
     
- - -org.apache.ws.security.crypto.provider defines the implementation of the -org.apache.ws.security.components.crypto.Crypto -interface to provide the crypto information required by WSS4J. The other properties defined are the -configuration -properties used by the implementation class (org.apache.ws.security.components.crypto.Merlin). +org.apache.ws.security.crypto.provider defines the implementation of +the org.apache.ws.security.components.crypto.Crypto interface to provide the +crypto information required by WSS4J. The other properties defined are the +configuration properties used by the implementation class +(org.apache.ws.security.components.crypto.Merlin).

References

1. Apache WSS4J

-
+
+

Examples

-

Example 1: An outflow configuration to add a timestamp, sing and encrypt - the message once

+

Example 1: An outflow configuration to add a timestamp, sing and +encrypt the message once

-

-

+

-

Example 2: An outflow configuration to sign the message twice and add a timestamp

+

Example 2: An outflow configuration to sign the message twice and +add a timestamp

-

-

+

-

Example 3: An inflow configuration to decrypt, verify signature and validate - timestamp

+

Example 3: An inflow configuration to decrypt, verify signature +and validate timestamp

-

-

- \ No newline at end of file +

+ + Modified: webservices/axis2/trunk/java/xdocs/latest/userguide1.html URL: http://svn.apache.org/viewcvs/webservices/axis2/trunk/java/xdocs/latest/userguide1.html?rev=395932&r1=395931&r2=395932&view=diff ============================================================================== --- webservices/axis2/trunk/java/xdocs/latest/userguide1.html (original) +++ webservices/axis2/trunk/java/xdocs/latest/userguide1.html Fri Apr 21 09:23:52 2006 @@ -135,60 +135,57 @@

Axis2 Complete Features List

    -
  1. AXIOM, an XML object model working on StAX (Streaming API for XML) parsing optimized for SOAP 1.1/1.2 Messages. This has complete XML infoset support.
  2. -
  3. Support for One-Way Messaging (In-Only) and Request Response Messaging (In-Out)
  4. -
  5. Module Architecture, mechanism to extend the SOAP Processing Model
  6. -
  7. Module version support , can have multiple versions of the same module and use them depending on the requirement.
  8. -
  9. Content hierarchy
  10. -
  11. Archive based deployment Model and Directory based deployment model
  12. -
  13. JWS like deployment (making Java class into Web service)
  14. -
  15. WSDL Code Generation Tool for Stub and skeletons
  16. -
  17. WS-Addressing, both the submission (2004/08) and final (2005/08) versions
  18. -
  19. WSS4J module for security
  20. -
  21. Improved and user friendly Client API
  22. -
  23. WSDL2Java and Java2WSDL
  24. -
  25. REST (REpresentational State Transfer) Support
  26. -
  27. Transports supports: HTTP, SMTP, TCP, JMS
  28. -
  29. Raw XML providers
  30. -
  31. Support for MTOM/ MIME/ SwA
  32. -
  33. SAAJ implementation
  34. -
  35. DOOM
  36. -
  37. Pack/Unpack capability for the generated code
  38. -
  39. Axis Data Binding - ADB (Framework and Schema Compiler)
  40. -
  41. Numerous bug fixes since last release
  42. -
  43. Transport framework improvements (ListenerManager)- New
  44. -
  45. AxisServlet auto start when application server get start up- New
  46. -
  47. Module dis-engagemnt support- New
  48. -
  49. Loading module (.mar) from classpath- New
  50. -
  51. Sessions scoping for Application, SOAP, Transport and Request levels-New
  52. -
+
  • AXIOM, an XML object model working on StAX (Streaming API for XML) + parsing optimized for SOAP 1.1/1.2 Messages. This has complete XML + infoset support.
  • +
  • Support for One-Way Messaging (In-Only) and Request Response Messaging + (In-Out).
  • +
  • Module Architecture, mechanism to extend the SOAP Processing model.
  • +
  • Module version support, can have multiple versions of the same module + and use them depending on the requirement.
  • +
  • Content hierarchy
  • +
  • Archive based deployment model and Directory based deployment model
  • +
  • JWS like deployment (making Java class into Web service)
  • +
  • WSDL Code Generation tool for stubs and skeletons
  • +
  • WS-Addressing, both the submission (2004/08) and final (2005/08) + versions
  • +
  • WSS4J module for security
  • +
  • Improved and user friendly Client API
  • +
  • WSDL2Java and Java2WSDL
  • +
  • REST (REpresentational State Transfer) Support
  • +
  • Transports supports: HTTP, SMTP, TCP, JMS
  • +
  • Raw XML providers
  • +
  • Support for MTOM/ MIME/ SwA
  • +
  • SAAJ implementation
  • +
  • DOOM (OM DOM implementation)
  • +
  • Pack/Unpack capability for the generated code
  • +
  • Axis Data Binding - ADB (Framework and Schema Compiler)
  • +
  • Transport framework improvements (ListenerManager)
  • +
  • Module disengagemnt support
  • +
  • Loading modules (.mar files) from classpath
  • +
  • Sessions scoping for Application, SOAP, Transport and Request + levels
  • +
  • Server side and client side Web service Policy support
  • +
  • ?wsdl and ?xsd support
  • +
  • Dynamic ServiceClient generation for a given WSDL and invoking the + corresponding service using generated client
  • +
  • WSDL fault handling (fault code generation)
  • +
  • SOAP 1.2 and HTTP binding generation (?wsdl)
  • +
  • Streaming Attachments support for MTOM (SOAP Message Transamission + Optimization Mechanism)
  • Experimental Features List

      -
    1. Server side & client side Web Service Policy support
    2. -
    3. ?wsdl and ?xsd support
    4. -
    5. Generating ServiceClient for a given WSDL and invoke the corresponding service using generated client.
    6. +
    7. URL based deployment mechanism (starting Axis with remote + repository)
    8. +
    9. Unexpanded war support (location of axis2.xml and repository can be + specified in web.xml )
    -

    Major Changes Since Last +

    Tools Included In This Release
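Review bot: two spelling errors are carried into the new feature list: "Module disengagemnt support" should be "Module disengagement support" (the removed line had the same typo), and "SOAP Message Transamission Optimization Mechanism" should be "Transmission". "Transports supports: HTTP, SMTP, TCP, JMS" reads better as "Supported transports: HTTP, SMTP, TCP, JMS". Style: a few items now end with a full stop ("(In-Out).", "SOAP Processing model.") while the rest do not; pick one convention for the whole list.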

    @@ -205,6 +202,19 @@ IDEA plugin-->

    Download above plugins

    + +

    What Still To Do?

    +

    See list of what we think needs to be done, and consider helping out if +you're interested and able!

    +
      +
    1. JAX-RPC 1.1 and/or JAX-WS compliance
    2. +
    3. SOAP Encoding
    4. +
    5. Binary serialization and de-serialization support
    6. +
    7. Resource framework implementation (WS-RF) and Enterprise web services + such as JSR 109 support
    8. +
    9. HTTP transport based on URL.openConnection (to be usable in Java Web + Start clients, because of authenticating proxies)
    10. +

    Previous | Next
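Review bot: "See list of what we think needs to be done" needs an article: "See the list of what we think needs to be done". In the new to-do items, "Resource framework implementation (WS-RF)" is conventionally written "WS-Resource Framework (WS-RF) implementation", and "de-serialization" should match the unhyphenated "serialization" beside it.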