ws-dev mailing list archives

From Nathan Clement <nathan.a.clem...@hotmail.com>
Subject Re: WSS4J: Local id attribute and Signature References
Date Wed, 31 Jul 2013 09:48:11 GMT
Hi Colm,


I understand your reluctance because of the potential impact of such a change.  I’m using
WSS4J via Rampart so there’s not currently a way to supply a CallbackLookup.  If writing
a custom CallbackLookup is my only option, I’ll try submitting a patch to the Rampart devs
that allows the CallbackLookup to be set on the Axis2 MessageContext.


One argument in favour of making the change in WSS4J itself is that these attributes (local
id and xml:id) are mentioned as potential identifiers in section 4 of the WS-Security spec.
It’s ambiguous to me whether support is required for these attributes, but having support
for them would make WSS4J a little more interoperable.


However, I don’t know whether the potential benefit (to me) outweighs any potential downsides
(to other users).


Thanks,


Nathan






From: Colm O hEigeartaigh
Sent: Wednesday, 31 July 2013 6:10 PM
To: dev@ws.apache.org





I'm reluctant to make this kind of change. Can you not just implement your own CallbackLookup
implementation to find Elements using these Ids?

Colm.




On Wed, Jul 31, 2013 at 12:05 AM, Nathan Clement <nathan.a.clement@hotmail.com> wrote:



Hi Colm,

Thanks for your help on this.  Would it also be possible to change WSSecurityUtil.findElementById
to add these 2 attributes as well?  I've added the following lines in my local copy of the
source:

                if ("".equals(attributeNS) || !id.equals(attributeNS)) {
                    attributeNS = se.getAttributeNS(null, "id");
                }
                if ("".equals(attributeNS) || !id.equals(attributeNS)) {
                    attributeNS = se.getAttributeNS(WSConstants.XML_NS, "id");
                }

Thanks,

Nathan




Date: Wed, 24 Jul 2013 12:03:14 +0100
Subject: Re: WSS4J: Local id attribute and Signature References
From: coheig@gmail.com
To: dev@ws.apache.org





> I implemented my own CallbackLookup to look up referenced elements by local id attribute.
> However, the referenced elements were still not found by WSS4J because
> WSSecurityUtil.storeElementInContext does not know about references using the local "id"
> attribute.



Looks like you've found a bug :-) I've fixed this on trunk by adding a new method to CallbackLookup
to make the implementation responsible for setting the appropriate Id on the Context. On 1.6.x,
I'm going to also register "xml:id" and "id" in WSSecurityUtil.storeElementInContext, to cater
for your use-cases.




> Also, I noticed that the WSSecurityUtil.findElementById method looks for elements using
> both the wsu:Id and local Id attributes (note the capital I in Id).

"Id" is used in the XML Digital Signature specification.

Colm.




On Wed, Jul 24, 2013 at 5:48 AM, Nathan Clement <nathan.a.clement@hotmail.com> wrote:



Hi Colm,

I implemented my own CallbackLookup to look up referenced elements by local id attribute.
However, the referenced elements were still not found by WSS4J because WSSecurityUtil.storeElementInContext
does not know about references using the local "id" attribute.  I don't see any way that I
can override this behaviour - am I missing something?

Also, I noticed that the WSSecurityUtil.findElementById method looks for elements using both
the wsu:Id and local Id attributes (note the capital I in Id).  I couldn't see this attribute
anywhere in the WS-Security spec.  This seems to have been introduced in r785171.  Is this
attribute required by another spec?



Thanks,

Nathan




Date: Mon, 22 Jul 2013 16:11:13 +0100
Subject: Re: WSS4J: Local id attribute and Signature References
From: coheigea@apache.org
To: dev@ws.apache.org



Hi Nathan,


I guess this is the kind of scenario that you should plug in your own CallbackLookup implementation.
You can set one on the WSSecurityEngine implementation used as the starting point for WS-Security
processing.

Colm.




On Fri, Jul 19, 2013 at 1:37 AM, Nathan Clement <nathan.a.clement@hotmail.com> wrote:




Hi,

The WS-Security spec says in section 4 "ID References":

However, because some key schemas used by this specification don't allow attribute extensibility
(namely XML Signature and XML Encryption), this specification also allows use of their local
ID attributes in addition to the wsu:Id attribute and the xml:id attribute [XMLID]

We are attempting to process an AS4 message, and the AS4 spec (http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/AS4-profile/v1.0/os/AS4-profile-v1.0-os.html)
says in section 5.1.4 regarding the signature reference for the eb:Messaging header:

The eb:Messaging header SHOULD be referenced using the “id” attribute.

WSS4J doesn't seem to support looking up referenced elements by a local id attribute.  DOMCallbackLookup
calls WSSecurityUtil.findElementById which only looks for wsu:Id or Id (with a capital I)
with no namespace.

Should WSS4J allow lookup of a signed element by local id attribute?

i.e.

<eb:Messaging s:mustUnderstand="true" id="ebms_header" ...

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:Reference URI="#ebms_header">

Thanks,

Nathan




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
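
Added example, not part of the thread and not WSS4J code: a stand-alone illustration of the lookup discussed above, resolving a ds:Reference URI against the wsu:Id, Id, id and xml:id attributes using only JDK DOM APIs. The class and method names and the sample envelope (with placeholder SOAP and ebMS namespace URIs) are constructed for illustration; the resolver rejects an id carried by more than one element instead of picking one, so a reference cannot resolve to an element other than the one that was signed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class IdReferenceLookup {  // hypothetical class, for illustration only
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // True if the element carries the id as wsu:Id, local Id, local id or xml:id.
    static boolean hasId(Element e, String id) {
        return id.equals(e.getAttributeNS(WSU_NS, "Id"))
            || id.equals(e.getAttributeNS(null, "Id"))
            || id.equals(e.getAttributeNS(null, "id"))
            || id.equals(e.getAttributeNS(XMLConstants.XML_NS_URI, "id"));
    }
    // Resolves a same-document reference such as "#ebms_header".
    // Returns null when nothing matches; throws when the id is ambiguous.
    static Element resolve(Document doc, String uri) {
        String id = uri.startsWith("#") ? uri.substring(1) : uri;
        if (id.isEmpty()) return null;  // absent attributes read as "", never match on that
        List<Element> hits = new ArrayList<>();
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (hasId(e, id)) hits.add(e);
        }
        if (hits.size() > 1) throw new IllegalStateException("ambiguous id: " + id);
        return hits.isEmpty() ? null : hits.get(0);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample envelope; the namespace URIs are placeholders.
        String xml = "<s:Envelope xmlns:s='urn:example:soap' xmlns:eb='urn:example:ebms'>"
            + "<s:Header><eb:Messaging id='ebms_header'/></s:Header>"
            + "<s:Body xml:id='body'/></s:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // required for getAttributeNS to see namespaces
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println(resolve(doc, "#ebms_header").getNodeName());
        System.out.println(resolve(doc, "#body").getLocalName());
    }
}
```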



