Hi Ruchith,

I see. My comments below. 

George

-----Original Message-----
From: Ruchith Fernando [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 1:22 AM
To: axis-user@ws.apache.org
Subject: Re: rahas

>>On 12/7/06, George Stanchev <[EMAIL PROTECTED]> wrote:
>>
>> Is there a reason rahas is a module at all? In previous builds rahas 
>> was a service (aar), which I thought makes more sense - after all, it
>> has a service functionality in it, and if someone wants to extend it,
>> why do they have to define a dummy service (as in the test cases) just
>> to serve a RST.

> The main purpose of the rahas.mar is to enable STS functionality on a
> service to support WS-SecureConversation scenarios. In these scenarios
> the service is expected to issue and cancel SecurityContextTokens.

I see. But is there any reason the aar was removed from the build?
And speaking of the aar, I could not make it run under tomcat. It
kept bombing out when trying to load its configuration settings.
I might try to play with it again later on, but meanwhile, have you
been successfully able to drop the aar in tomcat and get a RSTR?

>> Speaking of the test cases in integration, they only run under the 
>> simple HTTP server that comes with axis2.
>> In order to run them under tomcat for example, several changes need to
>> be applied - the TestClient.java needs to be modified to put proper 
>> addressing namespace in the RST message - it uses 
>> AddressingConstants.Submission.WSA_NAMESPACE when it should use 
>> AddressingConstants.Final.WSA_NAMESPACE.
>> Unless there is a way to configure axis2 servlet which namespace to 
>> recognize.

> hmm ... I thought axis2 addressing module can handle any addressing 
> version in incoming messages.

Maybe there is some option I am missing. In the RahasData constructor
the addressing namespace is pulled from the message context:

       this.addressingNs = (String) this.inMessageContext
                .getProperty(AddressingConstants.WS_ADDRESSING_VERSION);

and that is later used in RahasData.processAppliesTo() to extract the 
address element from the epr element. If the message context doesn't 
have addressing headers in it, then it uses the epr to determine the
addressing version (as a comment in RahasData, lines 174-175, suggests).
In the tests, addressing is not used and therefore addressing is only
present in the epr element and things work. But with addressing enabled,
it uses headers with a different version and due to the namespace mismatch
rahas cannot extract the epr element.

The epr addressing namespace doesn't have to match the message namespace,
does it?

>> Is there any plan to finish the trust2 model in wss4j sandbox?
>> It would be nice to have some real api for wst ;-)

> I'm not sure about the trust2 stuff in wss4j ... but you are welcome 
> to suggest any improvements/patches to rahas ... I'll be glad to try 
> to implement/apply them.

Googling around, I found an old thread, where you say that the sandbox 
folder in wss4j contains DOM-based trust implementation and trust2
is a rework but hasn't been finished yet. It looks like it was a good
start.

For example:

http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/sandbox/security/trust/message/token/

In the long run I like having separate (reworked) trust client API and
STS provider. Speaking of which, how about splitting the issuers in
2 parts - issuer and identity provider. The issuer knows how to issue
different tokens as it is now - SAML issuer, UsernameToken issuer, etc.
The IdP provides the subject's identity information which the issuer then
packages into a token. This way, if users want to extend the STS (to
extract subject attributes from LDAP for example) all they have to do
is hook their own IdP.

George 
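
Added example (not part of the original message and not Rahas code): the
namespace mismatch described above, reproduced with plain JDK DOM calls. The
class, method names and sample AppliesTo are constructed for illustration; the
first lookup keys on the addressing version of the message headers, the second
on the namespace the EPR element itself carries.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AppliesToAddressDemo {   // hypothetical class, illustration only
    static final String WSA_SUBMISSION = "http://schemas.xmlsoap.org/ws/2004/08/addressing";
    static final String WSA_FINAL = "http://www.w3.org/2005/08/addressing";
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy";

    // Constructed sample: AppliesTo whose EPR uses the Submission namespace
    static final String APPLIES_TO =
        "<wsp:AppliesTo xmlns:wsp='" + WSP + "'>"
      + "<wsa:EndpointReference xmlns:wsa='" + WSA_SUBMISSION + "'>"
      + "<wsa:Address>http://sts.example.org/service</wsa:Address>"
      + "</wsa:EndpointReference></wsp:AppliesTo>";

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for the *NS lookups below
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(bytes)).getDocumentElement();
    }

    // Lookup keyed on the addressing namespace of the message headers
    static String addressUsingHeaderNs(Element appliesTo, String headerNs) {
        NodeList eprs = appliesTo.getElementsByTagNameNS(headerNs, "EndpointReference");
        if (eprs.getLength() == 0) return null; // EPR is in another namespace: no match
        NodeList addr = ((Element) eprs.item(0)).getElementsByTagNameNS(headerNs, "Address");
        return addr.getLength() == 0 ? null : addr.item(0).getTextContent().trim();
    }

    // Lookup keyed on the EPR element's own namespace, limited to the two known versions
    static String addressUsingEprNs(Element appliesTo) {
        for (Node n = appliesTo.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE || !"EndpointReference".equals(n.getLocalName())) continue;
            String ns = n.getNamespaceURI();
            if (!WSA_SUBMISSION.equals(ns) && !WSA_FINAL.equals(ns)) continue; // unknown version
            NodeList addr = ((Element) n).getElementsByTagNameNS(ns, "Address");
            if (addr.getLength() > 0) return addr.item(0).getTextContent().trim();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Element appliesTo = parse(APPLIES_TO);
        System.out.println("keyed on header ns (Final): " + addressUsingHeaderNs(appliesTo, WSA_FINAL));
        System.out.println("keyed on EPR's own ns:      " + addressUsingEprNs(appliesTo));
    }
}
```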

