Hi there,

I would like to propose adding a branch (well, a namespace) to the sources containing some classes to facilitate adding WSS features to the Axis SOAP engine. I wrote the classes using Apache XML Security, so I thought it might be nice to add them either to the official source or to the samples.

I have the following use cases completed:

- signing of requests
- signing of responses (in both cases it is configurable whether a JKS keystore or a PKCS12 container holds the keys; it is certainly possible to implement a wider variety here!)
- simple verification of signed requests (actually this is pretty much the same as the Axis sample)
- simple verification of signed responses (actually this is pretty much the same as the Axis sample)
- configurable verification of requests/responses
  - must the request/response be signed?
  - must the certificate be trusted?
  - must the certificate contain a CRLDP?
  - must the CRL be accessible?
  - ...

This can certainly be extended with configuration options for a finer-grained policy. The last variant depends on the IAIK crypto provider (because of its built-in support for easily retrieving and checking CRLs).

The encryption support is currently being tested. There is only one use case as yet:

- responses to signed requests are encrypted using the public key found in the certificate; the nodes to encrypt are selected based on XPath expressions specified in the server-config.wsdd.

Do you think this could be a useful extension of the xml-security project? I am a little hesitant, because it hinges on two dependencies: Axis and xml-security. Do you think it would be better off below Axis?

Juergen Key