perfsonar-dev - An important problem with the Axis library
Subject: perfsonar development work
- From: Cándido Rodríguez Montes <>
- To: Nicolas Simar <>
- Cc:
- Subject: An important problem with the Axis library
- Date: Mon, 26 Nov 2007 23:13:38 +0100
Hi Nicolas and others,

I've spent the last two weeks trying to find a new problem that I got in the AS with the last update of eduGAIN: it doesn't validate the signature of any security token based on a SAML assertion. I couldn't understand this new problem because I was using a method which validates them, but their developers have deprecated it (because it wasn't okay) and they've developed another one which doesn't validate the XML signature.

I wasn't really sure what the problem was or how to fix it, but I've carefully read the source code of the xml-sec, wss4j, opensaml1 and axis libraries (yep, I almost went crazy...) so I could debug step by step how the signature is created by wss4j and how it is validated by opensaml1. I thought that it was another problem with OpenSAML and its requirement of using DOM v3, and that there was some type of conflict with Axis, which uses DOM v2.

But to my surprise, the problem is due to the Axis 1.4 implementation, which has had the following bug open since last year: [1] Axis modifies SOAP request making digital signature invalid. Also, you can read a thread in their mailing list about this problem [2].

I've sent some mails to Axis Users, Axis Devs, OpenSAML1 users and WSS4J devs requesting more information about this problem, but I haven't received any response. However, I have a friend working on the XML-SEC library at the Apache Foundation and he told me that there is no solution available right now :(

With X.509-based security tokens we're lucky, because Axis doesn't modify the XML message at all, but for SAML-based ones it's impossible (for me) to find a way to validate it. I'm not an expert on Axis, so maybe someone could find a solution.

I don't know if I've explained this problem very well, but I can try again if you need another (and better) explanation :-) However, I'm studying the Web Service Security standard, so I'm trying to find a temporary way to send SAML-based security tokens while we discuss this problem and its consequences on this mailing list.

Good night!

[2] http://marc.info/?t=109880676200004&r=1&w=2

--
Cándido Rodríguez Montes
E-mail:
Red.ES/RedIRIS
Tel: +34 955 05 66 13
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN
- An important problem with the Axis library, Cándido Rodríguez Montes, 11/26/2007
- Re: [pS-dev] An important problem with the Axis library, Nina Jeliazkova, 11/27/2007