perfsonar-dev - Re: [pS-dev] An important problem with the Axis library

Subject: perfsonar development work

  • From: Nina Jeliazkova <>
  • To: Cándido Rodríguez Montes <>
  • Cc: Nicolas Simar <>,
  • Subject: Re: [pS-dev] An important problem with the Axis library
  • Date: Tue, 27 Nov 2007 12:25:36 +0200

Hi Candido,

Do you know if the problem occurs only with Axis1 or also Axis2?

With SAAJ (SOAP with Attachments API for Java) already integrated within Java 6, perhaps the time has come to consider replacing the Axis library. This could also solve the problem we have with Java Webstart and Java 1.6.

Regards,
Nina

Cándido Rodríguez Montes wrote:
Hi Nicolas and others,
I've spent the last two weeks trying to find a new problem that I got in the AS with the last update of eduGAIN: this doesn't validate the signature of any security token based on a SAML assertion. I couldn't understand this new problem because I was using a method which validates them, but their developers have deprecated it (because it wasn't okay) and they've developed another one which doesn't validate the XML signature.
I wasn't really sure what the problem was or how to fix it, but I've carefully read the source code of the xml-sec, wss4j, opensaml1 and axis libraries (yep, I almost went crazy...) so I could debug step by step how the signature is created by wss4j and how it is validated by opensaml1.
I thought that it was another problem with OpenSAML and its requirement of using DOM v3 and that there was some type of conflict with Axis, which uses DOM v2. But to my surprise, the problem is due to the Axis 1.4 implementation, which has had the following bug open since last year: [1] Axis modifies SOAP request making digital signature invalid. Also, you can read a thread in their mailing list about this problem [2]. I've sent some mails to Axis Users, Axis Devs, OpenSAML1 users and WSS4J devs requesting more information about this problem but I haven't received any response. However, I have a friend working on the XML-SEC library at the Apache Foundation and he told me that there is no solution available right now :(
With X.509-based security tokens we're lucky, because Axis doesn't modify the XML message at all, but for SAML-based ones it's impossible (for me) to find a way to validate them.
I'm not an expert on Axis, so maybe someone could find a solution. I don't know if I've explained this problem very well, but I can try again if you need another (and better) explanation :-)
However, I'm studying the Web Service Security standard, so I'm trying to find a temporary way to send SAML-based security tokens while we discuss this problem and its consequences on this mailing list.

Good night!

[2] http://marc.info/?t=109880676200004&r=1&w=2
--
Cándido Rodríguez Montes E-mail: 
Red.ES/RedIRIS Tel:+34 955 05 66 13
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN




-- 
---------------------------------
Dr. Nina Nikolova-Jeliazkova
Institute for Parallel Processing
Bulgarian Academy of Sciences
Acad. G. Bonchev St 25-A
1113 Sofia, Bulgaria
Tel: +359 886 802011
ICQ: 10705013
www: http://ambit.acad.bg/nina
---------------------------------
PGP Public Key
http://cert.acad.bg/pgp-keys/keys/nina-nikolova-0xEEABA669.asc
	8E99 8BAD D804 1A43 27B7  7F87 CF04 C7D1 EEAB A669
---------------------------------------------------------------
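
The failure mode discussed in this thread, as an added example that is not part of either message and is not code from Axis, WSS4J or OpenSAML: a signed element's reference digest survives only the re-serialization changes that canonicalization absorbs. The thread does not say which change Axis makes, so the three "received" variants are constructed; Python's C14N 2.0 stands in for the canonicalization step of XML Signature, and SHA-256 is an assumed digest algorithm.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: a minimal SAML 1.x style assertion as the sender signed it.
SIGNED = (
    f'<saml:Assertion xmlns:saml="{NS}" AssertionID="_a1" Issuer="idp.example.org">'
    '<saml:AuthenticationStatement AuthenticationMethod="urn:example:method"/>'
    '</saml:Assertion>'
)

# Constructed variant 1: attribute order, quote style and empty-tag form changed.
REORDERED = (
    f"<saml:Assertion Issuer='idp.example.org' AssertionID='_a1' xmlns:saml='{NS}'>"
    "<saml:AuthenticationStatement AuthenticationMethod='urn:example:method'>"
    "</saml:AuthenticationStatement></saml:Assertion>"
)

# Constructed variant 2: the stack pretty-prints, adding whitespace text nodes.
PRETTY = SIGNED.replace("><saml:Auth", ">\n  <saml:Auth").replace("/></", "/>\n</")

# Constructed variant 3: the stack rewrites the namespace prefix.
REPREFIXED = SIGNED.replace("saml:", "ns1:").replace("xmlns:saml", "xmlns:ns1")


def reference_digest(xml_text):
    """Digest of the canonical form, the value a signature Reference carries."""
    canonical = canonicalize(xml_data=xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def survives(signed_xml, received_xml):
    """True if the receiver recomputes the digest the signer computed."""
    return reference_digest(signed_xml) == reference_digest(received_xml)


if __name__ == "__main__":
    for name, received in [("reordered", REORDERED), ("pretty-printed", PRETTY),
                           ("re-prefixed", REPREFIXED)]:
        verdict = "digest matches" if survives(SIGNED, received) else "digest MISMATCH"
        print(f"{name:15s} {verdict}")
```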


