Kohsuke Kawaguchi wrote:
> I added Header.getAttribute() as requested by the security team. Venu
> said he needed to use it to access attributes like wsu:Id.
>
> Since this can be used to implement methods like getRole(), isRelay(),
> and so on, I added AbstractHeaderImpl that does just that. For most of
> the outbound messages, those methods will never be invoked, so it makes
> sense for messages like JAXBMessage and SourceMessage to use this to
> reduce the code size.
>
> I left StreamMessage as-is, since for this class it's almost guaranteed
> that the isMustUnderstand method and getRole() will be invoked. It will
> be better to scan the attributes once to pick up those messages, as
> opposed to scanning Attributes twice to find them.
>
> I couldn't fix SourceMessage quickly (and I think it needs to be changed
> anyway ---- see my other e-mail), so I left a dummy implementation there
> just to make it compile.
>
Thinking about this a bit more, I am not sure it is strictly required.
In general I presume that verifying a signature will only be performed
on a stream or SAAJ-based message. And for the latter case the
SAAJ-based message will have been created (because of policy) so that
the security pipe will obtain the whole SOAPMessage from the message,
and thus will not use such a method on header.

In this respect it is easy for the header implementation and security to
use the XMLStreamReader and nothing extra needs to be done with any
implementations.

    XMLStreamReader reader = header.readHeader();
    reader.getAttributeValue(
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
        "Id");

I suppose having such a method is mildly more efficient since an
XMLStreamReader instance does not need to be retained, e.g. this:

    String id = header.getAttributeValue(
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
        "Id");
    if (id is referenced) {
        header.writeTo(canonicalXMLWriter);
        // verify signature
    }

compared to:

    XMLStreamReader reader = header.readHeader();
    String id = reader.getAttributeValue(
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
        "Id");
    if (id is referenced) {
        header.writeTo(canonicalXMLWriter);
        // verify signature
    }

header.getAttributeValue could be implemented using the XMLStreamReader
internally if necessary.

We also need similar functionality on Message. The security pipe needs to:

- get the attributes on the SOAP body; and
- serialize out the SOAP body and payload canonically.

So we would need:

    String getAttributeValue(String nsUri, String localName);

or:

    XMLStreamReader readSoapBodyAndPayload();

In addition to:

    void writeSoapBodyPayloadTo(XMLStreamWriter sw);

Paul.
--
Paul Sandoz
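
The "if (id is referenced)" step discussed in this thread, as an added example that is not part of the original e-mail or of the JAX-WS RI code: a plain StAX pass that reads wsu:Id from each header block and from the SOAP Body and reports which of them a ds:Reference in the header points at. The class name SignedParts, the method coverage, the urn:example namespace and the sample envelope are constructed for illustration; the code checks reference coverage only and does not canonicalize or verify the signature.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.stream.*;

public class SignedParts {
    static final String WSU =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    // Maps each header block and the SOAP Body to whether a ds:Reference points at its wsu:Id.
    static Map<String, Boolean> coverage(String envelope) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false); // SOAP input carries no DTD
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(envelope));
        Set<String> referenced = new HashSet<>();        // ids named by ds:Reference URI="#id"
        Map<String, String> ids = new LinkedHashMap<>(); // part local name -> wsu:Id (null if absent)
        String soapNs = null;
        boolean inHeader = false;
        for (int depth = 0; r.hasNext(); ) {
            int ev = r.next();
            if (ev == XMLStreamConstants.START_ELEMENT) {
                depth++;
                String ns = r.getNamespaceURI(), name = r.getLocalName();
                if (depth == 1) soapNs = ns;             // SOAP 1.1 or 1.2, taken from the root
                boolean soap = ns != null && ns.equals(soapNs);
                if (depth == 2 && soap && name.equals("Header")) inHeader = true;
                if ((depth == 2 && soap && name.equals("Body")) || (depth == 3 && inHeader))
                    ids.put(name, r.getAttributeValue(WSU, "Id"));
                if (inHeader && DS.equals(ns) && name.equals("Reference")) {
                    String uri = r.getAttributeValue(null, "URI");
                    if (uri != null && uri.startsWith("#")) referenced.add(uri.substring(1));
                }
            } else if (ev == XMLStreamConstants.END_ELEMENT) {
                if (depth-- == 2) inHeader = false;      // leaving Header or Body
            }
        }
        Map<String, Boolean> out = new LinkedHashMap<>();
        ids.forEach((part, id) -> out.put(part, id != null && referenced.contains(id)));
        return out;
    }
    public static void main(String[] args) throws XMLStreamException {
        String env = // constructed sample; signature abbreviated, urn:example is a placeholder
            "<S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsu='" + WSU + "'"
          + " xmlns:ds='" + DS + "' xmlns:x='urn:example'><S:Header><x:Security><ds:Signature>"
          + "<ds:SignedInfo><ds:Reference URI='#to-1'/><ds:Reference URI='#body-1'/></ds:SignedInfo>"
          + "</ds:Signature></x:Security><x:To wsu:Id='to-1'>urn:svc</x:To><x:Action>urn:op</x:Action>"
          + "</S:Header><S:Body wsu:Id='body-1'><x:p/></S:Body></S:Envelope>";
        System.out.println(coverage(env));
    }
}
```

A part with no wsu:Id is reported as not covered, since an Id-based reference cannot select it; parts are keyed by local name here, so two header blocks with the same name would need a richer key.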