wss-dev message
Subject: SOAP Message Security 1.1 Implementation
- From: "Jason Smith" <jasonsmth987@gmail.com>
- To: wss-dev@lists.oasis-open.org
- Date: Thu, 25 Dec 2008 17:54:16 +0200
Hello,
I am implementing a parser according to the SOAP Message Security 1.1 Spec and I have some questions regarding some parts of the standard that look ambiguous to me:
- It looks like in order to implement SignatureConfirmation as defined in the spec, one has to maintain persistency. Is there a way to work around persistency for that case?
- The standard treats the parsing of multiple Security headers by the same actor as ambiguous - it considers the order in which they are parsed to be undefined. If I want to serve many clients with whom I didn't previously agree on the Security headers parsing order, what would you suggest?
- Can somebody recommend an open-source/free library of encryption/encoding/digest algorithms that will fit the requirements of the SOAP Message Security spec, XML Digital Signatures spec, and XML Encryption spec (sha1, base64, etc.)?
- Would you recommend returning a fault message for an error, such as an invalid key, or just rejecting the message without sending any fault message? I have read recommendations for not returning a value, in order to mitigate cases of DoS.
- All "any" attributes and elements specified in the SOAP Message Security 1.1 Spec, for example /wsse:Security/@{any} and /wsse:Security/{any}, specify the following - "Unrecognized elements SHOULD cause a fault." Would you recommend rejecting the message in such a case as schema invalid? What would be the concern in such a case?
I appreciate any help!
Thanks,
Jason