Version 2 (modified by pjkersha, 13 years ago)


Conversion of NDG Security WS Interfaces to use WS-Security

Current Status

The Alpha version of the software uses message-level security based on pyXMLSec and ZSI. WSDL interface message arguments are signed and/or encrypted before dispatch.

Reasons for Change

  • The current solution is bespoke. A more standards-based solution is preferred.
  • The DEWS project requires use of WS-Security.
  • A standardised interface will enable smoother interoperation with clients written in other languages such as Java.
  • A secondary issue is that pyXMLSec can be difficult to use. It would be helpful to remove it as a dependency.
  • pyGridWare + ZSI may give an off-the-shelf solution.

Approaches to a Solution

  • Investigate pyGridWare and experiment with examples
  • Implement a custom solution for WS-Security, but using ZSI. This would give an interface matching what we need, with minimal dependencies on other packages.
  • Look at IBM WebSphere, which is to be used with the DEWS project. Check its WS-Security support and how best to interface to it.

XML Signature

pyGridWare uses the sha package for digest generation and M2Crypto for signing. A DOM-based canonicalisation algorithm has been added to ZSI. This gets a mention on a Python mailing list from May 2002:

Custom Signature Code

Objective: emulate the digital signature using the above and validate it against the pyXMLSec version.

pyXMLSec has been used in NDG up until now with enveloped signatures, e.g. for signed Attribute Certificates. For WS-Security we need to be able to use a reference instead, set to the particular part of the SOAP message body to be signed.
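
The reference-based approach described above, as an added example (not NDG, pyGridWare or pyXMLSec code): it digests only the element carrying a given wsu:Id and builds the matching ds:Reference, where an enveloped signature would use URI="" over the whole document. Assumptions: the sample envelope, the getAttCert operation and all function names are constructed, and the standard library's C14N 2.0 stands in for exclusive canonicalisation, so the digests are not interoperable with other WS-Security stacks; signing the SignedInfo that would carry this Reference is not shown.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample message; the getAttCert operation and its namespace are made up.
ENVELOPE = """<soap:Envelope xmlns:soap="%s" xmlns:wsu="%s">
  <soap:Header/>
  <soap:Body wsu:Id="body-1">
    <getAttCert xmlns="urn:example:ndg"><user>alice</user></getAttCert>
  </soap:Body>
</soap:Envelope>""" % (SOAP, WSU)


def find_by_wsu_id(root, wsu_id):
    """Return the one element with this wsu:Id; a missing or duplicated Id is an error."""
    hits = [el for el in root.iter() if el.get("{%s}Id" % WSU) == wsu_id]
    if len(hits) != 1:
        raise ValueError("wsu:Id %r matched %d elements" % (wsu_id, len(hits)))
    return hits[0]


def digest_of_part(root, wsu_id):
    """Base64 SHA-1 digest of the referenced subtree only (SHA-1 mirrors the page's sha package)."""
    part = copy.deepcopy(find_by_wsu_id(root, wsu_id))
    part.tail = None  # text after the end tag is not part of the signed element
    # Assumption: stdlib C14N 2.0 stands in for the exclusive C14N WS-Security uses.
    canonical = ET.canonicalize(ET.tostring(part, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()


def build_reference(root, wsu_id):
    """ds:Reference pointing at the part (URI="#id"), not URI="" with the enveloped transform."""
    ref = ET.Element("{%s}Reference" % DS, {"URI": "#" + wsu_id})
    ET.SubElement(ref, "{%s}DigestMethod" % DS, {"Algorithm": DS + "sha1"})
    ET.SubElement(ref, "{%s}DigestValue" % DS).text = digest_of_part(root, wsu_id)
    return ref


def reference_is_valid(root, ref):
    """Recompute the digest of the part named by the Reference URI and compare."""
    uri = ref.get("URI", "")
    digest = ref.findtext("{%s}DigestValue" % DS)
    return uri.startswith("#") and digest == digest_of_part(root, uri[1:])
```

Because the digest covers only the referenced part, changes elsewhere in the envelope (for example headers added in transit) leave the Reference valid, while any change inside the Body invalidates it.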

XML Encryption