MYSTREAMFILTER.JAVA 121 printText(xmlr); if(xmlr.isStartElement()){ printAttributes(xmlr); } printPIData(xmlr); System.out.println(" "); } Capturing the Event Stream The next step is to capture the event stream. This is done in basically the same way as in the EventParse.java sample. Filtering the Stream The final step is the filter the stream: public boolean accept(XMLStreamReader reader) { if(!reader.isStartElement() && !reader.isEndElement()) return false; else return true; } Running the Sample When you run the MyStreamFilter sample, the class is compiled, and the XML stream is parsed as events and returned to STDOUT. For example an Author event is returned as follows: EVENT TYPE(1):START_ELEMENT HAS NAME: Author HAS NO TEXT HAS NO ATTRIBUTES EVENT TYPE(2):END_ELEMENT HAS NAME: Author HAS NO TEXT 122 STREAMING API FOR XML Similarly, a Cost event is returned as follows: EVENT TYPE(1):START_ELEMENT HAS NAME: Cost HAS NO TEXT HAS ATTRIBUTES: ATTRIBUTE-PREFIX: ATTRIBUTE-NAMESP: null ATTRIBUTE-NAME: currency ATTRIBUTE-VALUE: INR ATTRIBUTE-TYPE: CDATA EVENT TYPE(2):END_ELEMENT HAS NAME: Cost HAS NO TEXT See earlier in this chapter, in the “Iterator API” and “Reading XML Streams” sections, for a more detailed discussion of StAX event parsing. EventProducerConsumer.java Located in the <JWSDP_HOME>/sjsxp/samples/readnwrite directory, EventPro- ducerConsumer.java demonstrates how to use a StAX parser simultaneously as both a producer and a consumer. The StAX XMLEventWriter API extends from the XMLEventConsumer interface, and is referred to as an event consumer. By contrast, XMLEventReader is an event producer. StAX supports simultaneous reading and writing, such that it is possi- ble to read from one XML stream sequentially and simultaneously write to another stream. This sample shows how the StAX producer/consumer mechanism can be used to read and write simultaneously. This sample also shows how a stream can be modified, and new events can be added dynamically and then written to different stream. EVENTPRODUCERCONSUMER.JAVA 123 Creating an Event Producer/Consumer The first step is to instantiate an event factory and then create an instance of an event producer/consumer: XMLEventFactory m_eventFactory=XMLEventFactory.newInstance(); public EventProducerConsumer() { } . . . try{ EventProducerConsumer ms = new EventProducerConsumer(); XMLEventReader reader = XMLInputFactory.newInstance().createXMLEventReader(new java.io.FileInputStream(args[0])); XMLEventWriter writer = XMLOutputFactory.newInstance().createXMLEventWriter(System.out ); Creating an Iterator The next step is to create an iterator to parse the stream: while(reader.hasNext()) { XMLEvent event = (XMLEvent)reader.next(); if(event.getEventType() == event.CHARACTERS) { writer.add(ms.getNewCharactersEvent(event.asCharacters())); } else { writer.add(event); } } writer.flush(); 124 STREAMING API FOR XML Creating a Writer The final step is to create a stream writer in the form of a new Character event: Characters getNewCharactersEvent(Characters event){ if(event.getData().equalsIgnoreCase("Name1")){ return m_eventFactory.createCharacters(Calendar.getInstance().getTime ().toString()); } //else return the same event else return event; } Running the Sample When you run the EventProducerConsumer sample, the class is compiled, and the XML stream is parsed as events and written back to STDOUT: <?xml version="1.0" encoding="UTF-8"?> <BookCatalogue xmlns="http://www.publishing.org"> <Book> <Title>Yogasana Vijnana: the Science of Yoga</Title> <Author>Dhirendra Brahmachari</Author> <Date>1966</Date> <ISBN>81-40-34319-4</ISBN> <Publisher>Dhirendra Yoga Publications</Publisher> <Cost currency="INR">11.50</Cost> </Book> <Book> <Title>The First and Last Freedom</Title> <Author>J. Krishnamurti</Author> <Date>1954</Date> <ISBN>0-06-064831-7</ISBN> <Publisher>Harper &amp; Row</Publisher> <Cost currency="USD">2.95</Cost> </Book> </BookCatalogue> FURTHER INFORMATION 125 Further Information For more information about StAX, see: • Java Community Process page: http://jcp.org/en/jsr/detail?id=173. • W3C Recommendation “Extensible Markup Language (XML) 1.0”: http://www.w3.org/TR/REC-xml • XML Information Set: http://www.w3.org/TR/xml-infoset/ • JAXB specification: http://java.sun.com/xml/jaxb • JAX-RPC specification: http//java.sun.com/xml/jaxrpc • W3C Recommendation “Document Object Model”: http://www.w3.org/DOM/ • SAX “Simple API for XML”: http://www.saxproject.org/ • DOM “Document Object Model”: http://www.w3.org/TR/2002/WD-DOM-Level-3-Core- 20020409/core.html#ID-B63ED1A3 • W3C Recommendation “Namespaces in XML”: http://www.w3.org/TR/REC-xml-names/ For some useful articles about working with StAX, see: • Jeff Ryan, “Does StAX Belong in Your XML Toolbox?”: http://www.developer.com/xml/article.php/3397691 • Elliotte Rusty Harold, “An Introduction to StAX”: http://www.xml.com/pub/a/2003/09/17/stax.html • “More efficient XML parsing with the Streaming API for XML”: http://www-106.ibm.com/developerworks/xml/library/x-tipstx/ 126 STREAMING API FOR XML 127 4 Introduction to XML and Web Services Security THIS addendum discusses using XML and Web Services Security (XWS- Security) for message-level security. In message-level security, security informa- tion is contained within the SOAP message and/or SOAP message attachment, which allows security information to travel along with the message or attach- ment. For example, a portion of the message may be signed by a sender and encrypted for a particular receiver. When the message is sent from the initial sender, it may pass through intermediate nodes before reaching its intended receiver. In this scenario, the encrypted portions continue to be opaque to any intermediate nodes and can only be decrypted by the intended receiver. For this reason, message-level security is also sometimes referred to as end-to-end secu- rity. 128 INTRODUCTION TO XML AND WEB SERVICES SECURITY Overview This release includes the following XWS-Security features: • Support for securing JAX-RPC applications at the service, port, and oper- ation levels. • XWS-Security APIs for securing both JAX-RPC applications and stand- alone applications that make use of SAAJ APIs only for their SOAP mes- saging. Note: The XWS-Security EA 2.0 APIs are intended to insulate XWS-Security users from possible changes in the internal APIs, however, these APIs are subject to minor changes between 2.0 EA and 2.0 FCS. • A sample security framework within which a JAX-RPC application devel- oper will be able to secure applications by signing, verifying, encrypting, and/or decrypting parts of SOAP messages and attachments. The message sender can also make claims about the security properties by associating security tokens with the message. An example of a security claim is the identity of the sender, identified by a user name and pass- word. • Support for SAML Tokens and the WSS SAML Token Profile (partial). • Support for securing attachments based on the WSS SwA Profile Draft. • Partial support for sending and receiving WS-I Basic Security Profile (BSP) 1.0 compliant messages. For more information about BSP, read Interoperability with Other Web Services. • Enhancements to the SecurityConfiguration Schema from the previous release. • Sample programs that demonstrate using the framework. • Command-line tools that provide specialized utilities for keystore manage- ment, including pkcs12import and keyexport. OVERVIEW 129 The XWS-Security release contents are arranged in the structure shown in Table 4–1 within the Java WSDP release: This implementation of XWS-Security is based on the Oasis Web Services Secu- rity (WSS) specification, which can be viewed at the following URL: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf Some of the material in this chapter assumes that you understand basic security concepts. To learn more about these concepts, we recommend that you explore the following resources before you begin this chapter. • The Java 2 Standard Edition discussion of security, which can be viewed from http://java.sun.com/j2se/1.5.0/docs/guide/security/index.html • The J2EE 1.4 Tutorial chapter titled Security, which can be viewed from http://java.sun.com/j2ee/1.4/docs/tutorial-update2/doc/index.html Table 4–1 XWS-Security directory structure Directory Name Contents <JWSDP_HOME>/ xws-security/etc/ Keystore files, property files, configuration files used for the exam- ples. <JWSDP_HOME>/ xws-security/docs/ Release documentation for the XWS-Security framework. For the latest updates to this documentation, visit the web site at http:// java.sun.com/webservices/docs/1.6/xws-security/index.html. <JWSDP_HOME>/ xws-security/docs/ api API documentation for the XWS-Security framework. <JWSDP_HOME>/ xws-security/lib/ JAR files containing the XWS-Security framework implementa- tion and dependent libraries. <JWSDP_HOME>/ xws-security/sam- ples/ Example code. This release includes sample applications. For more information on the samples, read Are There Any Sample Applications Demonstrating XWS-Security? <JWSDP_HOME>/ xws-security/bin/ Command-line tools that provide specialized utilities for keystore management. For more information on these, read Useful XWS- Security Command-Line Tools. 130 INTRODUCTION TO XML AND WEB SERVICES SECURITY Does XWS-Security Implement Any Specifications? XWS-Security is an implementation of the Web Services Security (WSS) speci- fication developed at OASIS. WSS defines a SOAP extension providing quality of protection through message integrity, message confidentiality, and message authentication. WSS mechanisms can be used to accommodate a wide variety of security models and encryption technologies. The WSS specification defines an end to end security framework that provides support for intermediary security processing. Message integrity is provided by using XML Signature in conjunction with security tokens to ensure that mes- sages are transmitted without modifications. Message confidentiality is granted by using XML Encryption in conjunction with security tokens to keep portions of SOAP messages confidential. In this release, the XWS-Security framework provides the following options for securing JAX-RPC applications: • XML Digital Signature (DSig) This implementation of XML and Web Services Security uses JSR-105 (XML Digital Signature APIs) for signing and verifying parts of a SOAP message or attachment. JSR-105 can be viewed at http://www.jcp.org/en/jsr/ detail?id=105 Samples containing code for signing and/or verifying parts of the SOAP message are included with this release in the directory <JWSDP_HOME>/ xws-security/samples/simple/ . Read Simple Security Configurations Sam- ple Application for more information on these sample applications. • XML Encryption (XML-Enc) This implementation of XML and Web Services Security uses Apache's XML-Enc implementation, which is based on the XML Encryption W3C standard. This standard can be viewed at http://www.w3.org/TR/ xmlenc-core/ . Samples containing code for encrypting and/or decrypting parts of the SOAP message are included with this release in the directory <JWSDP_HOME>/xws-security/samples/simple/. Read Simple Security Configurations Sample Application for more information on these sample appli- cations. • UsernameToken Verification [...]... algorithm=("http://www.w3.org/2001/ 04/ xmlenc#rsaoaep-mgf1p")| "http://www.w3.org/2001/ 04/ xmlenc#kwtripledes"| "http://www.w3.org/2001/ 04/ xmlenc#kwaes128" | "http://www.w3.org/2001/ 04/ xmlenc#kwaes256" | "http://www.w3.org/2001/ 04/ xmlenc#rsa- 141 142 INTRODUCTION TO XML AND WEB SERVICES SECURITY 1_5" /> ? ? . Yoga</Title> <Author>Dhirendra Brahmachari</Author> <Date>1966</Date> <ISBN>81 -40 - 343 19 -4& lt;/ISBN> <Publisher>Dhirendra Yoga Publications</Publisher> <Cost currency="INR">11.50</Cost> </Book> <Book> <Title>The. viewed from http://java.sun.com/j2se/1.5.0/docs/guide/security/index.html • The J2EE 1 .4 Tutorial chapter titled Security, which can be viewed from http://java.sun.com/j2ee/1 .4/ docs/tutorial-update2/doc/index.html Table 4 1 XWS-Security directory structure Directory. specification, which can be viewed at the following URL: http://docs.oasis-open.org/wss/20 04/ 01/oasis-20 040 1-wss-soap-message-security-1.0.pdf Some of the material in this chapter assumes that you