Tuesday, October 30, 2007

I am wondering

... if anyone has actually ever used Axis 1(.4) and ws-security! Today we discovered yet another "feature" of Axis which renders some client requests invalid though they are actually ok.

It is the "extra feature" of checking the order of actions (given by the "action" parameter to WSDoAllReceiver) which causes my headaches this time. If you have no control of the clients from which you receive requests, they may produce XML in which the signature and timestamp may be in "random" order, but Axis expects them to come in the order specified by the "action" parameter. There is no apparent reason why this extra check is done and it does not give any extra security.

Oh well - back to the editor...

Thursday, October 25, 2007

C my pointer?

It's been a while since I last wrote a line of C but I find myself in need of writing an Apache(2) module, so I better dust off my "C for dummies" book and start programming.
I just really dislike the whole "make" process...

Saturday, October 06, 2007

Axis

I've been using Axis 1.x for many years and I did a small test-run of Axis2 some months ago, but it doesn't seem to be any better than Axis1 (just different and a lot less "mature"). The Axis1 branch is way too complex for the problem it's solving. If you fix a bug or implement a feature you are likely to be introducing another couple of bugs, since the code-base is just a big mess.

Well anyways, I just recently fixed a bug in Axis for a project, where the MessageContext's requestMessage was changed before the WSDoAllReceiver handler (for ws-security) had a chance to verify the XML, causing a "Verification failed" error for 2 signature elements. The error was, of course, Axis pretty printing. Some messages worked ok, others were changed, and since the canonicalizer does not change the newlines and blanks, I was unable to verify the messages.

later...
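
The pretty-printing failure described above, as an added example that is not part of the original post and not Axis or WSS4J code: canonicalization absorbs attribute order and quoting but keeps whitespace between elements, so re-indenting a signed body changes its digest. Assumptions: Python's `canonicalize` implements C14N 2.0 rather than whichever algorithm a given message names (both keep text-node whitespace), and the sample message and the `classify` helper are constructed for illustration.

```python
import hashlib
import xml.dom.minidom
from xml.etree.ElementTree import canonicalize

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: the compact body as the client signed it.
SIGNED = (f'<soap:Body xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" wsu:Id="body-1">'
          '<m:getQuote xmlns:m="urn:example:quotes"><m:symbol>ACME</m:symbol>'
          '</m:getQuote></soap:Body>')

# Same body, different attribute order, quoting and in-tag spacing.
RESERIALIZED = (f"<soap:Body  wsu:Id='body-1' xmlns:wsu='{WSU}' "
                f"xmlns:soap='{SOAP}' >"
                "<m:getQuote xmlns:m='urn:example:quotes'>"
                "<m:symbol>ACME</m:symbol></m:getQuote></soap:Body>")


def digest(xml_text, strip_text=False):
    """SHA-256 over the canonical form, like a signature reference digest."""
    canonical = canonicalize(xml_text, strip_text=strip_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pretty_print(xml_text):
    """Re-indent the message the way a pretty-printing serializer would."""
    return xml.dom.minidom.parseString(xml_text).toprettyxml(indent="  ")


def classify(signed_xml, received_xml):
    """Diagnose a digest mismatch between signed and received XML."""
    if digest(signed_xml) == digest(received_xml):
        return "match"
    # strip_text is a diagnostic only: a verifier must never strip
    # whitespace, but equality here pins the mismatch on formatting.
    if digest(signed_xml, True) == digest(received_xml, True):
        return "whitespace-only"
    return "content-changed"


if __name__ == "__main__":
    print("reserialized:", classify(SIGNED, RESERIALIZED))
    print("pretty-printed:", classify(SIGNED, pretty_print(SIGNED)))
    print("edited:", classify(SIGNED, SIGNED.replace("ACME", "OTHER")))
```

A "whitespace-only" result points at a handler or serializer that rewrote the message before verification rather than at tampering with its content.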