XML Security Tools Proposal
The XML Security Tools is a proposed open source component under the Eclipse Web Tools Project.
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process document) and is written to declare its intent and scope. This proposal is written to solicit additional participation and input from the Eclipse community. You are invited to comment on and/or join the component. Please send all feedback to the Web Tools newsgroup.
The initial contribution PDF document is available.
XML is used almost everywhere nowadays: as configuration files, for data exchange, in XML-enabled databases, web services and many more. Many of these applications and services do not secure their XML documents: neither encryption nor digital signatures are applied. Alternatively, standard transport security such as HTTPS is used. This destroys the advantages of XML and prevents parsing.
XML Security provides many advantages: the XML structure of the XML document remains intact, independent of the applied signature or encryption (or both). Arbitrary elements or element content can be secured, with different keys if desired. XML Security provides end-to-end-security, applying security directly to the message (information), not to the transport.
The XML Security Tools will show developers how to secure XML documents and enable them to use these security features in their own environment. The intention of the tool is to spread the use of XML Security and to show users the power of the W3C recommendations.
The XML Security Tools will be based on a contribution from the XML-Security Plug-In project. This project was created by Dominik Schadow and is hosted on SourceForge. The goal of this project is to give trained and untrained users and developers easy access to XML Security: wizards and views to sign, verify, encrypt and decrypt arbitrary XML documents in different (XML) editors. The intention for the plug-in therefore was to teach users all about XML Security and to enable all users to easily secure their own XML documents. The plug-in is not only focused on e-learning; the XML Security tools can be used in a production environment too.
The XML-Security Plug-In uses the Apache XML Security API (Santuario) for securing XML documents. The included extensive online help enables new users to learn all about XML Security. The plug-in has an English GUI; the help files are completely in German.
Neither W3C recommendation implements or requires new crypto algorithms that are not commonly available (the recommendations require some well-known algorithms and recommend some further optional ones). Apache Santuario does not offer or require any algorithm implementation; neither does the XML-Security Plug-In.
The algorithms that are required by both W3C recommendations are available in a standard Java installation (though possibly not at maximum strength). Crypto libraries like BouncyCastle, which offer some more algorithms, can of course be used as well.
We propose sources under EPL for initial contribution, including customizable signing, verifying, encrypting and decrypting of XML files based on the W3C XML Signature, XML Encryption and other related specifications.
XML Security Tools features are organized into different topics:
- XML Digital Signatures and Verification
- XML Encryption and Decryption
- Utilities such as canonicalization and key generation
The primary focus of the XML Security Tools component will be on extensibility & robustness of basic features.
The contribution will consist of an initial set of source plug-ins based on the XML-Security Plug-In:
- The core plug-in (several wizards, view, preference pages).
- Help contents (information about the W3C recommendations on XML security and a plug-in guide), completely in German.
- Apache Xalan, required by org.apache.xml.security and de.xmlsicherheit.
- Apache XML Security (Santuario).
- Feature containing all four plug-ins.
- Initial Eclipse.org presence in ??? 2008
- CVS repository, seeded with source code from current contribution
- Bugzilla repository
- v0.5: ??? 2009
Initial committers and contributors
The initial committers will initially focus on providing an open, well-documented API. Our agile development process will follow eclipse.org's standards for openness and transparency. Our goal is to provide the infrastructure and APIs needed to allow the integration/generation of additional model search engines. We also plan to help improve the Eclipse platform by submitting patches and extension point suggestions. The initial team will consist of several part-time resources:
Dominik is the developer of the XML-Security Plug-In, the Eclipse e-learning plug-in for XML security, and has been working with XML Security for several years now. He is also the lead of the JCrypTool project, which develops a cryptography e-learning rich client based on the Eclipse Rich Client Platform.
- David Carver - Standards for Technology in Automotive Retail
David is one of the committers on the XSL Tools incubator project. He has been working on the content assistance and XPath parsing abilities. He is also mentoring the XQuery Summer of Code project. He works daily with a wide variety of XML-related technologies for the automotive retail industry.
The Web Services, SOA, and XML communities are obviously the main target and audience for this component. We expect, and will actively pursue during the proposal and incubation phases, active participation.
- Standards for Technology in Automotive Retail - in business-to-business web services, there is a need at times to do payload as well as individual element encryption. The XML Encryption and XML Digital Signature specifications play a vital role in many Web Service specifications.
The existing Web Service and XML developer/user community will be the primary user base. The XML-Security Plug-In already has a (smaller) user community, mainly located in the educational area. Beyond education the XML-Security Plug-In can be of benefit in the following software stacks:
- Service Oriented Architecture
- Web Services
- Encryption of SOAP Headers and Payloads
- Encryption of REST and XML over HTTP web services
- General security of XML file content