Hi Ruchith,

Thank you very much for your quick answer. I'll try every step ASAP. By the way, just to make sure, I have some questions regarding your answer.

>>3.) Now each requester's signature will be verified by the security
>>module as and when it reaches the service.
If it passes this step, can I say that "it is coming from one of my trusted senders and it has not been tampered with during transfer"?

>>4.) At the service you can identify the client that sent the request
>>using the information available in the message context.
- Do you mean that "even if the incoming message passes the 3rd step, I'm still not aware of the sender, and if I want to identify the sender I need to follow the instructions in the 4th step"?
- If your answer is "yes", is it possible to do this before executing any service instead of at the beginning of each service?

One more question. If I use a client-side certificate-based security model, do I still need to authenticate each message?

Thanks a lot,

Ali Sadik Kumlali

Ruchith Fernando <[EMAIL PROTECTED]> wrote:
Hi Ali,

You can certainly do what you want with Axis2 using the security module.
You have to make sure that:

1.) Configure the service to expect the requests to be signed

2.) Public key certificates of each client must be imported into the
service's keystore. This is required in verifying the cert after
signature verification.

3.) Now each requester's signature will be verified by the security
module as and when it reaches the service.

4.) At the service you can identify the client that sent the request
using the information available in the message context.

There is a vector of security results available in the message context
by the key WSHandlerConstants.RECV_RESULTS.
The following code snippet shows how to extract the java.security.Principal:

import java.security.Principal;
import java.util.Vector;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

Vector results = null;
// get the result Vector from the property
if ((results = (Vector)
        msgContext.getProperty(WSHandlerConstants.RECV_RESULTS)) == null) {
    System.out.println("No security results!!");
    return; // nothing to inspect; continuing would throw a NullPointerException
}

for (int i = 0; i < results.size(); i++) {
    WSHandlerResult hResult = (WSHandlerResult) results.get(i);
    String actor = hResult.getActor(); // WS-Security actor/role these results belong to
    Vector hResults = hResult.getResults();
    for (int j = 0; j < hResults.size(); j++) {
        WSSecurityEngineResult eResult = (WSSecurityEngineResult) hResults.get(j);
        // only the signature result carries the signer's Principal
        if (eResult.getAction() == WSConstants.SIGN) {
            Principal signer = eResult.getPrincipal();
            System.out.println(signer.getName());
        }
    }
}
Thanks,
Ruchith

On 3/16/06, Ali Sadik Kumlali <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> Sorry if this a strange question, but I'm very new to web service security
> topic.
>
> Let me list my situation and needs step by step:
> 1) I have many clients
> 2) Each client has its own certificate
> 3) Each client sends SOAP messages signed with its certificate
> 4) I use Axis2 and WS-Security extensions
> 5) I need to recognize each sender uniquely and verify the message according
> to the sender's own certificate.
> 6) AFAIK, it's not necessary to use Username-token profile if I verify each
> message with sender's certificate.
>
> Some of the items seem very odd. If you believe I'm going the correct
> way, please tell me how to build these up with Axis2. Otherwise, please let
> me know what kind of approach I should use to handle multiple client
> certificates.
>
> Thanks in advance,
>
> Ali Sadik Kumlali
>
>
>
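An added example, not from this thread, of doing step 4 once in an Axis2 handler so the signer is identified (or the request rejected) before any service runs, rather than at the start of each service. It assumes the Axis2 1.x handler API (AbstractHandler, InvocationResponse) and WSS4J's WSSecurityEngineResult; the property name "signer.dn" and the class name are our own choices.

```java
import java.security.Principal;
import java.util.Vector;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/** Hypothetical Axis2 InFlow handler, engaged in a phase after the security module. */
public class SignerIdentificationHandler extends AbstractHandler {

    /** Property name (our own choice) under which the signer's DN is stored for services. */
    public static final String SIGNER_DN = "signer.dn";

    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        Vector results = (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
        Principal signer = findSigner(results);
        if (signer == null) {
            // No verified signature result: refuse before any service logic runs
            throw new AxisFault("Request is not signed by a known client");
        }
        // Every service can now read the sender's identity from the context
        msgContext.setProperty(SIGNER_DN, signer.getName());
        return InvocationResponse.CONTINUE;
    }

    /** Returns the Principal of the first verified SIGN result, or null if none. */
    static Principal findSigner(Vector results) {
        if (results == null) {
            return null;
        }
        for (int i = 0; i < results.size(); i++) {
            WSHandlerResult hResult = (WSHandlerResult) results.get(i);
            Vector hResults = hResult.getResults();
            for (int j = 0; j < hResults.size(); j++) {
                WSSecurityEngineResult eResult = (WSSecurityEngineResult) hResults.get(j);
                // Only the signature result identifies the sender by certificate;
                // timestamp or encryption results carry no sender principal
                if (eResult.getAction() == WSConstants.SIGN) {
                    return eResult.getPrincipal();
                }
            }
        }
        return null;
    }
}
```

The handler only sees RECV_RESULTS if the security module has already run, so it must be placed in a later phase of the InFlow in the module or axis2.xml configuration.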