Hello all!

I am quite new to WS-Security, so chances are I have missed some basic concepts here.
I have the following problem:
We would like to use two separate certificates for a client - one for authentication (different for each client) and one for encryption (being the same for all clients). Symmetric encryption is used, with derived keys. On server side, we would like to make some checks based on the client's certificate (the one used for authentication).

This is what the policy.xml looks like (the SymmetricBinding part):

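<sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
        <!-- Protection token: the X.509 token from which the symmetric
             signing/encryption keys are derived (RequireDerivedKeys).
             IncludeToken/Never means the certificate itself is not carried in
             the message; it is only referenced, so the recipient must already
             hold the matching key material. -->
        <sp:ProtectionToken>
            <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                    <wsp:Policy>
                        <sp:RequireDerivedKeys/>
                        <sp:WssX509V3Token10/>
                    </wsp:Policy>
                </sp:X509Token>
            </wsp:Policy>
        </sp:ProtectionToken>

        <!-- Endorsing supporting token: the per-client authentication
             certificate. AlwaysToRecipient sends it with the request and it is
             referenced by thumbprint. Any server-side check on the client
             identity must be tied to the verification of this endorsing
             signature (and of the certificate's trust chain), not to the
             derived-key principal of the protection token. -->
        <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <sp:RequireThumbprintReference/>
                        <sp:WssX509V3Token10/>
                    </wsp:Policy>
                </sp:X509Token>
            </wsp:Policy>
        </sp:EndorsingSupportingTokens>

        <!-- Algorithm suite. The "Rsa15" suites select RSA PKCS#1 v1.5 key
             transport, which is known to be exposed to padding-oracle attacks
             when combined with XML Encryption; the OAEP-based sp:Basic128
             suite is the safer choice if both endpoints support it. The
             TripleDes suite stays disabled. -->
        <sp:AlgorithmSuite>
            <wsp:Policy>
                <!--  <sp:TripleDesRsa15/> -->
                <sp:Basic128Rsa15/>
            </wsp:Policy>
        </sp:AlgorithmSuite>

        <!-- Strict layout fixes the order of security header elements; the
             timestamp only protects against replay if the server enforces a
             freshness window on it. -->
        <sp:Layout>
            <wsp:Policy>
                <sp:Strict/>
            </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>

        <!-- Encrypting the signature hides the signed references and digest
             values; signing only entire headers and the body avoids
             partially-signed elements. -->
        <sp:EncryptSignature/>
        <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
</sp:SymmetricBinding>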
................................
and the certificate configuration:

            <ramp:RampartConfig
                    xmlns:ramp="http://ws.apache.org/rampart/policy";>
                <ramp:user>client</ramp:user>
                <ramp:encryptionUser>server</ramp:encryptionUser>
                <ramp:passwordCallbackClass>
                    com.client.PWCallback
                </ramp:passwordCallbackClass>
                <ramp:encryptionCypto>
                    <ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">
                            JKS
                        </ramp:property>
                        <ramp:property
name="org.apache.ws.security.crypto.merlin.file">
                            client.jks
                        </ramp:property>
                        <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">
                            clientstore
                        </ramp:property>
                    </ramp:crypto>
                </ramp:encryptionCypto>
                <ramp:signatureCrypto>
                    <ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">
                            JKS
                        </ramp:property>
                        <ramp:property
name="org.apache.ws.security.crypto.merlin.file">
                            clientCrypto.jks
                        </ramp:property>
                        <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">
                            clientCryptoStore
                        </ramp:property>
                    </ramp:crypto>
                </ramp:signatureCrypto>

            </ramp:RampartConfig>

The problem is that I cannot get the authentication certificate from the MessageContext. I tried the following:


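// Walk the WSS4J receive results attached to the message context and dump
// what each processed security element yielded. Casts are guarded so that a
// result with an unexpected principal or timestamp type does not abort the
// loop before the signature result carrying the certificate is reached.
Vector results = (Vector) ctx.getProperty(WSHandlerConstants.RECV_RESULTS);
if (null != results) {
    for (Object result : results) {
        WSHandlerResult hResult = (WSHandlerResult) result;
        Vector hResults = hResult.getResults();
        for (Object hResult1 : hResults) {
            WSSecurityEngineResult eResult = (WSSecurityEngineResult) hResult1;

            // TAG_ACTION may be absent; unboxing a null Integer would throw NPE.
            Integer actionObj = (Integer) eResult.get(WSSecurityEngineResult.TAG_ACTION);
            if (actionObj == null) {
                continue;
            }
            int action = actionObj;

            System.out.println("Action: " + action);

            if (action == WSConstants.TS) {
                // Do not cast: in the WSS4J versions I know the value under
                // TAG_TIMESTAMP is a Timestamp token object, not an Integer,
                // and the cast would throw - confirm against your version.
                Object ts = eResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
                System.out.println("Message has timestamp:" + ts);
            }

            // The principal type depends on how the element was secured: a
            // derived-key result carries WSDerivedKeyTokenPrincipal, while a
            // signature made directly with an X.509 key carries a different
            // Principal. An unconditional cast would throw on the latter and
            // skip every remaining result.
            Object principalObj = eResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);

            System.out.println("Principal:" + principalObj);

            if (principalObj instanceof WSDerivedKeyTokenPrincipal) {
                WSDerivedKeyTokenPrincipal principal = (WSDerivedKeyTokenPrincipal) principalObj;
                System.out.println("Principal name:" + principal.getName());
                // Id of the token the key was derived from - the link back to
                // the underlying X.509 token when the principal is derived-key based.
                System.out.println("principal.getBasetokenId():" + principal.getBasetokenId());
            }

            if (action == WSConstants.SIGN) {
                // NOTE(review): in the WSS4J versions I know, a signature made
                // with a derived (symmetric) key leaves TAG_X509_CERTIFICATE
                // null; only a signature made with an X.509 key populates it.
                // If every SIGN result here is derived-key based, the endorsing
                // signature is presumably not yielding a separate result - verify.
                X509Certificate certificate = (X509Certificate) eResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);

                if (certificate != null) {
                    System.out.println("IssuerDN: " + certificate.getIssuerDN());
                    System.out.println("SubjectDN: " + certificate.getSubjectDN());
                    System.out.println("SerialNumber: " + certificate.getSerialNumber());
                }
            }
        }
    }
}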

but the Principal is based on the derived key (its name is "DerivedKeyId-8932374") and the certificate is always null. I am sure it is something basic I am missing in the configuration, but currently I have no clue what it is.

Please help!






