If you want to authenticate with an X.509 certificate over TLS, you
need a policy that uses the TransportBinding (which doesn't require
client authentication) and specifies an EndorsingSupportingToken that
contains an X509Token. Something like:

<wsp:Policy wsu:Id="DoubleItTransportEndorsingPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding>
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken>
                                <wsp:Policy/>
                            </sp:HttpsToken>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp />
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic128 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:EndorsingSupportingTokens>
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssX509V3Token10 />
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </sp:EndorsingSupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Colm.

On Mon, May 21, 2012 at 7:32 PM, semecxf <[email protected]> wrote:
> I have following policy for user authenticating with X509 certificate, but I
> did not find any interceptor to get user info from certificate. Any idea to
> deal with X509 certificate authentication?
> I already tried sign and encrypt they work fine, I just want authentication.
>
> <wsp:Policy wsu:Id="UsernameToken_Policy"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>
>     <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>             <sp:X509Token xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>                 <wsp:Policy>
>                     <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>             </sp:X509Token>
>         </wsp:Policy>
>         <sp:TransportToken>
>             <wsp:Policy>
>                 <sp:HttpsToken>
>                     <wsp:Policy/>
>                 </sp:HttpsToken>
>             </wsp:Policy>
>         </sp:TransportToken>
>     </sp:SupportingTokens>
> </wsp:Policy>
>
> --
> View this message in context: 
> http://cxf.547215.n5.nabble.com/Custom-X509TokenValidator-tp5708191.html
> Sent from the cxf-dev mailing list archive at Nabble.com.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
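As an added illustration (not part of Colm's reply and not CXF or WSS4J code): a small Python check that inspects a WS-SecurityPolicy fragment for the shape described above, a TransportBinding with an HttpsToken plus an EndorsingSupportingTokens element holding an X509Token that is included in the message, and an IncludeTimestamp for the endorsing token to sign. It is run against constructed copies of both policies in this thread, with the namespace declarations that the original snippets omit filled in, and accepts both the 2005/07 and the 200702 sp namespaces. The checker's function names and its list of findings are this example's own.

```python
# Structural lint for an "X.509 client auth over TLS" WS-SecurityPolicy.
# Added example; not CXF's policy engine. Uses only the standard library.
import xml.etree.ElementTree as ET

SP_NAMESPACES = (
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",  # WS-SecurityPolicy 1.2
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",        # WS-SecurityPolicy 1.1
)

# Constructed from Colm's policy, with the xmlns declarations added so it parses.
GOOD_POLICY = """<wsp:Policy wsu:Id="DoubleItTransportEndorsingPolicy"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken><wsp:Policy/></sp:HttpsToken></wsp:Policy></sp:TransportToken>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
    </wsp:Policy></sp:TransportBinding>
    <sp:EndorsingSupportingTokens><wsp:Policy>
      <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
      </sp:X509Token>
    </wsp:Policy></sp:EndorsingSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed from the policy in the question (sp 1.1 namespace).
BAD_POLICY = """<wsp:Policy wsu:Id="UsernameToken_Policy"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
        <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
      </sp:X509Token>
    </wsp:Policy>
    <sp:TransportToken><wsp:Policy><sp:HttpsToken><wsp:Policy/></sp:HttpsToken></wsp:Policy></sp:TransportToken>
  </sp:SupportingTokens>
</wsp:Policy>"""


def _local(tag):
    # "{ns}Name" -> "Name"
    return tag.rsplit("}", 1)[-1]


def _ns(tag):
    # "{ns}Name" -> "ns"
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _find_sp(root, local_name):
    # All elements at or below root with this local name in either sp namespace.
    return [e for e in root.iter()
            if _ns(e.tag) in SP_NAMESPACES and _local(e.tag) == local_name]


def check_x509_over_tls(policy_xml):
    """Return a list of findings; an empty list means the policy has the expected shape."""
    root = ET.fromstring(policy_xml)
    findings = []
    bindings = _find_sp(root, "TransportBinding")
    if not bindings:
        findings.append("no sp:TransportBinding: TLS is not the message-protection binding")
    elif not any(_find_sp(b, "HttpsToken") for b in bindings):
        findings.append("TransportBinding has no sp:HttpsToken as its TransportToken")
    # A TransportToken is only meaningful inside a TransportBinding.
    for tt in _find_sp(root, "TransportToken"):
        if not any(tt in b.iter() for b in bindings):
            findings.append("sp:TransportToken sits outside a TransportBinding")
    endorsing = [x for e in _find_sp(root, "EndorsingSupportingTokens")
                 for x in _find_sp(e, "X509Token")]
    if not endorsing:
        findings.append("no sp:X509Token under sp:EndorsingSupportingTokens: "
                        "the client certificate never endorses (signs) the Timestamp")
    for x in endorsing:
        for key, value in x.attrib.items():
            if _local(key) == "IncludeToken" and not value.endswith(("Always", "AlwaysToRecipient")):
                findings.append("X509Token IncludeToken=%s: certificate not sent to the service" % value)
    if not _find_sp(root, "IncludeTimestamp"):
        findings.append("no sp:IncludeTimestamp: an endorsing token needs a Timestamp to sign")
    return findings


if __name__ == "__main__":
    for name, policy in (("Colm's policy", GOOD_POLICY), ("question's policy", BAD_POLICY)):
        print(name, "->", check_x509_over_tls(policy) or "OK")
```

The check mirrors the point of the reply: under a TransportBinding, TLS protects the message and the endorsing X.509 token proves possession of the client key by signing the Timestamp, so a bare SupportingTokens entry, or a TransportToken outside the binding, gives no authentication even though the certificate is sent.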
