Thank you very much for the answer! I have another question related to Symmetric Binding. I have some problems in this area. I have read the thread called "DerivedKeys in SymmetricBinding", but it only partly touches the problem. Because it could be of someone's interest, I will open a new thread.
Regards,
Dobri

On 10/12/07, Nandana Mihindukulasooriya <[EMAIL PROTECTED]> wrote:
>
> Hi Dobri,
>
> Comments are interleaved.
>
> > so why are you saying the following:
> >
> > "In your case, you don't have any signed parts or signed elements defined. But
> > the policy states to include the time stamp and the time stamp will be signed using
> > the client's certificate. As the policy states IncludeToken="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> > in the recipient token, the binary token will be included in the soap request."
> > Why do I need to have something signed in order to transfer the X509 cert?
>
> You really don't need to sign anything to transfer the certificate. You can
> set the IncludeToken attribute correctly and send the security token. But on
> the server side, when we look for the encryption user, if the property is set
> to "useReqSigCert" what we look for is the certificate that is used to sign
> the request.
>
> > Can you explain it more precisely? Where can I read about that (e.g.
> > articles etc.)? I have not found any good resources about that.
>
> I got the point exactly when I was going through the code. In the RampartUtil
> class, in getReqSigCert():
>
>     Vector wsSecEngineResults = rResult.getResults();
>     /*
>      * Scan the results for the first Signature action. Use the
>      * certificate of this Signature to set the certificate for the
>      * encryption action :-).
>      */
>     for (int j = 0; j < wsSecEngineResults.size(); j++) {
>         WSSecurityEngineResult wser =
>             (WSSecurityEngineResult) wsSecEngineResults.get(j);
>         Integer actInt = (Integer) wser.get(
>             WSSecurityEngineResult.TAG_ACTION);
>         if (actInt.intValue() == WSConstants.SIGN) {
>             return (X509Certificate) wser.get(
>                 WSSecurityEngineResult.TAG_X509_CERTIFICATE);
>         }
>     }
>
> As you can see, with actInt.intValue() == WSConstants.SIGN, we look for the
> signed parts of the message and get the certificate used to sign.
>
> IMHO, I think this is logical, as the user has to sign something and he
> authenticates himself by signing it with his private key. If what you really
> need is to deal with anonymous clients, you can use a symmetric binding with
> derived keys so you don't need a client certificate and can still use the
> server's X509 certificate to derive keys and use those derived keys to sign
> and encrypt both the request and the response message.
>
> Regards,
> Nandana
>
