Even this?
<!-- -->
<!-- This bean is an Out interceptor which will add a Timestamp, -->
<!-- sign the Timestamp and Body, and then encrypt the Timestamp -->
<!-- and Body. It uses 3DES as the symmetric key algorithm. -->
<!-- -->
<bean
    class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
    id="TimestampSignEncrypt_Request">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <!-- <entry key="action" value="Timestamp Signature"/> -->
            <entry key="user" value="alice"/>
            <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/security/alice.properties"/>
            <entry key="encryptionPropFile" value="org/apache/cxf/systest/ws/security/bob.properties"/>
            <entry key="encryptionUser" value="Bob"/>
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
            <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
            <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <!-- -->
            <!-- Recommendation: signatures should be encrypted -->
            <!-- -->
            <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <!-- <entry key="encryptionKeyTransportAlgorithm" value="RSA15"/> -->
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
        </map>
    </constructor-arg>
</bean>
<!-- -->
<!-- This bean is an In interceptor which validated a signed, -->
<!-- encrypted response, and timestamped. -->
<!-- -->
<!-- -->
<bean
    class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
    id="TimestampSignEncrypt_Response">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/security/bob.properties"/>
            <entry key="decryptionPropFile" value="org/apache/cxf/systest/ws/security/alice.properties"/>
            <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
        </map>
    </constructor-arg>
</bean>
On Apr 14, 2008, at 2:51 AM, adam_j_bradley wrote:
Fred,
Thanks for the tip. Forgive me (I'm most likely wrong!) but that looked like
a Username token not an X.509 token request. I've been digging around in
http://xfire.codehaus.org/WS-Security but I can't see any wisdom there.
Anything else?
:)
Sincerely,
Ada
Fred Dushin-3 wrote:
All I can recommend is that you have a look at the WS-Security system
test in CXF:
http://svn.apache.org/repos/asf/incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/
It's based loosely off a WS-Security interoperability scenario with
WCF, and uses signature with the DirectReference method, which will
send the client's X.509 certificate directly in the SOAP header.
--
View this message in context:
http://www.nabble.com/Q%3A-WS-Security-X.509-Certificate-Token-Profile-tp16656740p16671272.html
Sent from the cxf-user mailing list archive at Nabble.com.
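
An added illustration (not from the thread or from the CXF test suite) of the distinction discussed above between a Username token and an X.509 token sent by direct reference: it inspects a SOAP Security header and reports which token kinds it carries and how the signature's KeyInfo points at its key. The sample envelope, the function name and the returned labels are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample: the token body is a placeholder, not a real certificate.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:ds="{NS['ds']}" xmlns:wsu="{WSU}">
  <soap:Header><wsse:Security>
    <wsse:BinarySecurityToken wsu:Id="CertId-1" ValueType="{X509V3}">PLACEHOLDER</wsse:BinarySecurityToken>
    <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
      <wsse:Reference URI="#CertId-1" ValueType="{X509V3}"/>
    </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def describe_security_header(envelope_xml):
    """Return (token kinds present, how the signature references its key)."""
    # Use a hardened parser (e.g. defusedxml) for untrusted captures.
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return [], None
    kinds = []
    if sec.find("wsse:UsernameToken", NS) is not None:
        kinds.append("UsernameToken")
    certs = {t.get(f"{{{WSU}}}Id") for t in sec.findall("wsse:BinarySecurityToken", NS)
             if t.get("ValueType") == X509V3}
    if certs:
        kinds.append("X509v3")
    ref_holder = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    style = None
    if ref_holder is not None:
        ref = ref_holder.find("wsse:Reference", NS)
        if ref is not None:
            # Direct reference: URI is a fragment pointing at a token in this header.
            ok = ref.get("URI", "").lstrip("#") in certs
            style = "DirectReference" if ok else "DirectReference (dangling)"
        elif ref_holder.find("wsse:KeyIdentifier", NS) is not None:
            style = "KeyIdentifier"
        elif ref_holder.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
            style = "IssuerSerial"
    return kinds, style
```

A header that carries only a UsernameToken comes back with no key reference style, which is the difference the question above is asking about.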