On Tue, Aug 19, 2008 at 3:08 AM, Glen Mazza <[EMAIL PROTECTED]> wrote:
>
> You can as an additional safeguard, but so long as you are encrypting and
> signing, I believe that's redundant (and computationally expensive). I
> would check your Wireshark results with and without SSL to see the
> difference--see bottom of this link:
> http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the .
>

I know that this may be viewed as redundant, but the software I'm creating is supposed to be as secure as possible, so it's not my decision.

> I don't believe the service uses the alias name--there are actually multiple
> key reference mechanisms available in the SOAP request--Subject Key
> Identifier, Thumbprint, Issuer, etc.:
> http://www.jroller.com/gmazza/entry/using_openssl_to_create_certificates
> (openssl is needed by Metro only, not CXF, btw). If you look at the
> WSS4J-encrypted SOAP request (see bottom of above link again--do this before
> you encrypt via SSL), you'll see the reference mechanism used by WSS4J.
> Incidentally, the reference mechanism used by default with WSS4J may or may
> not be optimal...I have not researched that enough yet.
>
> The most important thing is that the client's public key is imported into
> the WSS4J-defined truststore of the web service (*not* the JEE server's
> truststore). See step #6, servicekeystore.properties at the link at the top.
>

Based on your additional remarks I managed to turn on SSL communication. However, there is one more issue. The only configuration that works is the following:

- web application with CXFServlet under Glassfish with no security limitations (no <login-config> element)
- client authentication in the HTTP Listener for SSL in Glassfish turned off
- http:conduit properly configured in the web service client.

Any other configuration is not working. There is one problem - with the above configuration I have SSL with server authentication only. I would also like to have client (web service client) authentication. I tried to define security settings (see below) in web.xml, but then I get a SOAP Exception. The connection is broken somewhere in between.

web.xml extract:

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web Service</web-resource-name>
      <url-pattern>/services/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>TheRoleName</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

I guess that http:conduit is not able to present some certificate to the server in order to authenticate itself. The certificate is naturally stored in the keystore/truststore the http:conduit is working with. Do you have any ideas what may cause the broken connection?

Regards,
--
Łukasz Pijanowski
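The client-side piece that decides whether the conduit can present a certificate at all is the keyManagers element of http:tlsClientParameters; below is an added example of such a configuration (not from the original thread and not CXF's own documentation), in Spring-style CXF client config. The keystore file names, passwords and the wildcard conduit name are placeholders.

```xml
<!-- Added example, not the poster's or CXF's own configuration.
     File names, passwords and the conduit name are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- "*.http-conduit" matches every conduit in this client; use
       "{namespace}PortName.http-conduit" to target a single port. -->
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters>

      <!-- keyManagers is what makes the client send a certificate during the
           TLS handshake: this keystore holds the client's private key and
           certificate, and the server's trust store must contain its issuer.
           Without this element the client can only do server authentication. -->
      <sec:keyManagers keyPassword="CLIENT_KEY_PASSWORD_PLACEHOLDER">
        <sec:keyStore type="JKS"
                      password="CLIENT_KEYSTORE_PASSWORD_PLACEHOLDER"
                      file="client-keystore.jks"/>
      </sec:keyManagers>

      <!-- trustManagers decides which server certificates this client accepts
           (server authentication, the part that already works above). -->
      <sec:trustManagers>
        <sec:keyStore type="JKS"
                      password="CLIENT_TRUSTSTORE_PASSWORD_PLACEHOLDER"
                      file="client-truststore.jks"/>
      </sec:trustManagers>

    </http:tlsClientParameters>
  </http:conduit>
</beans>
```

A conduit with only trustManagers configured completes the handshake only against a listener that does not require client certificates, which matches the symptom that the connection works solely with client authentication turned off on the Glassfish listener.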
