Hi again

A quick check of the code and docs yielded the following that "may" work but I haven't checked it myself...

You can look at how to get access to your HTTPConduit object from
http://cwiki.apache.org/confluence/display/CXF20DOC/Client+HTTP+Transport+(including+SSL+support)

then you can call

    TLSClientParameters tlsCP = httpConduit.getTlsClientParameters();
    KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
    tlsCP.setKeyManagers(myKeyManagers);
    ...

    KeyManager[] getKeyManagers(KeyStore keyStore, String keyPassword)
            throws GeneralSecurityException, IOException {
        // For tests, we just use the default algorithm
        String alg = KeyManagerFactory.getDefaultAlgorithm();
        char[] keyPass = keyPassword != null ? keyPassword.toCharArray() : null;
        // For tests, we just use the default provider.
        KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
        fac.init(keyStore, keyPass);
        return fac.getKeyManagers();
    }

Hope this helps
Eamonn

-----Original Message-----
From: Eamonn Dwyer [mailto:[email protected]]
Sent: 27 May 2009 10:22
To: [email protected]
Subject: RE: AW: Send X509Certificate with request

Hi Michael,

(I guess this depends on the outcome of the thread started by Mary about whether TLS sends a client certificate or not, but if I'm correct and it does, the following should be relevant.)

Off the top of my head I can't think of any way to set it programmatically (I'll have a look now to see if I can see any way) but, in the meantime, is there a chance your use case allows you to simply configure the client certificate in Spring config? For example

    <http:conduit name="{http://me.com/greeter}TestPort.http-conduit">
      <http:tlsClientParameters>
        <cxfsec:keyManagers keyPassword="password">
          <cxfsec:keyStore type="jks" resource="keys/claire.jks" password="password"/>
        </cxfsec:keyManagers>
        <cxfsec:trustManagers>
          <cxfsec:certStore resource="keys/trent-cert.pem"/>
        </cxfsec:trustManagers>
      </http:tlsClientParameters>
    </http:conduit>

In the above example your client would automatically send the certificate in claire.jks to the server when the server is configured to require it. In particular it will send it to the TestPort. You can configure your client to send different certificates to different endpoints within the server.

Hope this helps
Eamonn

-----Original Message-----
From: Michael Szalay [mailto:[email protected]]
Sent: 26 May 2009 10:48
To: [email protected]
Subject: AW: AW: Send X509Certificate with request

Hi

yes, that's what I was looking for. It's just the TLS authentication...
Is there a programmatic way to set that property you mentioned to a client to send a specific certificate?

Regards
Michael

-----Original Message-----
From: Eamonn Dwyer [mailto:[email protected]]
Sent: Tuesday, 26 May 2009 11:42
To: [email protected]
Subject: RE: AW: Send X509Certificate with request

Hi Michael

I'm just getting back to your original question: does the authentication have to be done "above" the transport, or could you just let the TLS mutual authentication mechanism do the work for you?

For example, just setting the following on the endpoint's tlsServerParameters configuration would force the client to present a certificate to the service for authentication

    <cxfsec:clientAuthentication want="true" required="true"/>

Regards,
Eamonn

-----Original Message-----
From: Mayank Mishra [mailto:[email protected]]
Sent: 25 May 2009 12:51
To: [email protected]
Subject: Re: AW: Send X509Certificate with request

Hi Michael,

I remember one way to send the public key certificate with your request from client to server. There is a "DirectReference" KeyIdentifier for the Signature operation (set the "signatureKeyIdentifier" property to "DirectReference"). If we use this, your certificate is included as a BinarySecurityToken (BST) in the message and a direct reference to this BST is used. But at the receiving side (say on the server) you have to manually tweak the code of WSS4J to extract the certificate yourself.

With Regards,
Mayank

On Wed, May 20, 2009 at 8:58 PM, Daniel Kulp <[email protected]> wrote:
> On Wed May 20 2009 9:32:34 am Tom wrote:
> > AFAIK you do not add a certificate to the request, the request only is
> > signed. Certificates are added to the keystores on each side, so the
> > signature can be created / verified.
>
> Not ALWAYS true. If the WS-SecurityPolicy specifies a KeyValueToken as a
> token type, then the Security engine would output an RSAKeyValue key in the
> security header which WOULD be the full key. That key can then be used to
> sign the message, encrypt, etc.... Not really "secure", but useful for an
> endorsing mechanism.
>
> On the receiving side, you WOULD need to write a callback handler to validate
> the key. By default, WSS4J will reject the key as it won't know whether to
> trust it or not.
>
> Dan
>
> > Tom
> >
> > Michael Szalay wrote:
> > > Thanks for the link. But the document describes the signing of the
> > > request, not adding a certificate to the http request for mutual
> > > authentication, right?
> > >
> > > Regards
> > >
> > > Michael
> > >
> > > -----Original Message-----
> > > From: Glen Mazza [mailto:[email protected]]
> > > Sent: Wednesday, 20 May 2009 15:19
> > > To: [email protected]
> > > Subject: Re: Send X509Certificate with request
> > >
> > > http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the?
> > >
> > > HTH,
> > > Glen
> > >
> > > mszalay wrote:
> > >> Hi all
> > >>
> > >> I have a question using Apache CXF as a client for a web service.
> > >> I would like to send a certificate within the request for mutual
> > >> authentication.
> > >>
> > >> How can I programmatically add a certificate to the request?
> > >> I looked for a method like TLSClientParameters.addCertificate but
> > >> I have not found something like that.
> > >>
> > >> Regards
> > >>
> > >> Michael
>
> --
> Daniel Kulp
> [email protected]
> http://www.dankulp.com/blog
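The thread above ends with two halves of the answer: a server that sets clientAuthentication required="true", and a client whose TLSClientParameters carry a KeyManager for the certificate it should present. The block below is an added example, not code posted in the thread or shipped by CXF, that puts the client half together programmatically, the equivalent of the Spring <http:tlsClientParameters> fragment shown earlier: it fetches the HTTPConduit from a JAX-WS proxy, creates the TLSClientParameters when none were configured (getTlsClientParameters() returns null in that case), installs key managers for the client identity and trust managers for the server's CA, and pins a certificate alias so the right entry is sent when the keystore holds several. The keystore paths, passwords and the alias are assumptions; the proxy object is assumed to have been created from the generated service class elsewhere.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Locale;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Programmatic mutual-TLS setup for one CXF client proxy.
 * Added example; not code from the mailing-list thread or from CXF.
 * File names, passwords and the alias passed in are assumptions.
 */
public final class MutualTlsClientConfig {

    private MutualTlsClientConfig() {
    }

    /**
     * Call this before the first invocation on the proxy: the conduit reads its
     * TLS parameters when it opens the connection, not when the proxy is built.
     */
    public static void enableClientCertificate(Object jaxwsProxy,
                                               String keyStorePath, char[] keyStorePassword,
                                               char[] keyPassword, String certAlias,
                                               String trustStorePath, char[] trustStorePassword)
            throws GeneralSecurityException, IOException {

        Client client = ClientProxy.getClient(jaxwsProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        // Without an <http:conduit> in Spring there are no TLS parameters yet.
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            tls = new TLSClientParameters();
            conduit.setTlsClientParameters(tls);
        }

        // Identity: private key + chain presented when the server demands client auth.
        KeyStore identity = loadKeyStore(keyStorePath, keyStorePassword);
        tls.setKeyManagers(buildKeyManagers(identity, keyPassword));
        if (certAlias != null) {
            // Several key entries in the store: pin the one to present rather than
            // letting the default X509KeyManager pick.
            tls.setCertAlias(certAlias);
        }

        // Trust: which CA / server certificates this client accepts
        // (the code equivalent of <cxfsec:trustManagers>).
        KeyStore trust = loadKeyStore(trustStorePath, trustStorePassword);
        tls.setTrustManagers(buildTrustManagers(trust));

        // Keep hostname verification on; disabling it lets any holder of a
        // trusted certificate impersonate the server.
        tls.setDisableCNCheck(false);
    }

    /** Loads a JKS or PKCS12 store, choosing the type from the file extension. */
    static KeyStore loadKeyStore(String path, char[] password)
            throws GeneralSecurityException, IOException {
        String lower = path.toLowerCase(Locale.ROOT);
        String type = (lower.endsWith(".p12") || lower.endsWith(".pfx")) ? "PKCS12" : "JKS";
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Same construction as the getKeyManagers() helper posted in the thread. */
    static KeyManager[] buildKeyManagers(KeyStore ks, char[] keyPassword)
            throws GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        return kmf.getKeyManagers();
    }

    static TrustManager[] buildTrustManagers(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }
}
```

Usage, with the same assumed file names as the Spring example: `MutualTlsClientConfig.enableClientCertificate(greeterPort, "keys/claire.jks", "password".toCharArray(), "password".toCharArray(), "claire", "keys/truststore.jks", "password".toCharArray());`, where greeterPort is the proxy returned by the generated service's getPort(). Because TLSClientParameters live on the conduit and each client proxy has its own conduit, presenting different certificates to different endpoints is a matter of calling this once per proxy with a different keystore or alias, which is the programmatic form of the per-port <http:conduit name="..."> configuration described earlier in the thread.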
