Hi Dan and Dan
I think the attribute names may be slightly different to the ones mentioned
below - looking at the code in SSLUtils.java propagateSecureSession they seem
to be
"javax.servlet.request.cipher_suite" and
"javax.servlet.request.X509Certificate".
Or, if you feel like going the interceptor route, the code would look something
like this (though you will need to add code to distinguish between the client's own
certificate and the client's own certificate's CA chain)
....
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

public class TestInterceptor extends AbstractPhaseInterceptor<Message> {
    public TestInterceptor() {
        super(Phase.RECEIVE);
    }

    public void handleMessage(Message message) throws Fault {
        // TLSSessionInfo is only set on the message for an HTTPS connection
        TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
        if (tlsSessionInfo == null) {
            return;
        }
        // peer certificates are null when the client did not authenticate
        Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
        if (peerCerts == null) {
            return;
        }
        // the client's own certificate comes first, followed by its CA chain
        for (int i = 0; i < peerCerts.length; i++) {
            X509Certificate x509certificate = (X509Certificate) peerCerts[i];
            System.out.println("x509certificate " + x509certificate.getSubjectDN());
        }
    }
}
The output would look like:
x509certificate CN=bob, OU=eng, O=mycompany.com
x509certificate CN=trent, OU=eng, O=mycompany.com
Regs
Eamonn
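Building on the interceptor above, this is an added example (my code, not Eamonn's or CXF's) that treats the first peer certificate as the client's own certificate and the rest of the array as its CA chain, which is the order both the JSSE and Servlet APIs hand the chain over in, and then authorizes on that certificate's subject DN. The allow-list contents and the "caller.subject" property key are assumptions.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

/** Authorizes the caller by the subject DN of its TLS client certificate. */
public class ClientCertAuthzInterceptor extends AbstractPhaseInterceptor<Message> {
    // Assumed allow list of subject DNs, in RFC 2253 string form (no spaces after commas).
    private final Set<String> allowedSubjects =
        Collections.singleton("CN=bob,OU=eng,O=mycompany.com");

    public ClientCertAuthzInterceptor() {
        super(Phase.RECEIVE);
    }

    /** Returns the client's own (end-entity) certificate, or null if it sent none. */
    static X509Certificate endEntityCert(TLSSessionInfo tls) {
        if (tls == null) {
            return null; // plain HTTP: no TLS session on this message
        }
        Certificate[] chain = tls.getPeerCertificates();
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return null; // HTTPS without client authentication
        }
        // Element 0 is the peer's own certificate; elements 1..n are its CA chain.
        return (X509Certificate) chain[0];
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        X509Certificate cert = endEntityCert(message.get(TLSSessionInfo.class));
        if (cert == null) {
            throw new Fault(new SecurityException("client certificate required"));
        }
        // RFC 2253 form, so differences in how the DN is printed cannot slip past the list.
        String subject = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        if (!allowedSubjects.contains(subject)) {
            throw new Fault(new SecurityException("caller not authorized: " + subject));
        }
        message.put("caller.subject", subject); // assumed property key the service reads back
    }
}
```

Rejecting in the RECEIVE phase means an unauthorized caller never reaches the service implementation, and the service can read the verified subject back from the message instead of re-parsing the certificate.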
> From: [email protected]
> To: [email protected]
> Subject: Re: Determining Caller's Identity
> Date: Wed, 19 Aug 2009 13:53:49 -0400
> CC: [email protected]
>
> On Wed August 19 2009 1:20:25 pm Stephen Langella wrote:
> > Josef,
> >
> > I tried what you suggested but context.getUserPrincipal() returned
> > null. Keep in mind I am using X.509 client certificates to authenticate
> > with the server, I am trying to get the subject DN from the clients
> > certificate as opposed to a basic authentication user id. Is this
> > supported or am I doing something wrong? In Googling around I found a
> > JIRA issue related to this and it is not clear whether or not what I am
> > trying to do is supported:
> >
> > https://issues.apache.org/jira/browse/CXF-1680
>
> That had to do with X509 things within a WS-Security secured message, not
> really using certs for SSL/https. For https, what you probably need to do is
> pull the HttpServletRequest out of the context
> (context.get(MessageContext.SERVLET_REQUEST)) and then use the
> HttpServletRequest.getAttribute(...) call to retrieve the various HTTPS
> attributes. "javax.net.ssl.peer_certificates" and
> "javax.net.ssl.cipher_suite" and such.
>
> Dan
>
>
> >
> > I would appreciate if someone would comment, thanks in advance.
> >
> > --Steve
> >
> > Stephen Langella
> > Co-Director
> > Software Research Institute
> > Center for IT Innovations in Healthcare
> > Ohio State University
> >
> > Senior Researcher
> > Department of Biomedical Informatics
> > Ohio State University
> >
> > Office: (614) 293-9534
> > Lab: (614) 292-8420
> > [email protected]
> >
> > > From: Josef Bajada <[email protected]>
> > > Reply-To: <[email protected]>
> > > Date: Wed, 19 Aug 2009 15:03:05 +0200
> > > To: <[email protected]>
> > > Subject: RE: Determining Caller's Identity
> > >
> > > If you use the servlet container's authentication and transport security
> > > methods (through WEB-INF/web.xml) to force authentication (such as HTTP
> > > BASIC Auth over HTTPS), you can simply put the following line in your
> > > service implementation class.
> > >
> > >
> > > import javax.annotation.Resource;
> > > import javax.xml.ws.WebServiceContext;
> > >
> > > /**
> > >  * The web-service context will be automatically injected by the
> > >  * JAX-WS Container.
> > >  */
> > > @Resource
> > > private WebServiceContext context;
> > >
> > > // in your methods where you need to check the caller:
> > > if (context.getUserPrincipal() != null) {
> > >     log.info(context.getUserPrincipal().getName() + ":: just called our methods");
> > > }
> > >
> > > Regards,
> > > Josef
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Eamonn Dwyer [mailto:[email protected]]
> > > Sent: 19 August 2009 12:57
> > > To: [email protected]
> > > Subject: RE: Determining Caller's Identity
> > >
> > >
> > > Hi Stephen
> > > Not quite what you want but maybe you could do something like this
> > > inside an interceptor rather than inside your service.
> > >
> > > // the transport stores the TLS session details on the message
> > > TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
> > > Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
> > > ... check the peer certificates and authorize based on this
> > >
> > > Regards
> > > Eamonn
> > >
> > >> From: [email protected]
> > >> To: [email protected]
> > >> Subject: Determining Caller's Identity
> > >> Date: Tue, 18 Aug 2009 14:37:12 -0400
> > >>
> > >> I have written an Apache CXF Web Service (WSDL First), inside the
> > >> service I want to enforce authorization based on the identity of the
> > >> client that called the service. I wanted to know if there was an API
> > >> call I can make from the service implementation to obtain the client
> > >> identity. For example if the client authenticates over HTTPS with a
> > >> client certificate.
> > >>
> > >> --Steve
> > >>
> > >> Stephen Langella
> > >> Co-Founder
> > >> Inventrio, LLC
> > >> www.inventrio.com
> > >>
> > >> [email protected]
> > >
>
> --
> Daniel Kulp
> [email protected]
> http://www.dankulp.com/blog