Hi ! I am designing a security solution ordered from the Security architect for a customer i work for. The requirement is to use a two-way ssl handshake in order indentify/authenticate system access to webservices. Except the authentication of the system against CA Certificate, authorization map is needed to determine which systems have access to which services.
The systems enduser must also be propagated in the call for auditing logging purposes. The infrastructure used is Apache webbserver 2.2.X, Tomcat 6, Private CA and CXF 2.2.4 of course. In order to make this to work there are a number of options to accomplish the same thing. Therefore i just want to discuss the solution with you here at the forum, to achieve the other opions and knowledge than my own. *Certificates generated by private CA *HTTPConduit can be used to establish the two-way ssl handshake with use of client-certificate used in conjunction with jaxws-client. Is there a way to add the system identity to the Principal object along with the username which indentifies the user ? One option would be to use X509 Token Profile or CLIENT-CERT authentication or ? *Customized authorization based on client-certificates subject dn, map against the service/-es. ? Any built in support for this? *WSS Security, wit WSS4j to accomplish propagation if the username, no need for authentication, though include the username in the Principal in the webservicecontext. Does the WSS4J interceptor put the username in the Principal object on the Webservicecontext which is injected with @Resource annotation ? If not, howto ? Thanks in advance. Regards, Daniel -- View this message in context: http://old.nabble.com/SSL-with-mutual-authentication-for-system-and-propagating-username-in-same-call-tp26587711p26587711.html Sent from the cxf-user mailing list archive at Nabble.com.
