Hello, I, too, am interested in intelligent ways to implement this solution and so am interested in any feedback on this. We recently implemented something similar and I've got an axe to grind. 2-way SSL is a bit of an annoyance as it's really out-of-band with the web service. CXF has essentially no role to play (aside from the fact that I configured 2-way ssl in cxf.xml), so the certificates used for client authentication must be separately accessed if you want to include something from that in the message. In our case, we were able to extract the DN from the client SSL certificate on the server side and then do a look-up with that DN for authorization of the particular action. But that's a mess. Depending on how requirement-y your requirements are, it feels like a better solution is to use 1-way SSL to secure the channel and then use WSS to identify the individual call inside the ssl connection. This has the advantage of putting all authentication and authorization inside the message and relying on SSL only to secure the transport channel. It should probably be noted that these are all essentially in pursuit of a stateless solution where every message is individually authorized, as opposed to a solution that implements some sort of a login (which is how I used to operate in the XFire world).
Given all that, I'd be interested in hearing the opinion of someone who knows what they're talking about. Best, Nate -----Original Message----- From: forda [mailto:[email protected]] Sent: Tuesday, December 01, 2009 2:36 AM To: [email protected] Subject: SSL with mutual authentication for system and propagating username in same call Hi ! I am designing a security solution ordered from the Security architect for a customer i work for. The requirement is to use a two-way ssl handshake in order indentify/authenticate system access to webservices. Except the authentication of the system against CA Certificate, authorization map is needed to determine which systems have access to which services. The systems enduser must also be propagated in the call for auditing logging purposes. The infrastructure used is Apache webbserver 2.2.X, Tomcat 6, Private CA and CXF 2.2.4 of course. In order to make this to work there are a number of options to accomplish the same thing. Therefore i just want to discuss the solution with you here at the forum, to achieve the other opions and knowledge than my own. *Certificates generated by private CA *HTTPConduit can be used to establish the two-way ssl handshake with use of client-certificate used in conjunction with jaxws-client. Is there a way to add the system identity to the Principal object along with the username which indentifies the user ? One option would be to use X509 Token Profile or CLIENT-CERT authentication or ? *Customized authorization based on client-certificates subject dn, map against the service/-es. ? Any built in support for this? *WSS Security, wit WSS4j to accomplish propagation if the username, no need for authentication, though include the username in the Principal in the webservicecontext. Does the WSS4J interceptor put the username in the Principal object on the Webservicecontext which is injected with @Resource annotation ? If not, howto ? Thanks in advance. Regards, Daniel -- View this message in context: http://old.nabble.com/SSL-with-mutual-authentication-for-system-and-prop agating-username-in-same-call-tp26587711p26587711.html Sent from the cxf-user mailing list archive at Nabble.com.
