I've done some basic testing and setup with X.509 certificates, but I have a
few requirements that I'm trying to figure out how I could implement.
1) I want to be able to accept a signed (not encrypted) message without
having the public key in my keystore prior to someone calling me.
I have a service available that I can go and get all the public keys for
anyone, but I want to do that on demand, so that I don't have to maintain a
local key store. How could one go about doing this?
2) Then of course I need to check a revocation list, so I'm assuming I could
just use an interceptor to go and check that? Or?
3) Then the question comes to authorization (since I've already done the
above to validate that I know who they are). Should this be done in a
separate interceptor? I am talking about authorizing at the per-service
layer or operation, not at the whole application.
How early should I try to do this? I think I was able to get what the user
is doing on what interface:
QName op = (QName) message.get(Message.WSDL_OPERATION);    // operation being invoked
QName intf = (QName) message.get(Message.WSDL_INTERFACE);  // port type it belongs to
and who the user is:
// ignore the ugly code
import java.util.Vector;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

// results left on the message by the WSS4J in-interceptor
Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
WSSecurityEngineResult r = (WSSecurityEngineResult) ((WSHandlerResult) v.get(0)).getResults().get(0);
WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal) r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
Then I could take the user and what they are doing and validate that they
are authorized for that operation.
Right now I tried this at Phase.USER_LOGICAL and it seems to work; is
this the right place for that?
If anyone has had to do anything like this and has sample code, I'd
appreciate it.
Cole
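The per-operation authorization interceptor described in question 3, written out as an added example (this is not Cole's code and not part of CXF or WSS4J). It assumes CXF 2.x with a WSS4JInInterceptor already configured on the endpoint (that is what populates WSHandlerConstants.RECV_RESULTS), the WSS4J 1.x package names used in the post, and a constructed in-memory allow-list with the hypothetical users "alice" and "bob"; a real deployment would back isAllowed() with whatever policy store it has. It denies by default when either the principal or the resolved operation is missing, and it accepts any java.security.Principal rather than only WSUsernameTokenPrincipal, so a signature's X.500 principal from an X.509-signed message is handled by the same path.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

// Added example: authorizes the already-authenticated caller per WSDL operation.
public class OperationAuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {

    // Constructed allow-list (assumption): principal name -> operation local names it may call.
    private final Map<String, Set<String>> allowed = new HashMap<String, Set<String>>();

    public OperationAuthorizationInterceptor() {
        // USER_LOGICAL runs after the WSS4J (PRE_PROTOCOL) and unmarshalling interceptors,
        // so both the principal and Message.WSDL_OPERATION are already populated here.
        super(Phase.USER_LOGICAL);
        allowed.put("alice", new HashSet<String>(Arrays.asList("getQuote", "listAccounts")));
        allowed.put("bob", new HashSet<String>(Arrays.asList("getQuote")));
    }

    public void handleMessage(Message message) throws Fault {
        QName operation = (QName) message.get(Message.WSDL_OPERATION);
        Principal principal = firstPrincipal(message);
        if (operation == null || principal == null) {
            // Deny by default: no authenticated caller, or the operation could not be resolved.
            throw new Fault(new SecurityException("unauthenticated or unresolved request"));
        }
        if (!isAllowed(principal.getName(), operation.getLocalPart())) {
            throw new Fault(new SecurityException(principal.getName()
                    + " is not authorized for operation " + operation));
        }
    }

    // The policy decision, kept separate so it can be unit-tested and later backed by a real store.
    boolean isAllowed(String user, String operationLocalName) {
        Set<String> ops = allowed.get(user);
        return ops != null && ops.contains(operationLocalName);
    }

    // Walks every WSS4J result on the message and returns the first principal found
    // (an X.500 principal from a signature, or a UsernameToken principal).
    @SuppressWarnings("unchecked")
    static Principal firstPrincipal(Message message) {
        // WSS4J 1.5 stores a Vector here and 1.6 a List; Vector implements List, so this cast covers both.
        List<WSHandlerResult> handlerResults =
                (List<WSHandlerResult>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            return null;
        }
        for (WSHandlerResult hr : handlerResults) {
            for (Object o : hr.getResults()) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) o;
                Object p = r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
                if (p instanceof Principal) {
                    return (Principal) p;
                }
            }
        }
        return null;
    }
}
```

Register it on the endpoint after the WSS4J interceptor, for example with `endpoint.getInInterceptors().add(new OperationAuthorizationInterceptor());` or in the `<jaxws:inInterceptors>` list of the Spring configuration. Because it throws a Fault, an unauthorized call is answered with a SOAP fault before the service implementation is ever invoked, which is the point of doing the check in an interceptor rather than inside each operation.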