On Wed December 2 2009 6:36:11 pm Cole Ferrier wrote:
> I've done some basic testing and setup with x509 certificates, but i have a
> few requirements that i'm trying to figure out how i could implement.
> 
> 1) I want to be able to accept a signed (not encrypted) message without
> having the public key in my keystore prior to someone calling me.
> I have a service available that i can go and get all the public keys for
> anyone, but i want to do that on demand, so that i don't have to maintain a
> local key store. How could one go about doing this?

This PROBABLY should be redirected to the WSS4J list.   I THINK the only way 
to do this would be to write your own 
org.apache.ws.security.components.crypto.Crypto

object that implements all the needed methods.   That's the class that WSS4J 
uses to handle all the key manipulation and such.   You would set your 
classname in the properties file instead of the Merlin version.   


> 2) Then of course i need to check a revocation list, so i'm assuming i
>  could just use an interceptor to go and check that? or??

An interceptor could work here.   Alternatively, the Crypto object you create 
above could just throw an exception if a revoked cert is asked for.


> 3) then the question comes to authorization, (since i've already done the
> above to validate that i know who they are.. ) Should this be done in a
> separate interceptor? I am talking i want to authorize at the per service
> layer or operation, not at the whole application..
>  How early should i try to do this.. i think i was able to get what the
>  user is doing on what interface
> message.get(Message.WSDL_OPERATION)
> message.get(Message.WSDL_INTERFACE)
> and who the user is:
> //ignore the ugly code
> Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
> WSSecurityEngineResult r =
>     (WSSecurityEngineResult) ((WSHandlerResult) v.get(0)).getResults().get(0);
> WSUsernameTokenPrincipal p =
>     (WSUsernameTokenPrincipal) r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
> 
> then i could take the user and what they are doing and validate that they
> are authorized for that operation.
> 
> Right now i tried this at the Phase.USER_LOGICAL and it seems to work, is
> this the right place for that?

Yep.   You can simplify a bit by doing:

SecurityContext sc = msg.get(SecurityContext.class);
Principal p = sc.getUserPrincipal();



> If anyone has had to do anything like this and has sample code, i'd
> appreciate it.
> 
> Cole
> 

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
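The per-operation authorization interceptor discussed in point 3, written out as an added example; it is not code from this thread or from the CXF project. It assumes WSS4J has already populated the CXF SecurityContext (the same assumption Dan's two-line snippet makes), that Message.WSDL_OPERATION holds the operation QName, and that a hypothetical role table (operation name to permitted roles) is supplied at construction time. Everything else is standard CXF API: AbstractPhaseInterceptor, Phase.USER_LOGICAL, SecurityContext.getUserPrincipal() and isUserInRole().

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/**
 * Added example (not from the thread): a CXF inbound interceptor that
 * authorizes the caller per WSDL operation in Phase.USER_LOGICAL, after
 * WSS4J has authenticated the signature and set up the SecurityContext.
 */
public class OperationAuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {

    // Hypothetical policy table: operation local name -> roles allowed to call it.
    // A real deployment would load this from configuration rather than hard-code it.
    private final Map<String, Set<String>> allowedRoles;

    public OperationAuthorizationInterceptor(Map<String, Set<String>> allowedRoles) {
        super(Phase.USER_LOGICAL);
        this.allowedRoles = allowedRoles;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Same lookup Dan suggests instead of digging through WSHandlerResult vectors.
        SecurityContext sc = message.get(SecurityContext.class);
        Principal user = (sc == null) ? null : sc.getUserPrincipal();
        if (user == null) {
            // No identity was established by the security layer: refuse rather than
            // letting an unauthenticated call fall through to the service.
            throw new Fault(new SecurityException("No authenticated principal on message"));
        }

        // Which operation is being invoked on which interface.
        QName operation = (QName) message.get(Message.WSDL_OPERATION);
        QName iface = (QName) message.get(Message.WSDL_INTERFACE);
        String opName = (operation == null) ? null : operation.getLocalPart();

        if (opName == null || !isAllowed(sc, opName)) {
            throw new Fault(new SecurityException("User " + user.getName()
                + " is not authorized for operation " + opName
                + " on interface " + iface));
        }
    }

    /**
     * Default-deny: an operation with no entry in the table is never allowed,
     * so adding a new operation to the WSDL cannot silently open it up.
     */
    boolean isAllowed(SecurityContext sc, String opName) {
        Set<String> roles = allowedRoles.getOrDefault(opName, Collections.emptySet());
        for (String role : roles) {
            if (sc.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

Register it as an inInterceptor on the endpoint (after the WSS4J inbound interceptor, which runs in an earlier phase), and pass a map such as {"getAccount" -> {"reader", "admin"}, "closeAccount" -> {"admin"}}. The default-deny lookup in isAllowed is the part worth keeping even if the rest is adapted: a missing table entry fails closed.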