The WSS4J Handler configuration properties WSHandlerConstants#USE_REQ_SIG_CERT and WSHandlerConstants#ENCRYPTION_USER might be what you are looking for.
http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#ENCRYPTION_USER
http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#USE_REQ_SIG_CERT

-----Original Message-----
From: Johan Edstrom [mailto:[email protected]] On Behalf Of Johan Edstrom
Sent: Friday, March 05, 2010 10:41 AM
To: [email protected]
Subject: Re: WS-Security Encryption/Decryption Advice

Did you look at the testcases for this? I think there is a wibble client and a cherry server. It also has shell files to create the certs and such.

On Mar 4, 2010, at 7:01 PM, Sebastian Krueger wrote:

> Hi guys,
>
> I'm currently developing a secure webservices scenario using Apache CXF/WSS4J.
>
> We require all messages to be signed and encrypted. This includes both messages to and from the server.
>
> I have gone through all the WS-Security examples in the Apache CXF Samples directory and have been able to get most of this functionality going. However, I can't seem to figure out how to encrypt messages going back to the client, using the public certificate that is provided in the inbound message's SOAP Header.
>
> To expand on this, the following is how it should work:
>
> 1. Client uses private key to generate signature and puts their public certificate into the SOAP Header
> 2. Client uses server's public key to encrypt message
> 3. Client sends message to server
>
> 4. Server decrypts message with server's private key
> 5. Server extracts client's public certificate from SOAP Header and verifies validity with CA's public key
> 6. Server uses client's public certificate from SOAP Header to verify signature
>
> 7. Server generates response message
>
> 8. Server uses private key to generate signature and puts their public certificate into the SOAP Header
> 9. Server uses client's public certificate (from inbound SOAP Header) to encrypt the signed message
> 10. Server sends message to client
>
> 11. Client decrypts message with their private key
> 12. Client extracts server's public certificate from SOAP Header and verifies validity with CA's public key
> 13. Client uses signing certificate from SOAP Header to verify signature
>
> I have got most of this already working.
>
> However, how to do step 9 is not clear to me and I am seeking some advice on how to do this.
>
> My existing implementation uses the following applicationContext.xml files:
>
> Client: http://pastebin.com/DQJadG7p
>
> Server: http://pastebin.com/cu3gVxSu
>
> Thanks for your help!
>
> Regards, sebastian.

Johan Edstrom
[email protected]

They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
Benjamin Franklin, Historical Review of Pennsylvania, 1759
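The following server-side Spring configuration is an added illustration of the answer at the top of the thread; it is not taken from the thread or from either pastebin, and it is not CXF's or WSS4J's own sample code. It shows how the two constants named there map onto WSS4J handler property keys (`encryptionUser` with the value `useReqSigCert`) on the server's outbound interceptor, covering step 9 of the flow described above. The interceptor class names and the WSS4J property keys are real; the property-file names, the password callback class, the key alias and the endpoint implementor/address are placeholders that would be replaced with the deployment's own values.

```xml
<!-- Added example (not from the thread): CXF 2.x / WSS4J 1.5 server endpoint.
     Placeholders: server-keystore.properties, server-truststore.properties,
     com.example.ServerPasswordCallback, alias "serverkey", GreeterImpl, /Greeter. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

  <!-- Inbound (steps 4-6): decrypt with the server's private key, then verify the
       signature. The client's certificate carried in the SOAP header is checked
       against the CA in the truststore referenced by signaturePropFile. -->
  <bean id="wss4jIn" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
      <map>
        <!-- Both actions are required: a request that is not signed is rejected,
             so the outbound side never has to answer a caller it did not verify. -->
        <entry key="action" value="Encrypt Signature"/>
        <entry key="decryptionPropFile" value="server-keystore.properties"/>
        <entry key="signaturePropFile" value="server-truststore.properties"/>
        <entry key="passwordCallbackClass" value="com.example.ServerPasswordCallback"/>
      </map>
    </constructor-arg>
  </bean>

  <!-- Outbound (steps 8-9): sign with the server's key, attach the server certificate
       as a BinarySecurityToken (DirectReference), and encrypt for the client.
       encryptionUser=useReqSigCert makes WSS4J encrypt with the certificate that
       signed the inbound request, so no per-client alias is needed in the keystore. -->
  <bean id="wss4jOut" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Signature Encrypt"/>
        <entry key="user" value="serverkey"/>
        <entry key="signaturePropFile" value="server-keystore.properties"/>
        <entry key="signatureKeyIdentifier" value="DirectReference"/>
        <entry key="encryptionUser" value="useReqSigCert"/>
        <entry key="encryptionPropFile" value="server-keystore.properties"/>
        <entry key="encryptionKeyIdentifier" value="IssuerSerial"/>
        <entry key="passwordCallbackClass" value="com.example.ServerPasswordCallback"/>
      </map>
    </constructor-arg>
  </bean>

  <jaxws:endpoint id="secureService" implementor="com.example.GreeterImpl" address="/Greeter">
    <jaxws:inInterceptors>
      <ref bean="wss4jIn"/>
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
      <ref bean="wss4jOut"/>
    </jaxws:outInterceptors>
  </jaxws:endpoint>
</beans>
```

The point worth checking when using `useReqSigCert` is the inbound `action` list: the response is encrypted to whatever certificate signed the request, so that certificate is only trustworthy because the inbound `Signature` action validated it against the CA in the truststore (step 5 in the question). If the inbound interceptor does not require a signature, there is no verified request certificate for the outbound side to use and the response cannot be encrypted, which is the correct failure mode rather than a silent fallback.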
