Hi Jaime,

What version of CXF are you using? From CXF 2.4.0 onwards there is a better way to do this than via a CXF interceptor. Trust validation is done by WSS4J via the SignatureTrustValidator, which is given the certificate used to verify the signature and verifies trust via the CertPath API. You can simply plug your own Validator implementation in here instead. Bear in mind that whatever you plug in *replaces* the trust check: because your policy includes the client's certificate in the message (AlwaysToRecipient), the Validator itself must decide whether that presented certificate is trusted - e.g. by matching it against the certificates held in your database and checking its validity period / revocation status - otherwise a signature made with any certificate at all will be accepted. See this blog entry for more details:

http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html

Colm.

On Mon, Jul 18, 2011 at 7:30 PM, Jaime Hablutzel Egoavil
<[email protected]> wrote:
> Hi I have a web service exposed with cxf with this wsdl:
>
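> <?xml version='1.0' encoding='UTF-8'?>
> <wsdl:definitions name="CXFLibraryImplService"
>     targetNamespace="http://service2.ws.service.kprtech.com/"
>     xmlns:ns1="http://cxf.apache.org/bindings/xformat"
>     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>     xmlns:tns="http://service2.ws.service.kprtech.com/"
>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>     xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>   <wsdl:types>
>     <xs:schema elementFormDefault="unqualified"
>         targetNamespace="http://service2.ws.service.kprtech.com/" version="1.0"
>         xmlns:ns1="http://cxf.apache.org/bindings/xformat"
>         xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>         xmlns:tns="http://service2.ws.service.kprtech.com/"
>         xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>         xmlns:xs="http://www.w3.org/2001/XMLSchema"
>         xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>       <xs:element name="sayHello" type="tns:sayHello" />
>       <xs:element name="sayHelloResponse" type="tns:sayHelloResponse" />
>       <xs:complexType name="sayHello">
>         <xs:sequence>
>           <xs:element minOccurs="0" name="arg0" type="xs:string" />
>         </xs:sequence>
>       </xs:complexType>
>       <xs:complexType name="sayHelloResponse">
>         <xs:sequence>
>           <xs:element minOccurs="0" name="return" type="xs:string" />
>         </xs:sequence>
>       </xs:complexType>
>     </xs:schema>
>   </wsdl:types>
>   <wsdl:message name="sayHello">
>     <wsdl:part element="tns:sayHello" name="parameters" />
>   </wsdl:message>
>   <wsdl:message name="sayHelloResponse">
>     <wsdl:part element="tns:sayHelloResponse" name="parameters" />
>   </wsdl:message>
>   <wsdl:portType name="Library">
>     <wsdl:operation name="sayHello">
>       <wsdl:input message="tns:sayHello" name="sayHello" />
>       <wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse" />
>     </wsdl:operation>
>   </wsdl:portType>
>   <wsdl:binding name="CXFLibraryImplServiceSoapBinding" type="tns:Library">
>     <!-- Every message of this binding is subject to the #SignEncr policy defined below. -->
>     <wsp:PolicyReference URI="#SignEncr"
>         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" />
>     <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
>     <wsdl:operation name="sayHello">
>       <soap:operation soapAction="" style="document" />
>       <wsdl:input name="sayHello">
>         <soap:body use="literal" />
>       </wsdl:input>
>       <wsdl:output name="sayHelloResponse">
>         <soap:body use="literal" />
>       </wsdl:output>
>     </wsdl:operation>
>   </wsdl:binding>
>   <wsdl:service name="CXFLibraryImplService">
>     <wsdl:port binding="tns:CXFLibraryImplServiceSoapBinding" name="CXFLibraryImplPort">
>       <!-- NOTE(review): plain http endpoint. The policy below asserts signing only
>            (no EncryptedParts), so arg0/return travel in the clear unless the deployed
>            address is https. -->
>       <soap:address location="http://localhost:8888/domicilios/services/service2" />
>     </wsdl:port>
>   </wsdl:service>
>   <!-- Message-level security policy. Despite the id "SignEncr", only signing is required:
>        the SignedParts assertion at the end covers the Body and there is no EncryptedParts. -->
>   <wsp:Policy wsu:Id="SignEncr"
>       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <!-- The client's certificate is carried in every request (AlwaysToRecipient)
>                      and referenced by thumbprint. Whatever replaces the default
>                      SignatureTrustValidator must therefore decide trust for this presented
>                      certificate itself (e.g. match it against the certificates stored in the
>                      database, check validity period and revocation); the thumbprint only
>                      identifies the certificate, it does not establish trust in it. -->
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                     <sp:RequireThumbprintReference />
>                     <!-- NOTE(review): X.509 v1 certificates carry no extensions (no key usage,
>                          no basic constraints). Confirm v1 is really what the client certificates
>                          are; the recipient token below requires v3. -->
>                     <sp:WssX509V1Token10 />
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                   <wsp:Policy>
>                     <sp:RequireThumbprintReference />
>                     <sp:WssX509V3Token10 />
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <!-- NOTE(review): TripleDesRsa15 = 3DES with RSA PKCS#1 v1.5 key transport.
>                      Nothing is encrypted under this policy so the key-transport algorithm is
>                      currently unused, but if EncryptedParts is ever added prefer a suite
>                      without the Rsa15 suffix (e.g. Basic128/Basic256, which use RSA-OAEP),
>                      as rsa-1_5 key wrap is subject to padding-oracle attacks. -->
>                 <sp:TripleDesRsa15 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>             <sp:OnlySignEntireHeadersAndBody />
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <!-- NOTE(review): this assertion uses the 2005/07 (WS-SecurityPolicy 1.1) namespace
>              while the rest of the policy uses 200702 (1.2). Whether CXF honours a mixed
>              1.1/1.2 policy should be confirmed; moving it to the 200702 namespace avoids
>              the question. -->
>         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>           </wsp:Policy>
>         </sp:Wss10>
>         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <sp:Body />
>         </sp:SignedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> </wsdl:definitions>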
>
>
> And I want to be able to get the certificate in a custom interceptor so that
> I can pass it to the Spring Security session context.
> The other thing I want is to override CXF's default behaviour of validating the
> certificate path, because I need to do that myself: the certificates aren't in
> a .jks keystore but in a database.
>
> I have read that I need a second interceptor, but how do I register an
> interceptor and give it lower precedence?
>
> Thanks.
>
>
>
> --
> Jaime Hablutzel - 9-9956-3299
>
> (tildes omitidas intencionalmente)
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
