Thanks for your answer. I understand how I can change security properties in an interceptor. The problem is: how do I know when to change these properties?
When I send a soap message, I know which security settings should be used. But how do I attach these security settings to a soap message such that an interceptor can read and use them?

- Ed

> -----Original Message-----
> From: Andrei Shakirin [mailto:ashaki...@talend.com]
> Sent: Wednesday, 12 December 2012 18:10
> To: users@cxf.apache.org
> Cc: z...@debrasjes.com
> Subject: RE: How to use ws-security info per sending soap message in CXF?
>
> Hi,
>
> a) jaxws client
> 1) You can set the message property SecurityConstants.ENCRYPT_PROPERTIES
> and dynamically update the property file location:
> message.put(SecurityConstants.ENCRYPT_PROPERTIES, <new property location>);
> WSS4J will automatically use these properties.
>
> It is possible to do it either in a custom interceptor (should be called
> before WSS4JOutInterceptor) or in client logic via:
> ((BindingProvider)proxy).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, <new property location>).
>
> Cons of this solution: you are still restricted to using a
> keystore.properties file.
>
> 2) A more generic solution is to implement your own CryptoProvider
> (implements the wss4j CryptoBase interface) and set this implementation in
> the SecurityConstants.ENCRYPT_CRYPTO message property. In the provider
> implementation you can get certificates and private keys however you want:
> from a keystore, remotely from a service, etc.
>
> b) http conduit
> TLS parameters can also be configured programmatically:
> Client c = ClientProxy.getClient(port);
> HTTPConduit conduit = (HTTPConduit) c.getConduit();
> TLSClientParameters tlsParams = new TLSClientParameters(); ...
> conduit.setTlsClientParameters(tlsParams);
>
> see http://blog.progs.be/71/cxf-simple-frontend-allow-all-ssl-certificates-and-set-basic-authentication-credentials
> for details.
>
> I hope this can help.
>
> Cheers,
> Andrei.
>
> > -----Original Message-----
> > From: Ed Bras [mailto:z...@debrasjes.com]
> > Sent: Wednesday, 12 December 2012 15:16
> > To: users@cxf.apache.org
> > Subject: How to use ws-security info per sending soap message in CXF?
> >
> > Please some advice on the following requirement:
> > I would like to be able to dynamically change/set the ws-security info
> > per sending soap message in cxf. How can this best be done?
> >
> > Details: I want to change settings like keystore name, keystore alias,
> > password, host name, etc. during runtime, preferably per sending message.
> >
> > Currently I am using: jaxws client with WSS4JOutInterceptor and
> > WSS4JInInterceptor interceptor for signing. And I am using http
> > conduit with tls client parameters for SSL/TLS communications. Both
> > the jaxws client and http conduit are configured in spring and have
> > their configuration like keystore name, alias and password set in the
> > Spring config.
> >
> > I see options:
> > 1) I change these settings during runtime through a global property.
> > 2) I change these settings per sending message (preferable).
> >
> > 2) Is preferable but most difficult I think. How should I do this?
> >
> > I was thinking about:
> > a) jaxws client: make my own in- and out interceptor that intercepts a
> > message and uses the correct (cached) WSS4JOutInterceptor interceptor
> > depending on the security settings that that message requires. If the
> > WSS4JOutInterceptor interceptor doesn't exist in cache, it's created
> > (I probably have max 5 WSS4JOutInterceptor instances cached).
> > However, how can I determine which settings are required in my
> > interceptor as that is known in another part of the app when talking
> > to the @Webservice proxy to create and send the soap
> > request/message... Maybe I could be able to add some kind of
> > securityInfo object to the soap message through the JaxWsClientProxy,
> > but how ?... Or maybe I can set the interceptors when sending/creating
> > the soap message when this security info is still known.
> > This will then be a light weight interceptor containing the required
> > settings, linking to the cached interceptors, that is selected
> > depending on the settings...
> >
> > b) http conduit: using a ConduitSelector (never used it but will find
> > out), such that I am able to select the correct http conduit, but I
> > have the same problem as in (a): "How to determine which settings I
> > should use" as they are known when creating/sending a soap message and
> > the interceptors are set later...
> > Probably I have to set a conduit selector per sending message..
> >
> > Please some advice?
> > - Ed
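An added example, not part of the original thread: it combines the two options from the quoted reply so that the calling code tags each request with a profile name in the JAX-WS request context and a custom out-interceptor, placed before WSS4JOutInterceptor, turns that tag into SecurityConstants.ENCRYPT_PROPERTIES. The class name, the `example.security.profile` key and the profile map are hypothetical; CXF copies request-context entries onto the outgoing message, which is what lets the interceptor read the tag.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;

public class SecurityProfileInterceptor extends AbstractPhaseInterceptor<SoapMessage> {

    // Hypothetical application-defined key; it is not a CXF constant.
    public static final String PROFILE_KEY = "example.security.profile";

    // Fixed allow-list: profile name -> crypto properties location.
    private final Map<String, String> profiles;

    public SecurityProfileInterceptor(Map<String, String> profiles) {
        super(Phase.PRE_PROTOCOL);
        // Must run before WSS4J reads the security properties.
        addBefore(WSS4JOutInterceptor.class.getName());
        this.profiles = profiles;
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        // The value put into the request context by selectProfile() is visible here.
        Object profile = message.getContextualProperty(PROFILE_KEY);
        String propertiesLocation = profiles.get(profile);
        if (propertiesLocation == null) {
            // Fail closed: never fall back to some default key material.
            throw new Fault(new IllegalStateException("Unknown security profile: " + profile));
        }
        message.put(SecurityConstants.ENCRYPT_PROPERTIES, propertiesLocation);
    }

    // One-time setup on the client proxy.
    public static void install(Object proxy, Map<String, String> profiles) {
        Client client = ClientProxy.getClient(proxy);
        client.getOutInterceptors().add(new SecurityProfileInterceptor(profiles));
    }

    // Call right before invoking the service method on the proxy.
    public static void selectProfile(Object proxy, String profile) {
        ((BindingProvider) proxy).getRequestContext().put(PROFILE_KEY, profile);
    }
}
```

The request context belongs to the proxy, so when one proxy is shared by several threads that need different profiles, enable CXF's `thread.local.request.context` setting or use one proxy per thread.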