Hi Martin,
I don't think it is really a good idea to extend the business service interface with
a certificate.
You can extract the client certificate used for the request signature either in an
interceptor or from your business code using WebServiceContext.
Code will look like:
    import java.security.cert.X509Certificate;
    import java.util.List;

    import org.apache.cxf.helpers.CastUtils;
    import org.apache.cxf.interceptor.Fault;
    import org.apache.cxf.message.Message;
    import org.apache.cxf.phase.AbstractPhaseInterceptor;
    import org.apache.cxf.phase.Phase;
    import org.apache.wss4j.dom.WSConstants;
    import org.apache.wss4j.dom.WSSecurityEngineResult;
    import org.apache.wss4j.dom.handler.WSHandlerConstants;
    import org.apache.wss4j.dom.handler.WSHandlerResult;

    public class ReqSigCertInterceptor extends AbstractPhaseInterceptor<Message> {

        public ReqSigCertInterceptor() {
            // PRE_INVOKE runs after WSS4JInInterceptor (PRE_PROTOCOL), so the
            // signature has already been verified when this code sees the results.
            super(Phase.PRE_INVOKE);
        }

        @Override
        public void handleMessage(Message message) throws Fault {
            List<WSHandlerResult> results = CastUtils.cast((List<?>)
                message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
            if (results != null) {
                X509Certificate cert = getReqSigCert(results);
                // null when the request carried no verified Signature action;
                // otherwise hand the signer's certificate on to the business code
                message.getExchange().put(X509Certificate.class, cert);
            }
        }

        private static X509Certificate getReqSigCert(List<WSHandlerResult> results) {
            /*
             * Scan the results for a matching actor. Use results only if the
             * receiving Actor and the sending Actor match.
             */
            for (WSHandlerResult rResult : results) {
                List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
                /*
                 * Scan the results for the first Signature action. Use the
                 * certificate of this Signature to set the certificate for the
                 * encryption action :-).
                 */
                for (WSSecurityEngineResult wser : wsSecEngineResults) {
                    Integer actInt = (Integer) wser.get(WSSecurityEngineResult.TAG_ACTION);
                    if (actInt != null && actInt.intValue() == WSConstants.SIGN) {
                        return (X509Certificate) wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                    }
                }
            }
            return null;
        }
    }
It is a copy & paste from
https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java.
I would suggest extracting the certificate in your own interceptor; just make sure that
this interceptor is called after WSS4J in the incoming chain.
Regards,
Andrei.
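The other route mentioned above, reading the WSS4J results from the business code through WebServiceContext, as an added example that is not part of the original message. The service class name, the doStuff signature, and the use of the signer's subject DN as the "alias" handed to the existing key infrastructure are assumptions; the lookup key WSHandlerConstants.RECV_RESULTS and the WSS4J 2.0 packages are the ones CXF 3.0 uses.

```java
import java.security.cert.X509Certificate;
import java.util.List;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

import org.apache.cxf.helpers.CastUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;

@WebService // hypothetical service; the WSDL exposes only inVal, never the caller's key
public class StuffService {

    @Resource
    private WebServiceContext wsContext; // injected by the JAX-WS runtime (CXF)

    /** Business operation: the caller's identity comes from the verified request signature. */
    public String doStuff(String inVal) {
        X509Certificate signer = requestSignerCertificate();
        if (signer == null) {
            // WSS4J recorded no verified Signature action for this request:
            // fail closed instead of continuing with an unauthenticated caller.
            throw new SecurityException("request was not signed");
        }
        // The subject DN stands in for the "alias" here (assumption); the existing
        // key infrastructure would map it to its user record and public key.
        String caller = signer.getSubjectX500Principal().getName();
        return "processed " + inVal + " for " + caller;
    }

    /** Same walk over the WSS4J results as in an interceptor, but via the JAX-WS MessageContext. */
    private X509Certificate requestSignerCertificate() {
        List<WSHandlerResult> results = CastUtils.cast((List<?>)
            wsContext.getMessageContext().get(WSHandlerConstants.RECV_RESULTS));
        if (results == null) {
            return null;
        }
        for (WSHandlerResult handlerResult : results) {
            for (WSSecurityEngineResult r : handlerResult.getResults()) {
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && action.intValue() == WSConstants.SIGN) {
                    return (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        return null;
    }
}
```

This only works when WSS4JInInterceptor (or the WS-SecurityPolicy interceptors) has already run on the incoming chain, which is always the case by the time the service method is invoked; the results list is absent, and the method throws, when the endpoint is reached without a verified signature.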
> -----Original Message-----
> From: Martin Nielsen [mailto:[email protected]]
> Sent: Sunday, 8 March 2015 00:22
> To: [email protected]
> Subject: RE: Alternative key sources using asymmetric security?
>
> I want the key or alias passed through to the method body.
> I have a case where a key infrastructure is already in place, and the public key
> of the sender is used for further evaluation in the backend.
> If I can get the alias or key for the caller passed to the method on the backend,
> then I can use that key to authenticate the user without the need for further
> user credentials.
>
> So I would like something along the lines of:
> @webservice
> public interface SEI{
> public ReturnVal doStuff(String/PublicKey alias, Object inVal) ...
>
> Where alias is provided by the CXF runtime, and not visible to the WSDL or
> client..
> If I have to pick it out of the interceptor chain or something, that's fine
> too, I am not picky.
>
> Thanks for the sustained interest :)
> On 7 Mar 2015 20:34, "Andrei Shakirin" <[email protected]> wrote:
>
> > Hi Martin,
> >
> > I assume you would like to get the client certificate on the service side
> > to use it for encryption of the response, correct?
> > If yes, I would first of all evaluate using the "useReqSigCert"
> > constant as the value of the "ws-security.encryption.username" property on the
> > server side.
> > In this case the service will extract the client certificate from the request and
> > use it to encrypt the response. This approach is very convenient on
> > the server side to encrypt responses for different clients. In this
> > case you don't need to look up the client certificate on the server side at
> > all; the service will get the certificate and proceed with encryption automatically.
> > Is this close to your question? If not, please elaborate your use case
> > a bit more.
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Martin Nielsen [mailto:[email protected]]
> > > Sent: Saturday, 7 March 2015 13:32
> > > To: [email protected]
> > > Subject: RE: Alternative key sources using asymmetric security?
> > >
> > > Great!
> > >
> > > I will get right on that..
> > > As a bonus question, I was wondering, is it possible to make either
> > > the calling public key or alias (or anything that uniquely identifies the key)
> > > available to the method being invoked by CXF when the client calls a service?
> > > Optimally, I would like it defined as a method parameter, but I'm not picky.
> > >
> > > And thank you :)
> > > On 6 Mar 2015 18:11, "Andrei Shakirin" <[email protected]> wrote:
> > >
> > > > Hi Martin,
> > > >
> > > > Yes, for sure. You need to provide your own implementation of the WSS4J
> > > > Crypto interface.
> > > > Btw CXF supports the XKMS standard to get public keys as an alternative
> > > > to a keystore.
> > > > You can either take this as an example of a Crypto implementation:
> > > > https://github.com/apache/cxf/blob/master/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/provider/XkmsCryptoProvider.java
> > > >
> > > > or use the XKMS service to manage your certificates:
> > > > http://cxf.apache.org/docs/xml-key-management-service-xkms.html
> > > >
> > > > Regards,
> > > > Andrei.
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Martin Nielsen [mailto:[email protected]]
> > > > > Sent: Friday, 6 March 2015 10:36
> > > > > To: [email protected]
> > > > > Subject: Alternative key sources using asymmetric security?
> > > > >
> > > > > Looking at WS-Security asymmetric encryption, I was wondering if it is
> > > > > possible in some way to configure CXF to look somewhere else than a java
> > > > > keystore for the key information.
> > > > >
> > > > > Say that you have a case where you need to add web services to an
> > > > > application that already has a public key for all its users in a database,
> > > > > for example. Would it be possible to have CXF look for a public key in the
> > > > > database instead of a keystore?
> > > > >
> > > > > -Martin
> > > >
> >
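The custom Crypto approach suggested in the quoted reply (look up keys somewhere other than a Java keystore), written out as an added example that is not the project's code and not the XkmsCryptoProvider it points to. It targets the abstract-method set of WSS4J 2.0.x, the version CXF 3.0 shipped with at the time of this thread; later WSS4J releases add further overloads that would also need implementing. The class name UserStoreCrypto, the in-memory map standing in for the users table, and the trust rule (the signing certificate must be one registered for a user) are assumptions for this example.

```java
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.x500.X500Principal;

import org.apache.wss4j.common.crypto.CryptoBase;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;

/**
 * Verification-only Crypto: answers WSS4J's certificate lookups from the application's
 * own user store instead of a JKS keystore. The store is an in-memory map constructed for
 * this example; a real one would query the users table by alias or issuer + serial.
 */
public class UserStoreCrypto extends CryptoBase {

    private final Map<String, X509Certificate> certsByAlias =
        new ConcurrentHashMap<String, X509Certificate>();

    /** Stand-in for a row in the users table: alias -> the user's public certificate. */
    public void register(String alias, X509Certificate cert) {
        certsByAlias.put(alias, cert);
    }

    /** Resolve the certificate a key identifier refers to; the asymmetric binding
     *  references the signing certificate by issuer + serial by default. */
    @Override
    public X509Certificate[] getX509Certificates(CryptoType type) throws WSSecurityException {
        if (type == null) {
            return null;
        }
        X509Certificate match = null;
        switch (type.getType()) {
        case ALIAS:
            match = certsByAlias.get(type.getAlias());
            break;
        case ISSUER_SERIAL:
            match = findByIssuerSerial(new X500Principal(type.getIssuer()), type.getSerial());
            break;
        default:
            return null; // subject DN, SKI, thumbprint and endpoint lookups not supported here
        }
        return match == null ? null : new X509Certificate[] {match};
    }

    private X509Certificate findByIssuerSerial(X500Principal issuer, BigInteger serial) {
        for (X509Certificate c : certsByAlias.values()) {
            if (c.getIssuerX500Principal().equals(issuer) && c.getSerialNumber().equals(serial)) {
                return c;
            }
        }
        return null;
    }

    @Override
    public String getX509Identifier(X509Certificate cert) {
        for (Map.Entry<String, X509Certificate> e : certsByAlias.entrySet()) {
            if (e.getValue().equals(cert)) {
                return e.getKey();
            }
        }
        return null;
    }

    // The store holds public certificates only. The service's own signing and
    // decryption key stays in a keystore-backed Crypto configured separately.
    @Override
    public PrivateKey getPrivateKey(X509Certificate cert, CallbackHandler handler) throws WSSecurityException {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }

    @Override
    public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }

    /** Trust rule: the signing certificate must be registered for a user, be inside its
     *  validity period, and satisfy any configured subject-DN constraints. */
    @Override
    public void verifyTrust(X509Certificate[] certs, boolean enableRevocation,
                            Collection<Pattern> subjectCertConstraints) throws WSSecurityException {
        if (certs == null || certs.length == 0 || getX509Identifier(certs[0]) == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            certs[0].checkValidity();
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
        }
        if (subjectCertConstraints != null && !subjectCertConstraints.isEmpty()) {
            String subject = certs[0].getSubjectX500Principal().getName();
            for (Pattern p : subjectCertConstraints) {
                if (p.matcher(subject).matches()) {
                    return;
                }
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    @Override
    public void verifyTrust(PublicKey publicKey) throws WSSecurityException {
        for (X509Certificate c : certsByAlias.values()) {
            if (c.getPublicKey().equals(publicKey)) {
                return;
            }
        }
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
}
```

An instance is wired in as the value of the endpoint's "ws-security.signature.crypto" property, so that signature verification of incoming requests consults the user store; because it never yields a private key, the service's own key for signing responses and decrypting requests must come from a second, keystore-backed Crypto. The trust decision here is deliberately a membership check rather than chain building: a signature from any certificate that is not on record for a user is rejected, which is what makes the signer usable as the authenticated caller later on.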