Thank you very much for your help:)

On Mon, Mar 9, 2015 at 3:23 PM, Andrei Shakirin <[email protected]>
wrote:

> Hi Martin,
>
> I don't think it is really a good idea to extend the business service
> interface with a certificate.
> You can extract the client certificate used for the request signature either
> in an interceptor or from your business code using WebServiceContext.
> The code will look like:
>
>    // Imports for CXF 3.x / WSS4J 2.x package names.
>    import java.security.cert.X509Certificate;
>    import java.util.List;
>    import org.apache.cxf.helpers.CastUtils;
>    import org.apache.wss4j.dom.WSConstants;
>    import org.apache.wss4j.dom.WSSecurityEngineResult;
>    import org.apache.wss4j.dom.handler.WSHandlerConstants;
>    import org.apache.wss4j.dom.handler.WSHandlerResult;
>
>    // 'message' is the current org.apache.cxf.message.Message. WSS4J stores its
>    // verification results on the incoming message under RECV_RESULTS.
>    List<WSHandlerResult> results = CastUtils.cast((List<?>)
>            message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
>    if (results != null) {
>        X509Certificate cert = getReqSigCert(results);
>    }
>
>    private static X509Certificate getReqSigCert(List<WSHandlerResult> results) {
>        /*
>         * Scan the results for a matching actor. Use results only if the
>         * receiving Actor and the sending Actor match.
>         */
>        for (WSHandlerResult rResult : results) {
>            List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
>            /*
>             * Scan the results for the first Signature action and return the
>             * certificate that produced this Signature.
>             */
>            for (WSSecurityEngineResult wser : wsSecEngineResults) {
>                Integer actInt = (Integer) wser.get(WSSecurityEngineResult.TAG_ACTION);
>                if (actInt != null && actInt.intValue() == WSConstants.SIGN) {
>                    return (X509Certificate) wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
>                }
>            }
>        }
>        return null;
>    }
>
> It is a copy & paste from
> https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
>
> I would suggest extracting the certificate in your own interceptor; just take
> care that this interceptor is called after WSS4J in the incoming chain.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Martin Nielsen [mailto:[email protected]]
> > Sent: Sonntag, 8. März 2015 00:22
> > To: [email protected]
> > Subject: RE: Alternative key sources using asymmetric security?
> >
> > I want the key or alias passed through to the method body.
> > I have a case where a key infrastructure is already in place, and the
> > public key of the sender is used for further evaluation in the backend.
> > If I can get the alias or key for the caller passed to the method on the
> > backend, then I can use that key to authenticate the user without the need
> > for further user credentials.
> >
> > So I would like something along the lines of:
> > @WebService
> > public interface SEI {
> >     public ReturnVal doStuff(String/PublicKey alias, Object inVal) ...
> >
> > Where alias is provided by the CXF runtime, and not visible to the WSDL or
> > client.
> > If I have to pick it out of the interceptor chain or something, that's fine
> > too, I am not picky.
> >
> > Thanks for the sustained interest:)
> > On 7 Mar 2015 20:34, "Andrei Shakirin" <[email protected]> wrote:
> >
> > > Hi Martin,
> > >
> > > I assume you would like to get the client certificate on the service side
> > > to use it for encryption of the response, correct?
> > > If yes, I would first of all evaluate using the "useReqSigCert"
> > > constant as the value of the "ws-security.encryption.username" property on
> > > the server side.
> > > In this case the service will extract the client certificate from the request
> > > and use it to encrypt the response. This approach is very convenient on
> > > the server side for encrypting responses for different clients. In this
> > > case you don't need to look up the client certificate on the server side at
> > > all; the service will get the certificate and proceed with encryption automatically.
> > > Is this close to your question? If not, please elaborate your use case
> > > a bit more.
> > >
> > > Regards,
> > > Andrei.
> > >
> > > > -----Original Message-----
> > > > From: Martin Nielsen [mailto:[email protected]]
> > > > Sent: Samstag, 7. März 2015 13:32
> > > > To: [email protected]
> > > > Subject: RE: Alternative key sources using asymmetric security?
> > > >
> > > > Great!
> > > >
> > > > I will get right on that..
> > > > As a bonus question, I was wondering, is it possible to make either
> > > > the calling public key or alias (or anything that uniquely identifies the key)
> > > > available to the method being invoked by CXF when the client calls a service?
> > > > Optimally, I would like it defined as a method parameter, but I'm not
> > > > picky.
> > > >
> > > > And thank you :)
> > > > On 6 Mar 2015 18:11, "Andrei Shakirin" <[email protected]> wrote:
> > > >
> > > > > Hi Martin,
> > > > >
> > > > > Yes, for sure. You need to provide your own implementation of the WSS4J
> > > > > Crypto interface.
> > > > > Btw, CXF supports the XKMS standard to get public keys as an alternative
> > > > > to a keystore.
> > > > > You can take this either as an example of a Crypto implementation:
> > > > > https://github.com/apache/cxf/blob/master/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/provider/XkmsCryptoProvider.java
> > > > >
> > > > > or use the XKMS service to manage your certificates:
> > > > > http://cxf.apache.org/docs/xml-key-management-service-xkms.html
> > > > >
> > > > > Regards,
> > > > > Andrei.
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Martin Nielsen [mailto:[email protected]]
> > > > > > Sent: Freitag, 6. März 2015 10:36
> > > > > > To: [email protected]
> > > > > > Subject: Alternative key sources using asymmetric security?
> > > > > >
> > > > > > Looking at WS-Security asymmetric encryption, I was wondering if
> > > > > > it is possible in some way to configure CXF to look somewhere else
> > > > > > than a Java keystore for the key information.
> > > > > >
> > > > > > Say that you have a case where you need to add web services to an
> > > > > > application that already has a public key for all its users in a
> > > > > > database, for example. Would it be possible to have CXF look for a
> > > > > > public key in the database instead of a keystore?
> > > > > >
> > > > > > -Martin
> > > > >
> > >
>
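As an added example (not code from the thread or from the CXF project), the following puts Andrei's suggestion together end to end: a custom incoming interceptor that is guaranteed to run after WSS4J, pulls the signing certificate out of WSS4J's RECV_RESULTS, refuses the request if no verified signature is present, and publishes the certificate as a message property that the service implementation reads through WebServiceContext. The property name, the interceptor class name and the SEI/SEIImpl pair are assumptions for illustration; the CXF and WSS4J types are the real ones from CXF 3.x / WSS4J 2.x.

```java
import java.security.cert.X509Certificate;
import java.util.List;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;

/**
 * Incoming interceptor that runs after WSS4JInInterceptor (which sits in
 * PRE_PROTOCOL) and publishes the certificate that signed the request as a
 * message property, so the business code never touches WSS4J result structures.
 * Class and property names are assumptions made for this example.
 */
public class SigningCertInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Arbitrary property name chosen for this example. */
    public static final String SIGNING_CERT = "example.signing-cert";

    public SigningCertInterceptor() {
        // PRE_INVOKE is strictly later than PRE_PROTOCOL in the in-chain, so
        // WSS4J has already verified the signature (or thrown a Fault) by the
        // time this runs, whichever WSS4JInInterceptor variant is installed.
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        List<WSHandlerResult> results = CastUtils.cast(
                (List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
        X509Certificate cert = results == null ? null : findSigningCert(results);
        if (cert == null) {
            // Fail closed: no WSS4J results means WSS4J did not process this
            // message, no SIGN result means the request was not signed; either
            // way there is no certificate to authenticate the caller with.
            throw new Fault(new SecurityException(
                    "request carries no signature verified by WSS4J"));
        }
        message.put(SIGNING_CERT, cert);
    }

    /**
     * Returns the certificate behind the request's Signature action, refusing
     * to choose if two different certificates signed parts of the message: an
     * ambiguous caller identity must not be resolved silently to the first hit.
     */
    static X509Certificate findSigningCert(List<WSHandlerResult> results) {
        X509Certificate found = null;
        for (WSHandlerResult handlerResult : results) {
            for (WSSecurityEngineResult r : handlerResult.getResults()) {
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action == null || action != WSConstants.SIGN) {
                    continue;
                }
                X509Certificate cert =
                        (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (cert == null) {
                    continue; // e.g. signed with a bare public key, not a certificate
                }
                if (found != null && !found.equals(cert)) {
                    throw new Fault(new SecurityException(
                            "message signed by more than one certificate"));
                }
                found = cert;
            }
        }
        return found;
    }
}

/** Hypothetical SEI in the shape Martin sketched, without the certificate parameter. */
@WebService
interface SEI {
    String doStuff(String inVal);
}

/** The certificate reaches the method via WebServiceContext, not via the WSDL. */
@WebService
class SEIImpl implements SEI {

    @Resource
    private WebServiceContext ctx;

    @Override
    public String doStuff(String inVal) {
        X509Certificate caller = (X509Certificate) ctx.getMessageContext()
                .get(SigningCertInterceptor.SIGNING_CERT);
        // WSS4J's Crypto (keystore, XKMS or a database-backed implementation)
        // already decided this certificate is trusted; here it is only used as
        // the caller's identity, e.g. to look the user up by subject DN.
        String subject = caller.getSubjectX500Principal().getName();
        return "hello " + subject + ", you sent " + inVal;
    }
}
```

Register the interceptor on the endpoint's incoming chain next to WSS4JInInterceptor (for example via jaxws:inInterceptors in Spring or the @InInterceptors annotation); the phase choice takes care of the ordering Andrei warns about. Whether the certificate behind the signature is actually trustworthy is decided entirely by the Crypto implementation WSS4J is configured with, so a database-backed Crypto as discussed earlier in the thread must still perform proper trust verification; this interceptor only carries the already-verified identity to the business code.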