You can get the signing certificate via the WSS4J result set, which is stored on the CXF Message Context after WS-Security processing. There is an example in a unit test in the cxf-rt-ws-security module:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java;h=31debf3c2081841b9c0ae5b400a6b8b2dba388f8;hb=HEAD

See the "getResults" method on line 482. It gets a List<WSHandlerResult> object from the message context. Signing client certificates are then extracted from this in some of the tests, e.g.:

    WSSecurityEngineResult actionResult =
        handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
    X509Certificate[] certificates =
        (X509Certificate[]) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);

You can get the message context by adding

    @Resource
    WebServiceContext context;

to your implementation, and then get the message context from this via context.getMessageContext().

Colm.

On Wed, Aug 24, 2016 at 8:41 PM, Susan Liebeskind <[email protected]> wrote:

> I need to migrate a SOAP-WS web service hosted on the Metro web service
> stack, version 2.2.1.1, to Apache CXF 3.1.6. I'm trying to determine where
> some of the facilities I've used in Metro for WS-Security using X509 certs
> have equivalents in Apache CXF, and so far I'm coming up short.
>
> Specifics:
>
> We sign our outgoing client packets with an X.509 cert, and the server on
> the other end validates that signature, thanks to the WS-Security libraries
> in the web service runtime. I have a requirement to audit the CN of the
> certificate used to sign the incoming request, which means I need to pull
> that out in the application itself.
>
> -------------------------------
> With Metro I was able to get the CN out this way.
>
> In the class annotated with @WebService(endpointInterface=foo)
> I had an instance variable annotated like this:
>
>     @Resource
>     private WebServiceContext wsContext;
>
> In my application code, I ended up doing this, at a high level:
>
>     import com.sun.xml.wss.SubjectAccessor;
>     // from webservices-rt-2.2.1-1.jar
>     ...
>     Subject subj = SubjectAccessor.getRequesterSubject(wsContext.getMessageContext());
>     ...
>     Set<X509Certificate> creds =
>         subj.getPublicCredentials(java.security.cert.X509Certificate.class);
>
>     // am able to make some assumptions about which cred in the set is
>     // the signing one
> ---------------
>
> Alas... I'm not seeing anything as straightforward as the SubjectAccessor
> class in Apache CXF thus far.
>
> Went to my usual go-to place, the totally awesome Glen Mazza web service
> blog, and seeing this: https://web-gmazza.rhcloud.com/blog/entry/cxf-x509-profile
> Of course, that entry is almost 4 years old and things might well have
> changed for Apache CXF 3.1.6. In any case, it doesn't look quite as easy
> as the SubjectAccessor class.
>
> I've checked out the CXF git repo and am wandering through the systests to
> see if I can find the example that will show me how best to do this. If
> there is an easy way to have the web service retrieve the CN of the signing
> certificate used in the web service client, I'd be grateful if someone
> could point me in the general direction.
>
> ========
>
> Platform:
>
> I will be hosting this service on a RHEL7 host/Tomcat7/Java 8, and I can
> modify the WSDL to have different WS-SecurityPolicy statements in it, if
> need be.
> Using Guice 3.0 as our dependency injection framework and really don't
> want to bring Spring in if I don't have to.
>
> Thanks in advance.
>
> SL

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
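The following is an added example, not code from this thread or from the CXF project, that puts the two pieces of the reply together in one JAX-WS endpoint implementation: the injected WebServiceContext, the List<WSHandlerResult> read from the message context under the WSS4J key that the linked getResults method uses (WSHandlerConstants.RECV_RESULTS), the X509Certificate[] pulled from the SIGN action result, and finally the CN parsed out of the subject DN for the audit requirement. The class and SEI names (AuditingGreeterImpl, com.example.Greeter) and the System.out audit line are placeholders; the package names assume WSS4J 2.1.x as shipped with CXF 3.1.x.

```java
// Added example (not from the thread or the CXF code base): a JAX-WS endpoint
// implementation that audits the CN of the certificate that signed the
// incoming request, using the WSS4J results CXF leaves on the message context.
// Assumes CXF 3.1.x with WSS4J 2.1.x and that WS-Security processing
// (WSS4JInInterceptor or WS-SecurityPolicy) ran before the endpoint was invoked.
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;

@WebService(endpointInterface = "com.example.Greeter") // hypothetical SEI name
public class AuditingGreeterImpl {

    @Resource
    private WebServiceContext wsContext;

    public String greet(String name) {
        String signerCn = signingCertificateCn(wsContext.getMessageContext());
        // Placeholder audit sink; a real service would write to its audit log.
        System.out.println("AUDIT request signed by CN=" + signerCn);
        return "Hello " + name;
    }

    /** CN of the certificate behind the first verified signature, or null if none. */
    static String signingCertificateCn(MessageContext ctx) {
        X509Certificate cert = signingCertificate(ctx);
        return cert == null ? null : extractCn(cert);
    }

    /** Walks the WSS4J results (as the CXF test's getResults does) to the SIGN action. */
    static X509Certificate signingCertificate(MessageContext ctx) {
        @SuppressWarnings("unchecked")
        List<WSHandlerResult> handlerResults =
            (List<WSHandlerResult>) ctx.get(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null || handlerResults.isEmpty()) {
            return null; // no WS-Security header was processed for this request
        }
        for (WSHandlerResult handlerResult : handlerResults) {
            Map<Integer, List<WSSecurityEngineResult>> byAction = handlerResult.getActionResults();
            List<WSSecurityEngineResult> signResults = byAction.get(WSConstants.SIGN);
            if (signResults == null) {
                continue; // this header carried no verified signature
            }
            for (WSSecurityEngineResult result : signResults) {
                X509Certificate[] chain =
                    (X509Certificate[]) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
                if (chain != null && chain.length > 0) {
                    return chain[0]; // end-entity certificate that produced the signature
                }
            }
        }
        return null;
    }

    /** Parses the subject DN with LdapName so multi-valued or escaped RDNs are handled. */
    static String extractCn(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
            return null; // subject has no CN attribute
        } catch (InvalidNameException e) {
            return null;
        }
    }
}
```

Two points worth keeping in mind when wiring this into an audit trail: WSS4J only records a SIGN result for a signature it has cryptographically verified, but which parts of the message had to be signed (Body, Timestamp, and so on) is enforced by the WS-SecurityPolicy in the WSDL or the interceptor configuration, not by this code, so the presence of a SIGN result should feed the audit log and not stand in for the policy check. A request with more than one verified signature yields more than one result under WSConstants.SIGN; the example takes the first one, which matches the handlerResults.get(0)...get(0) pattern in the reply, and a service that expects exactly one signer could instead treat a second result as something to flag.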
