Documentation for direct-reference mode of message signing
----------------------------------------------------------

         Key: WSS-15
         URL: http://issues.apache.org/jira/browse/WSS-15
     Project: WSS4J
        Type: Improvement
 Environment: WSS4J 1.0.0
    Reporter: Guy Rixon
 Assigned to: Davanum Srinivas 


The WSS4J web-site lacks instructions on how to select the direct-reference 
mode of message signature (in which the sender's certificate is included in the 
message). In fact, there's no documentation on the signature modes at all. I 
append an xdoc outlining the issuer-serial (WSS4J default) and direct-reference 
modes and explaining how to select them.

<?xml version="1.0"?>
<document>
  <properties>
    <author email="[EMAIL PROTECTED]">Guy Rixon</author>
    <title>Including the sender's certificate in the signed message</title>
  </properties>

  <body>
    <section name="Including the sender's certificate in the signed message">
      <p>
        When messages are digitally signed, the recipient must have the sender's
        certificate chain in order to check the signature. Typically, the chain has
        two certificates: that of the sender and that of the sender's certificate
        authority (CA).
      </p>
      <p>
        There are two common ways of getting the certificates to the service.
      </p>
      <ol>
        <li>
          Install the CA's certificate in the service configuration. Send the
          caller's individual certificate with the signed message. This is called
          "direct reference", since the signature mark-up in the SOAP header refers
          directly to an included credential.
        </li>
        <li>
          Install both the CA certificate and the caller's individual certificate in
          the service configuration. Send the CA's name and the serial number of the
          caller's certificate in the SOAP message; have the service retrieve its copy
          of the certificate using these metadata. This is called the "issuer-serial"
          method.
        </li>
      </ol>
      <p>
        The issuer-serial method presumes that all trusted users of the service are
        known to the service and have pre-registered their certificate chains before
        using the service. The direct-reference method presumes that the service
        operator trusts all users with certificates issued by a trusted CA.
      </p>
      <p>
        To use the direct-reference method when using WSDoAllSender to sign the
        messages, the client must set a handler property as follows.
      </p>
      <pre>
stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
      </pre>
      <p>
        To use the issuer-serial method, the property should be set like this:
      </p>
      <pre>
stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
      </pre>
      <p>
        If the property is not set, the default in WSS4J is to use the issuer-serial
        method.
      </p>
    </section>
  </body>
</document>
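The two modes described in the xdoc are visible on the wire in the SecurityTokenReference inside the signature's KeyInfo: direct reference points at a BinarySecurityToken carried in the same header, issuer-serial carries only an X509IssuerSerial. As an added example (not part of this issue or of WSS4J), the following Python helper classifies which form an incoming signed message uses and, for direct reference, checks that the referenced token is actually present; the sample envelopes are constructed and omit SignedInfo and SignatureValue, since only KeyInfo is inspected.

```python
"""Classify how a WS-Security signature identifies the signing certificate.
Hypothetical helper (not WSS4J code): it reports whether a signed SOAP message
uses the direct-reference form (certificate travels in a BinarySecurityToken)
or the issuer-serial form (only CA name and serial travel; service holds the cert)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def classify_key_identifier(envelope_xml: str) -> dict:
    """Return the key-identifier mode plus the data a verifier needs to resolve it."""
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    str_el = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("signature carries no SecurityTokenReference")
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        token_id = ref.get("URI", "").lstrip("#")
        # Direct reference: the token must be resolvable inside this same header.
        ids = {t.get(f"{{{NS['wsu']}}}Id") for t in sec.findall("wsse:BinarySecurityToken", NS)}
        return {"mode": "DirectReference", "token_id": token_id, "token_present": token_id in ids}
    iss = str_el.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if iss is not None:
        return {"mode": "IssuerSerial",
                "issuer": iss.findtext("ds:X509IssuerName", namespaces=NS),
                "serial": iss.findtext("ds:X509SerialNumber", namespaces=NS)}
    return {"mode": "unknown"}


def _envelope(security_children: str) -> str:
    # Constructed sample envelope; SignedInfo/SignatureValue omitted on purpose.
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><soap:Header><wsse:Security>'
            f'{security_children}</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')


DIRECT_REFERENCE_MSG = _envelope(
    '<wsse:BinarySecurityToken wsu:Id="CertId-1">base64-cert-placeholder</wsse:BinarySecurityToken>'
    '<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1"/>'
    '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')

ISSUER_SERIAL_MSG = _envelope(
    '<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>'
    '<ds:X509IssuerName>CN=Example CA,O=Example</ds:X509IssuerName>'
    '<ds:X509SerialNumber>12345</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>'
    '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')
```

A service that wants to enforce the issuer-serial policy described above can reject any message whose mode is not "IssuerSerial"; one that accepts direct reference should also insist on `token_present` before validating the chain against the installed CA certificate.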


-- 
This message is automatically generated by JIRA.