Hi Pandu,
On 10/4/06, pandu <[EMAIL PROTECTED]> wrote:
Hi,
I developed one web service application, where the client has to use the X.509
security token in the SOAP message. I created the SOAP message as per the
WSS security token X.509 certificate profile.
The SOAP message is digitally signed using my private key.
Once the SOAP message arrives at the server, I need to do authentication using
digital certificates. So I tried to get the certificate as follows:
    // Imports needed: org.w3c.dom.Element, org.w3c.dom.Node, org.w3c.dom.NodeList,
    // java.security.cert.X509Certificate, org.apache.ws.security.WSConstants,
    // org.apache.ws.security.WSSecurityException, org.apache.ws.security.message.EnvelopeIdResolver,
    // org.apache.ws.security.message.token.SecurityTokenReference,
    // org.apache.ws.security.util.WSSecurityUtil, org.apache.xml.security.keys.KeyInfo,
    // org.apache.xml.security.signature.XMLSignature,
    // org.apache.xml.security.exceptions.XMLSecurityException
    boolean verifySignature(Element header, X509Certificate pkCert)
            throws WSSecurityException, XMLSecurityException {
        // Locate the wsse:Security header with a namespace-aware lookup
        NodeList list1 = header.getElementsByTagNameNS(WSConstants.WSSE_NS, "Security");
        Element secHeader = (Element) list1.item(0);
        // XMLSignature must be built from the ds:Signature element, not from wsse:Security itself
        Element sigElement = (Element) WSSecurityUtil.getDirectChild(secHeader, "Signature",
                WSConstants.SIG_NS);
        if (sigElement == null) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
        }
        XMLSignature xmlSignature = new XMLSignature(sigElement, null);
        // Resolves Reference URI="#wsu:Id" values against the enclosing envelope
        xmlSignature.addResourceResolver(EnvelopeIdResolver.getInstance());
        // KeyInfo must carry a wsse:SecurityTokenReference pointing at the BinarySecurityToken
        KeyInfo info = xmlSignature.getKeyInfo();
        if (info == null) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo");
        }
        Node node = WSSecurityUtil.getDirectChild(info.getElement(),
                SecurityTokenReference.SECURITY_TOKEN_REFERENCE, WSConstants.WSSE_NS);
        if (node == null) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo");
        }
        // The reference identifies which BinarySecurityToken holds the signer's certificate
        SecurityTokenReference secRef = new SecurityTokenReference((Element) node);
        // Check SignatureValue and the reference digests with the certificate's public key
        boolean valid = xmlSignature.checkSignatureValue(pkCert);
        System.out.println(valid ? "Signature is valid." : "Signature is not valid.");
        return valid;
    }
First question is how to validate the SOAP message?
Second question is how to get the Binary Security Token value, which will then
be used to create an X509Certificate object (and how to create this object from
the binary security token)?
Please have a look at the SignatureProcessor we use in WSS4J:
https://svn.apache.org/repos/asf/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
Third is how to do authentication?
To authenticate the user using his/her X.509 cert you will have to
hold the user's cert information at the service. This can simply
be a keystore with the trusted certs.
Now when you verify the signature you can check your trust store at the
service to see whether the signature uses a certificate that you
trust. If you can find a match then you have the user authenticated.
Thanks,
Ruchith
--
www.ruchith.org
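As an added example (not code from this thread and not WSS4J's own), the three questions above worked through in one class against the standard JDK APIs (javax.xml.crypto.dsig for the signature, java.security.cert for the certificate and the trust decision) rather than the Apache XML Security classes used in the snippet. It assumes one wsse:BinarySecurityToken and one ds:Signature in the envelope, references by wsu:Id, a JKS trust store holding the trusted certs as Ruchith describes, and no revocation checking; the class name and the command-line file names are placeholders.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Hypothetical class name; not part of WSS4J or the original post.
public class X509TokenAuth {
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

    /** Question 2: decode the base64 DER inside wsse:BinarySecurityToken into an X509Certificate. */
    static X509Certificate certFromBinarySecurityToken(Document doc) throws Exception {
        NodeList bsts = doc.getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken");
        if (bsts.getLength() != 1) throw new SecurityException("expected exactly one BinarySecurityToken");
        Element bst = (Element) bsts.item(0);
        if (!X509V3.equals(bst.getAttribute("ValueType")))
            throw new SecurityException("unsupported ValueType: " + bst.getAttribute("ValueType"));
        byte[] der = Base64.getMimeDecoder().decode(bst.getTextContent().trim());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** Question 3: authenticated only if the cert is pinned in, or chains to an anchor in, the trust store. */
    static boolean isTrusted(X509Certificate cert, KeyStore trustStore) throws Exception {
        cert.checkValidity();                                            // expired / not yet valid -> exception
        if (trustStore.getCertificateAlias(cert) != null) return true;   // exact match on a trusted entry
        PKIXParameters params = new PKIXParameters(trustStore);          // trusted entries become trust anchors
        params.setRevocationEnabled(false);                              // assumption: no CRL/OCSP source here
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(Collections.singletonList(cert)), params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    /** Question 1: validate ds:Signature with the token's public key and require it to cover the SOAP Body. */
    static boolean verifySignature(Document doc, PublicKey signerKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) throw new SecurityException("expected exactly one ds:Signature");
        Node sigNode = sigs.item(0), parent = sigNode.getParentNode();
        if (!WSSE_NS.equals(parent.getNamespaceURI()) || !"Security".equals(parent.getLocalName()))
            throw new SecurityException("ds:Signature is not inside wsse:Security");
        // Register wsu:Id as an ID attribute so Reference URI="#id" resolves, and reject duplicate
        // Ids: a second element carrying the Body's Id is the classic signature-wrapping trick.
        Set<String> seen = new HashSet<>();
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!e.hasAttributeNS(WSU_NS, "Id")) continue;
            if (!seen.add(e.getAttributeNS(WSU_NS, "Id"))) throw new SecurityException("duplicate wsu:Id");
            e.setIdAttributeNS(WSU_NS, "Id", true);
        }
        DOMValidateContext ctx = new DOMValidateContext(signerKey, sigNode);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;                            // SignatureValue or a digest is wrong
        // A valid signature over some other element proves nothing: the Body, the direct child
        // of the Envelope, must be one of the signed references.
        Element body = null;
        for (Node n = doc.getDocumentElement().getFirstChild(); n != null; n = n.getNextSibling())
            if (n.getNodeType() == Node.ELEMENT_NODE && "Body".equals(n.getLocalName())) body = (Element) n;
        String bodyId = body == null ? "" : body.getAttributeNS(WSU_NS, "Id");
        if (bodyId.isEmpty()) throw new SecurityException("SOAP Body carries no wsu:Id");
        for (Object ref : sig.getSignedInfo().getReferences())
            if (("#" + bodyId).equals(((Reference) ref).getURI())) return true;
        throw new SecurityException("signature does not cover the SOAP Body");
    }

    public static void main(String[] args) throws Exception {
        // usage (file names are placeholders): java X509TokenAuth signed-envelope.xml truststore.jks password
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));
        KeyStore trustStore = KeyStore.getInstance("JKS");               // assumption: a JKS trust store
        try (InputStream in = new FileInputStream(args[1])) { trustStore.load(in, args[2].toCharArray()); }

        X509Certificate cert = certFromBinarySecurityToken(doc);
        if (!isTrusted(cert, trustStore))
            throw new SecurityException("untrusted certificate: " + cert.getSubjectX500Principal());
        if (!verifySignature(doc, cert.getPublicKey())) throw new SecurityException("signature check failed");
        System.out.println("Authenticated " + cert.getSubjectX500Principal());
    }
}
```

Two points a practitioner should keep in mind. The check that the signed references include the Body is as important as the signature check itself: a cryptographically valid signature over a timestamp or a dummy element still leaves the Body unauthenticated, and duplicate wsu:Id values are how signature-wrapping attacks redirect a reference to a harmless copy of the element while the real one is processed. Second, recent JDKs enable XML signature secure validation by default and reject SHA-1 based algorithms, so a client signing with rsa-sha1 in the 2006 style will fail validate() until it moves to rsa-sha256 or the policy is explicitly relaxed.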
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]