axis-java-user mailing list archives

From yueyue <wy...@mailbox.gxnu.edu.cn>
Subject Re: [Axis2] rampart encryption and multiple clients
Date Thu, 20 Dec 2007 00:29:31 GMT

Thanks very much, Nunny. I understand what you mean. :handshake:

Nunny wrote:
> 
> Hi  yueyue,
> 
>> I have a question: if the certificate is in the key store, how does the
>> server know who a client user is?
> 
> 
> There are a number of key referencing mechanisms defined in the WSS and
> WS-SecurityPolicy specifications. You can use a subject key identifier,
> issuer serial, thumbprint key identifier, etc. This information is
> unique, so we can get the referenced certificate from the key store using
> these references.
> 
> eg.
> 
> Key referenced using a subject key identifier reference :
> 
> <!-- the wsse prefix "o" must be declared somewhere in scope; in a real message it
>      is normally declared on the wsse:Security header, here it is declared inline -->
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
>          xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>   <o:SecurityTokenReference>
>     <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">Xeg55vRyK3ZhAEhEf+YT0z986L0=</o:KeyIdentifier>
>   </o:SecurityTokenReference>
> </KeyInfo>
> 
> Key referenced using a thumbprint reference :
> 
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
>          xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>   <o:SecurityTokenReference>
>     <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#ThumbprintSHA1">NQM0IBvuplAtETQvk+6gn8C13wE=</o:KeyIdentifier>
>   </o:SecurityTokenReference>
> </KeyInfo>
> 
> Thanks,
> Nandana
> 
> 
>>
>> Regards,
>>
>> yueyue
>>
>>
>> Nunny wrote:
>> >
>> > Hi Kent,
>> >
>> >> This won't work if the client is unknown (being unknown is fine as long
>> >> as the certificate can be verified by a trusted CA). Is rampart designed
>> >> to be used for known/fixed clients only?
>> >
>> >
>> > No, Rampart can be used in this kind of scenario. You have to set the
>> > encryption user as
>> >
>> > <encryptionUser>useReqSigCert</encryptionUser>.
>> >
>> > Then the certificate used to sign the request message will be used to
>> > encrypt the response message.
>> > If the certificate is not in the key store it has to be sent with the
>> > request as a binary token (according to the token inclusion property of
>> > the security token defined in the security policy).
>> >
>> > Regards,
>> > Nandana
>> >
>> >
>> >
>> >>
>> >> Thanks!
>> >>
>> >> -----
>> >> --
>> >> Kent Tong
>> >> Wicket tutorials freely available at http://www.agileskills2.org/EWDW
>> >> --
>> >> View this message in context:
>> >>
>> http://www.nabble.com/-Axis2--rampart-encryption-and-multiple-clients-tp14289084p14289084.html
>> >> Sent from the Axis - User mailing list archive at Nabble.com.
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/-Axis2--rampart-encryption-and-multiple-clients-tp14289084p14409381.html
>> Sent from the Axis - User mailing list archive at Nabble.com.
>>
>>
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/-Axis2--rampart-encryption-and-multiple-clients-tp14289084p14428302.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org
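The lookup step Nandana describes (turning the value of an o:KeyIdentifier into an entry of the server's key store) as an added example in plain Java; this is not Rampart or WSS4J code. It assumes a JKS or PKCS12 key store whose path and password are given on the command line, and it reproduces the two reference forms from the thread: the SHA-1 thumbprint of the DER-encoded certificate, and the SubjectKeyIdentifier extension (OID 2.5.29.14).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Rampart/WSS4J code): builds the lookup tables a WSS
 * server needs to resolve an <o:KeyIdentifier> to a key store alias.
 * Assumption: args[0] is the key store path, args[1] its password.
 */
public class KeyIdentifierResolver {

    // base64(SubjectKeyIdentifier) -> alias, and base64(SHA-1 thumbprint) -> alias
    private final Map<String, String> bySki = new HashMap<>();
    private final Map<String, String> byThumbprint = new HashMap<>();

    public KeyIdentifierResolver(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;   // skip secret-key entries
            X509Certificate cert = (X509Certificate) c;
            byThumbprint.put(thumbprintSha1(cert), alias);
            byte[] ski = subjectKeyIdentifier(cert);
            if (ski != null) {                                // not every certificate carries the extension
                bySki.put(Base64.getEncoder().encodeToString(ski), alias);
            }
        }
    }

    /** #ThumbprintSHA1: base64 of SHA-1 over the DER encoding of the whole certificate. */
    static String thumbprintSha1(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    /** #X509SubjectKeyIdentifier: raw value of extension 2.5.29.14, or null if absent. */
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) return null;
        // getExtensionValue returns the DER OCTET STRING that wraps the extension body;
        // the SKI body is itself an OCTET STRING, so two headers are stripped.
        byte[] inner = derOctetStringContents(ext);
        return derOctetStringContents(inner);
    }

    /** Minimal DER decoder for one OCTET STRING (tag 0x04), short or long length form. */
    static byte[] derOctetStringContents(byte[] der) {
        if (der[0] != 0x04) throw new IllegalArgumentException("not a DER OCTET STRING");
        int len = der[1] & 0xFF;
        int offset = 2;
        if (len > 0x80) {                       // long form: low 7 bits give the length-of-length
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[offset++] & 0xFF);
        }
        byte[] out = new byte[len];
        System.arraycopy(der, offset, out, 0, len);
        return out;
    }

    /** Resolve a KeyIdentifier's ValueType and text to an alias; null when nothing matches. */
    public String resolve(String valueType, String keyIdentifier) {
        String value = keyIdentifier.trim();
        if (valueType.endsWith("#X509SubjectKeyIdentifier")) return bySki.get(value);
        if (valueType.endsWith("#ThumbprintSHA1")) return byThumbprint.get(value);
        return null;   // unsupported reference type: reject rather than guess
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        KeyIdentifierResolver resolver = new KeyIdentifierResolver(ks);
        // Print the reference values each entry would be matched by, then resolve one of them back.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            String thumb = thumbprintSha1(cert);
            System.out.println(alias + "  ThumbprintSHA1=" + thumb
                    + "  resolves to " + resolver.resolve("...#ThumbprintSHA1", thumb));
        }
    }
}
```

Run as `java KeyIdentifierResolver service.jks changeit` (constructed path and password). Only certificates that are already in the key store can be found this way, which is the point of the thread: with `<encryptionUser>useReqSigCert</encryptionUser>` and an unknown client, the reference resolves against the certificate carried in the request's binary security token instead, and the server still has to validate that certificate's chain against a trusted CA before encrypting the response to it.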

