cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Olivier OTTAVI" <olivier.ott...@gmail.com>
Subject Re: WS-Signature with server encryption
Date Sun, 16 Dec 2007 00:37:18 GMT
This is pretty bad, because it is a common scenario in mutual authentication
- the fact is also that this feature is integreted by the WSS4J library but
only for the Axis version (WSDoAllReceiver.java) and is handled properely
with the handleSpecialUser of the WSHandler class , nothing has been done
inside of CXF to do integration with this feature. There is a lack of
support and integration here between CXF and WSS4J, on the specific feature
useReqSigCert which is in my opinion very sensitive. This should again in my
opinion clearly appear on the wiki, to avoid misschoice between open source
webservice stacks for potential users.

On 12/15/07, Fred Dushin <fred@dushin.net> wrote:
>
> To my knowledge, there isn't, no, and this is a very compelling use
> case.
>
> I'd suggest doing this programatically through a collection of
> interceptors, one which places the client's public key on the
> Exchange after the inbound interceptor has consumed the message, and
> another that programatically configures the OutInterceptor on the
> outbound response interceptor chain, using the key you've placed on
> the exchange.
>
> The wrinkle in all of this is that CXF uses WSS4J, which IMO is
> pretty limited in its ability to configure keys.  Worse, CXF uses the
> WSS4J Handler architecture, which makes invalid assumptions about
> keys are retrieved.
>
> So I guess I'm saying I don't know how feasible my proposal is, but
> it's the avenue of investigation I'd start with, if I were to do what
> you are trying to do.  (And I've considered it as a possibility)
>
> Hope that helps more than it discourages you!
> -Fred
>
> On Dec 15, 2007, at 11:57 AM, Olivier OTTAVI wrote:
>
> > Hi,
> >
> >  I have a server with WS-Security enabled on WSS4J, in order to handle
> > signature and encryption of the soap message.
> >
> >  The client encrypt the soap message with server public key, and
> > sign it
> > with its private key. The server validate signature with public
> > client key
> > and decrypt it with its private key.
> >
> >  Then the response is sent to the client - signed by the private
> > server key
> > and encrypted with the client public key.
> >
> >  It works well, but the only thing that bother me, is that the server
> > encryption has to be done by setting up the "encryption user"
> > property with
> > the client name. Since this name is changing for each request, I
> > don't know
> > where to put this information. I would like to have the public key
> > of the
> > client that signed the request directly used to encrypt the
> > response, is
> > there a simple way to achieve this behavior ?
> >
> > Thanks
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message