From Fred Dushin <>
Subject Re: WS-Signature with server encryption
Date Sun, 16 Dec 2007 04:12:24 GMT
How about if you submit a patch then?

On Dec 15, 2007, at 7:37 PM, Olivier OTTAVI wrote:

> This is pretty bad, because it is a common scenario in mutual
> authentication - the fact is also that this feature is integrated by the
> WSS4J library but only for the Axis version (and is handled properly
> with the handleSpecialUser of the WSHandler class); nothing has been done
> inside of CXF to do integration with this feature. There is a lack of
> support and integration here between CXF and WSS4J, on the specific
> feature useReqSigCert which is in my opinion very sensitive. This should
> again in my opinion clearly appear on the wiki, to avoid mischoice between
> open source webservice stacks for potential users.
> On 12/15/07, Fred Dushin <> wrote:
>> To my knowledge, there isn't, no, and this is a very compelling use
>> case.
>> I'd suggest doing this programmatically through a collection of
>> interceptors, one which places the client's public key on the
>> Exchange after the inbound interceptor has consumed the message, and
>> another that programmatically configures the OutInterceptor on the
>> outbound response interceptor chain, using the key you've placed on
>> the exchange.
>> The wrinkle in all of this is that CXF uses WSS4J, which IMO is
>> pretty limited in its ability to configure keys.  Worse, CXF uses the
>> WSS4J Handler architecture, which makes invalid assumptions about how
>> keys are retrieved.
>> So I guess I'm saying I don't know how feasible my proposal is, but
>> it's the avenue of investigation I'd start with, if I were to do what
>> you are trying to do.  (And I've considered it as a possibility)
>> Hope that helps more than it discourages you!
>> -Fred
>> On Dec 15, 2007, at 11:57 AM, Olivier OTTAVI wrote:
>>> Hi,
>>> I have a server with WS-Security enabled on WSS4J, in order to handle
>>> signature and encryption of the SOAP message.
>>> The client encrypts the SOAP message with the server public key, and
>>> signs it with its private key. The server validates the signature with
>>> the public client key and decrypts it with its private key.
>>> Then the response is sent to the client - signed by the private server
>>> key and encrypted with the client public key.
>>> It works well, but the only thing that bothers me is that the server
>>> encryption has to be done by setting up the "encryption user" property
>>> with the client name. Since this name is changing for each request, I
>>> don't know where to put this information. I would like to have the
>>> public key of the client that signed the request directly used to
>>> encrypt the response; is there a simple way to achieve this behavior?
>>> Thanks
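The pair of interceptors Fred sketches above (one that captures the client's signing certificate after WSS4JInInterceptor and places it on the Exchange, one that configures outbound encryption from it), written out as an added illustration that is not code from this thread, from CXF or from WSS4J. It assumes the CXF 2.x interceptor API and WSS4J 1.5's map-style WSSecurityEngineResult, and that CXF's WSS4JOutInterceptor resolves encryptionUser through WSHandler.handleSpecialUser, which reads RECV_RESULTS from the message it is handling; the Exchange key REQ_SIG_CERT is hypothetical.

```java
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/** Inbound, after WSS4JInInterceptor: keep the verified request signer's cert on the Exchange. */
public class ReqSigCertCaptureInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    public static final String REQ_SIG_CERT = "example.reqSigCert"; // hypothetical Exchange key
    public ReqSigCertCaptureInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName());
    }
    public void handleMessage(SoapMessage msg) throws Fault {
        Iterable<?> results = (Iterable<?>) msg.get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) throw new Fault(new SecurityException("request was not processed by WSS4J"));
        for (Object hr : results) {
            for (Object o : ((WSHandlerResult) hr).getResults()) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) o;
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                Object cert = r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                // Only a verified Signature action carries a key the response may be encrypted to.
                if (action != null && (action & WSConstants.SIGN) != 0 && cert != null) {
                    msg.getExchange().put(REQ_SIG_CERT, cert);                       // for application code
                    msg.getExchange().put(WSHandlerConstants.RECV_RESULTS, results); // for the outbound side
                    return;
                }
            }
        }
        throw new Fault(new SecurityException("unsigned request: no key to encrypt the response to"));
    }
}
/** Outbound, before WSS4JOutInterceptor: encrypt to that cert via WSS4J's "useReqSigCert" user. */
class ReqSigCertEncryptInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    public ReqSigCertEncryptInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addBefore(WSS4JOutInterceptor.class.getName());
    }
    public void handleMessage(SoapMessage msg) throws Fault {
        Object results = msg.getExchange().get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) throw new Fault(new SecurityException("no request signature on the Exchange"));
        msg.put(WSHandlerConstants.RECV_RESULTS, results); // where WSHandler.handleSpecialUser looks
        msg.put(WSHandlerConstants.ENCRYPTION_USER, WSHandlerConstants.USE_REQ_SIG_CERT);
    }
}
```

Both interceptors are registered on the endpoint next to WSS4JInInterceptor and WSS4JOutInterceptor. If Olivier's observation that CXF does not wire up handleSpecialUser holds for your version, the outbound half has nothing to hook into and the patch Fred asks for is still needed.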
