cxf-dev mailing list archives

From Fred Dushin <f...@dushin.net>
Subject Re: WS-Signature with server encryption
Date Sat, 15 Dec 2007 20:54:53 GMT
To my knowledge, there isn't, no, and this is a very compelling use case.

I'd suggest doing this programmatically through a collection of interceptors, one which places the client's public key on the Exchange after the inbound interceptor has consumed the message, and another that programmatically configures the OutInterceptor on the outbound response interceptor chain, using the key you've placed on the exchange.

The wrinkle in all of this is that CXF uses WSS4J, which IMO is pretty limited in its ability to configure keys. Worse, CXF uses the WSS4J Handler architecture, which makes invalid assumptions about how keys are retrieved.

So I guess I'm saying I don't know how feasible my proposal is, but it's the avenue of investigation I'd start with, if I were to do what you are trying to do. (And I've considered it as a possibility.)

Hope that helps more than it discourages you!
-Fred

On Dec 15, 2007, at 11:57 AM, Olivier OTTAVI wrote:

> Hi,
>
> I have a server with WS-Security enabled on WSS4J, in order to handle signature and encryption of the SOAP message.
>
> The client encrypts the SOAP message with the server public key, and signs it with its private key. The server validates the signature with the client public key and decrypts it with its private key.
>
> Then the response is sent to the client, signed by the private server key and encrypted with the client public key.
>
> It works well, but the only thing that bothers me is that the server encryption has to be done by setting up the "encryption user" property with the client name. Since this name is changing for each request, I don't know where to put this information. I would like to have the public key of the client that signed the request directly used to encrypt the response; is there a simple way to achieve this behavior?
>
> Thanks
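
One concrete shape of the two-interceptor approach Fred describes, as an added example and not code from CXF, WSS4J or either poster: the inbound interceptor copies the signature-verification results WSS4J leaves under RECV_RESULTS onto the Exchange, and the outbound one builds a per-response WSS4JOutInterceptor whose encryption user is WSS4J's special value useReqSigCert, so the requester's signing certificate rather than a keystore alias selects the encryption key. Assumed: CXF 2.0-era and WSS4J 1.5-era class names and that useReqSigCert reads RECV_RESULTS from the outbound message context, plus the alias "server", the two property files, the callback class and the exchange key example.reqSigResults.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

// Inbound side: runs after WSS4JInInterceptor (PRE_PROTOCOL) has verified the request
// and parks its verification results on the Exchange for the response side to use.
public class CaptureSignerInterceptor extends AbstractPhaseInterceptor<Message> {
    public static final String REQ_SIG_RESULTS = "example.reqSigResults"; // hypothetical key
    public CaptureSignerInterceptor() { super(Phase.PRE_INVOKE); }

    public void handleMessage(Message in) throws Fault {
        Object results = in.get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            // Fail closed: no verified signature means no certificate to encrypt the reply to.
            throw new Fault(new SecurityException("request carried no verified signature"));
        }
        in.getExchange().put(REQ_SIG_RESULTS, results);
    }
}

// Outbound side: builds the signing/encrypting interceptor per response, so the
// encryption certificate is the one that signed this particular request.
class EncryptToRequesterInterceptor extends AbstractPhaseInterceptor<Message> {
    public EncryptToRequesterInterceptor() { super(Phase.SETUP); } // before PRE_PROTOCOL

    public void handleMessage(Message out) throws Fault {
        Object results = out.getExchange().get(CaptureSignerInterceptor.REQ_SIG_RESULTS);
        if (results == null) {
            throw new Fault(new SecurityException("no requester certificate on the exchange"));
        }
        // With encryptionUser=useReqSigCert, WSS4J takes the encryption certificate from the
        // signature entry of RECV_RESULTS instead of resolving an alias through its Crypto.
        out.put(WSHandlerConstants.RECV_RESULTS, results);
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
        props.put(WSHandlerConstants.USER, "server");                          // assumed signing alias
        props.put(WSHandlerConstants.SIG_PROP_FILE, "server_sign.properties"); // assumed
        props.put(WSHandlerConstants.ENC_PROP_FILE, "server_enc.properties");  // assumed
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS, "example.ServerKeyPasswordCallback"); // assumed
        props.put(WSHandlerConstants.ENCRYPTION_USER, WSHandlerConstants.USE_REQ_SIG_CERT);
        out.getInterceptorChain().add(new SAAJOutInterceptor());
        out.getInterceptorChain().add(new WSS4JOutInterceptor(props));
    }
}
```

Both interceptors are registered on the server endpoint (the first on the in chain, the second on the out chain) alongside the existing WSS4JInInterceptor that verifies and decrypts the request.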

