cxf-dev mailing list archives

From Fred Dushin <>
Subject Re: Can CXF encrypt the soap:header and soap:body with different keys?
Date Tue, 09 Sep 2008 15:49:05 GMT
Glen, I think it's going to depend a lot on how your nodes are architected. For example, if your intermediate is not co-located with your target, but it needs access to the encrypted payload for any reason (for example, just to make it far enough through the CXF interceptor chain), then you are going to be up the creek without the private key needed to decrypt the message. Questions like this have been coming up a lot in the WSS4J list, and my first inclination is to steer the user away from Axis or CXF for their intermediates, and instead use something like Camel, which would allow you to process only the parts of the message you care about.

If your intermediate and target entities are essentially co-located, then you could probably chain the WSS4JInInterceptors in the way you suggest, though I haven't done this myself. I have chained calls to the low-level WSS4J APIs, though, and I'm fairly certain that works, though you'd need to split your wss:Security headers using distinct actor attributes, so that WSS4J will process only the headers targeted for a specific entity.


On Sep 8, 2008, at 6:23 PM, Glen Mazza wrote:

> Hello, I'm not sure how important a use case this is, but does CXF have the ability to encrypt the soap:header differently from the soap:body? Perhaps a typical example might be accessing bank account information--an intermediary node (with its own private key) could be used to check the SAML or other security token specified in the soap:header while the business service (with a different private key) could decrypt the actual bank account information in the soap:body. In this case, the client would need to encrypt the soap:header and soap:body with different public keys for this system to work.
>
> I would guess a way to implement this would be to configure two WSS4JOutInterceptors[1], specifying different encryptionParts (one for header, one for body)--would that be workable? If necessary, I can add a JIRA enhancement request for this.
>
> I think I'll ask the same question on the Metro list for this.
>
> Regards,
> Glen
>
> [1]
> (Step 5, substep 1)
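The configuration Glen proposes, as an added illustration that is not from this thread or from the CXF project: two WSS4JOutInterceptors on the client, each encrypting one part of the message for one recipient's public key and each tagged with a distinct actor, which is the split Fred's reply says the receiving side needs. The keystore properties file, the certificate aliases and the token header element are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

public final class SplitKeyEncryption {

    // SOAP 1.1 envelope namespace, used in the encryptionParts selector for the Body.
    private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Assumed namespace of the header element that carries the security token.
    private static final String TOKEN_NS = "urn:example:tokens";

    /** One out-interceptor that encrypts a single part for a single recipient. */
    static WSS4JOutInterceptor encryptPartFor(String actor, String recipientAlias, String parts) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        // Distinct actor per wsse:Security header, so a recipient's WSS4JInInterceptor
        // configured with the same actor processes only the header addressed to it.
        props.put(WSHandlerConstants.ACTOR, actor);
        // Alias of the recipient's certificate in the client's keystore (assumed names).
        props.put(WSHandlerConstants.ENCRYPTION_USER, recipientAlias);
        props.put(WSHandlerConstants.ENC_PROP_FILE, "client-crypto.properties");
        // Selector syntax: {Content|Element}{namespace}LocalName
        props.put(WSHandlerConstants.ENCRYPTION_PARTS, parts);
        return new WSS4JOutInterceptor(props);
    }

    /** Wires both interceptors onto a JAX-WS client proxy. */
    static void configure(Object port) {
        Client client = ClientProxy.getClient(port);
        // Security token in the header: encrypted for the intermediary's key only.
        client.getOutInterceptors().add(encryptPartFor("intermediary", "intermediary-cert",
                "{Element}{" + TOKEN_NS + "}Token"));
        // Bank account data in the body: encrypted for the business service's key only.
        client.getOutInterceptors().add(encryptPartFor("service", "service-cert",
                "{Content}{" + SOAP_NS + "}Body"));
    }
}
```

Each receiving node then registers a WSS4JInInterceptor whose WSHandlerConstants.ACTOR matches its own header, so it decrypts only the part encrypted for its key and leaves the other header untouched.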
