cxf-users mailing list archives

From Cole Ferrier <>
Subject Question about x509 certificates
Date Wed, 02 Dec 2009 23:36:11 GMT
I've done some basic testing and setup with x509 certificates, but I have a
few requirements that I'm trying to figure out how I could implement.

1) I want to be able to accept a signed (not encrypted) message without
having the public key in my keystore prior to someone calling me.
I have a service available that I can go and get all the public keys for
anyone, but I want to do that on demand, so that I don't have to maintain a
local key store. How could one go about doing this?

2) Then of course I need to check a revocation list, so I'm assuming I could
just use an interceptor to go and check that? Or??

3) Then the question comes to authorization (since I've already done the
above to validate that I know who they are..). Should this be done in a
separate interceptor? I am talking I want to authorize at the per service
layer or operation, not at the whole application..
How early should I try to do this.. I think I was able to get what the user
is doing on what interface
and who the user is:
// ignore the ugly code
// results left on the message by the WSS4J in-interceptor
Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
// first security engine result of the first handler result
WSSecurityEngineResult r = (WSSecurityEngineResult)
        ((WSHandlerResult) v.get(0)).getResults().get(0);
WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)

Then I could take the user and what they are doing and validate that they
are authorized for that operation.

Right now I tried this at the Phase.USER_LOGICAL and it seems to work. Is
this the right place for that?

If anyone has had to do anything like this and has sample code, I'd
appreciate it.
