cxf-users mailing list archives

From Cole Ferrier <c...@coleferrier.com>
Subject Question about x509 certificates
Date Wed, 02 Dec 2009 23:36:11 GMT
I've done some basic testing and setup with X.509 certificates, but I have a
few requirements that I'm trying to figure out how I could implement.

1) I want to be able to accept a signed (not encrypted) message without
having the public key in my keystore prior to someone calling me.
I have a service available that I can go and get all the public keys for
anyone, but I want to do that on demand, so that I don't have to maintain a
local key store. How could one go about doing this?

2) Then of course I need to check a revocation list, so I'm assuming I could
just use an interceptor to go and check that? or??

3) Then the question comes to authorization (since I've already done the
above to validate that I know who they are..). Should this be done in a
separate interceptor? I mean I want to authorize at the per-service or
per-operation layer, not at the whole application..
How early should I try to do this? I think I was able to get what the user
is doing on what interface:
        // operation and interface the caller invoked
        message.get(Message.WSDL_OPERATION)
        message.get(Message.WSDL_INTERFACE)
and who the user is:
        //ignore the ugly code
        // WSS4J leaves its verification results on the message under RECV_RESULTS
        Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
        WSSecurityEngineResult r = (WSSecurityEngineResult)
                ((WSHandlerResult) v.get(0)).getResults().get(0);
        WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)
                r.get(WSSecurityEngineResult.TAG_PRINCIPAL);

Then I could take the user and what they are doing and validate that they
are authorized for that operation.

Right now I tried this at Phase.USER_LOGICAL and it seems to work; is
this the right place for that?


If anyone has had to do anything like this and has sample code, I'd
appreciate it.

Cole
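
One way to do the per-operation check described in point 3, as an added example that is not code from this thread, from CXF or from WSS4J: a CXF interceptor that takes the signer's principal from the WSS4J results and the invoked operation from Message.WSDL_OPERATION, then rejects anything not on an allow-list (deny by default). It assumes the CXF 2.x / WSS4J 1.5 API used in the message; the class name, the policy map, the DN and operation name in it, and the choice of Phase.PRE_INVOKE are constructed assumptions.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/** Deny-by-default, per-operation authorization run after WSS4J has verified the signature. */
public class OperationAuthzInterceptor extends AbstractPhaseInterceptor<Message> {
    // Hypothetical policy: signer DN -> operations it may call (constructed sample entry).
    private final Map<String, Set<String>> policy =
        Collections.singletonMap("CN=alice,O=Example", Collections.singleton("getBalance"));
    public OperationAuthzInterceptor() {
        super(Phase.PRE_INVOKE); // after WSS4JInInterceptor (PRE_PROTOCOL) and UNMARSHAL
    }
    public void handleMessage(Message message) throws Fault {
        QName op = (QName) message.get(Message.WSDL_OPERATION);
        Principal signer = signerPrincipal(message);
        if (op == null || signer == null) {
            throw new Fault(new SecurityException("no verified signature or operation"));
        }
        Set<String> allowed = policy.get(signer.getName());
        if (allowed == null || !allowed.contains(op.getLocalPart())) {
            throw new Fault(new SecurityException(signer.getName() + " may not call " + op));
        }
    }
    /** Principal of the first SIGN result; do not assume results.get(0) is the signature. */
    static Principal signerPrincipal(Message message) {
        List<WSHandlerResult> handlerResults =
            (List<WSHandlerResult>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) return null;
        for (WSHandlerResult hr : handlerResults) {
            for (WSSecurityEngineResult r : (List<WSSecurityEngineResult>) hr.getResults()) {
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && (action & WSConstants.SIGN) != 0) {
                    return (Principal) r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
                }
            }
        }
        return null;
    }
}
```

The principal is handled as a plain java.security.Principal so the same check works whether WSS4J produced it from an X.509 signature or from a UsernameToken.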
