Date: Mon, 17 Oct 2011 10:18:42 +0100
Subject: Re: CXF interceptors - dynamic usage?
From: Colm O hEigeartaigh
To: users@cxf.apache.org

> I'm reading about "useReqSigCert" - is this something that will help me?
> It will encrypt with the same cert as the one used in the signature, but to
> read the signature - doesn't my app need to know what certificate to use?

No, as to verify a signature you only need to be in possession of some
trusted issuer of the cert associated with the signature. So if you have a
server application and lots of different clients, ideally your server
application will have a few trusted certs in its truststore to use to
verify digital signatures. You can then use "useReqSigCert" to encrypt the
response using the same cert as was used to verify the signature.

Colm.

On Fri, Oct 14, 2011 at 11:13 PM, nkunkov wrote:
> I think I have to clarify my message a bit.
>
> My application will be both a web service client and a web service server.
>
> I implemented web service security using the interceptors and it works when
> my application is a client. Since it knows where it sends the request it
> can give the interceptor an alias for the keystore and the right certificate
> will be used for encryption.
>
> But I'm struggling to implement security when my application is a server.
> The requests will be coming in from different clients. I need a way to
> identify each client to pass the interceptor the alias name so it can get
> the right certificate. Or is there a way to do this seamlessly?
>
> I'm reading about "useReqSigCert" - is this something that will help me?
> It will encrypt with the same cert as the one used in the signature, but to
> read the signature - doesn't my app need to know what certificate to use?
>
> I may not be understanding the security and the CXF very well so bear with
> me...
> Any help will be appreciated...
>
> Thank you,
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-interceptors-dynamic-usage-tp4903991p4904085.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>

--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com/apache
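
Added example, not part of the original thread and not code from the CXF project: a server-side interceptor setup matching the reply above, where inbound signatures are verified against a truststore and the response is encrypted with "useReqSigCert" instead of a per-client alias. The properties file names and the password callback class are hypothetical placeholders, and the client is assumed to sign and encrypt its requests.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;

public final class ServerSecurityConfig {

    private ServerSecurityConfig() { }

    /** Attach WS-Security interceptors to a CXF service endpoint. */
    public static void secure(Endpoint endpoint) {
        // Inbound: verify the client's signature and decrypt the body.
        Map<String, Object> in = new HashMap<String, Object>();
        in.put("action", "Signature Encrypt");
        // Truststore with the trusted issuer certs; no per-client alias is set.
        in.put("signaturePropFile", "server-truststore.properties");   // placeholder
        // Keystore with the server's own private key, used for decryption.
        in.put("decryptionPropFile", "server-keystore.properties");    // placeholder
        // Supplies the private key password (hypothetical class name).
        in.put("passwordCallbackClass",
               "com.example.ServerKeystorePasswordCallback");
        endpoint.getInInterceptors().add(new WSS4JInInterceptor(in));

        // Outbound: encrypt the response to whoever signed the request.
        Map<String, Object> out = new HashMap<String, Object>();
        out.put("action", "Encrypt");
        // Instead of a fixed keystore alias, reuse the cert that the inbound
        // interceptor verified for this particular request.
        out.put("encryptionUser", "useReqSigCert");
        out.put("encryptionPropFile", "server-truststore.properties"); // placeholder
        endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(out));
    }
}
```

Because any certificate that chains to an issuer in the truststore will verify and then receive an encrypted response, keep that truststore limited to the issuers whose clients the service is meant to accept.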