cxf-users mailing list archives

From Andrei Shakirin <ashaki...@talend.com>
Subject RE: How to use ws-security info per sending soap message in CXF?
Date Thu, 13 Dec 2012 12:08:59 GMT
Hi Ed,

As I already wrote, you don't even need the interceptor to change the properties.
You can do it in your client when sending the message:

AddNumbers port = (AddNumbers)service.getPort(portName, AddNumbers.class);
((BindingProvider)port).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, <new property location>);

However, if you would like to do it in an interceptor, you can pass the necessary information with
message properties using the same technique.

The most standard and recommended way to control security in CXF is using WS-Policy.
You can also apply it dynamically at runtime. If this approach is interesting for you, I can
provide further information on how to set WS-Policy dynamically.

Cheers,
Andrei.

> -----Original Message-----
> From: Ed Bras [mailto:zooi@debrasjes.com]
> Sent: Donnerstag, 13. Dezember 2012 10:31
> To: users@cxf.apache.org
> Subject: RE: How to use ws-security info per sending soap message in CXF?
> 
> Thanks for your answer.
> I understand how I can change security properties in an interceptor.
> The problem is: how do I know when to change these properties?
> 
> When I send a soap message, I know which security settings should be used.
> But how do I attach these security settings to a soap message such that they
> can be read by an interceptor and can use them?
> 
> - Ed
> 
> > -----Original Message-----
> > From: Andrei Shakirin [mailto:ashakirin@talend.com]
> > Sent: woensdag 12 december 2012 18:10
> > To: users@cxf.apache.org
> > Cc: zooi@debrasjes.com
> > Subject: RE: How to use ws-security info per sending soap message in CXF?
> >
> > Hi,
> >
> > a) jaxws client
> > 1) You can set message property:
> > SecurityConstants.ENCRYPT_PROPERTIES and dynamically update property file
> > location:
> > message.put(SecurityConstants.ENCRYPT_PROPERTIES, <new property location>);
> > WSS4J will automatically use these properties.
> >
> > It is possible to do it either in custom interceptor (should be called before
> > WSS4JOutInterceptor) or in client logic via:
> >
> > ((BindingProvider)proxy).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, <new property location>).
> >
> > Cons of this solution: you are still restricted to use
> > keystore.properties file.
> >
> > 2) More generic solution is implement own CryptoProvider (implements
> > wss4j CryptoBase interface) and set this implementation in
> > SecurityConstants.ENCRYPT_CRYPTO message property. In provider implementation
> > you can get certificates and private keys whatever you want: from keystore,
> > remotely from service, etc.
> >
> > b) http conduit
> > TLS parameters can be also configured programmatically:
> > Client c = ClientProxy.getClient(port);
> > HTTPConduit conduit = (HTTPConduit) c.getConduit();
> > TLSClientParameters tlsParams = new TLSClientParameters();
> > ...
> > conduit.setTlsClientParameters(tlsParams);
> >
> > see
> > http://blog.progs.be/71/cxf-simple-frontend-allow-all-ssl-certificates-and-set-basic-authentication-credentials
> > for details.
> >
> > I hope this can help.
> >
> > Cheers,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Ed Bras [mailto:zooi@debrasjes.com]
> > > Sent: Mittwoch, 12. Dezember 2012 15:16
> > > To: users@cxf.apache.org
> > > Subject: How to use ws-security info per sending soap message in CXF?
> > >
> > > Please some advice on the following requirement:
> > > I like to be able to dynamically change/set the ws-security info per
> > > sending soap message in cxf. How can this best be done.
> > >
> > > Details: I want to change settings like keystore name, keystore
> > > alias, password, host name, etc.. during runtime, preferable per
> > > sending message.
> > >
> > > Currently I am using: jaxws client with WSS4JOutInterceptor and
> > > WSS4JInInterceptor interceptor for signing. And I am using http
> > > conduit with tls client parameters for SSL/TLS communications. Both
> > > the jaxws client and http conduit are configured in spring and have
> > > their configuration like keystore name, alias and password set in
> > > the Spring config.
> > >
> > > I see options:
> > > 1) I change these settings during runtime through a global property.
> > > 2) I change these settings per sending message (preferable).
> > >
> > > 2) Is preferable but most difficult I think. How should I do this?
> > >
> > > I was thinking about:
> > > a) jaxws client: make my own in- and out interceptor that intercepts
> > > a message and use the correct (cached) WSS4JOutInterceptor
> > > interceptor depending on the security settings that that message
> > > requires. If the WSS4JOutInterceptor interceptor doesn't exist in
> > > cache, it's created (I probably have max 5 WSS4JOutInterceptor instances
> > > cached).
> > > However, how can I determine which settings are required in my
> > > interceptor as that is known in another part of the app when
> > > talking to the @Webservice proxy to create and send the soap
> > > request/message... Maybe I could be able to add some kind of
> > > securityInfo object to the soap message through the
> > > JaxWsClientProxy, but how ?... Or maybe I can set the interceptors
> > > when sending/creating the soap message when this security info is
> > > still known.
> > > This will then be a light weight interceptor containing the required
> > > settings, linking to the cached interceptors, that is selected
> > > depending on the settings...
> > >
> > > b) http conduit: using a ConduitSelector (never used it but will
> > > find out), such that I am able to select the correct http conduit,
> > > but I have the same problem as in (a): "How to determine which
> > > settings I should use" as they are known when creating/sending a
> > > soap message and the interceptors are set later...
> > > Probably I have to set a conduit selector per sending message..
> > >
> > > Please some advice?
> > > - Ed
> 
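As an added illustration of the approach discussed in this thread (not code from the thread or from the CXF project): the client tags a call with a profile name in the request context, and an out interceptor resolves that name against a fixed allowlist and sets SecurityConstants.ENCRYPT_PROPERTIES before WSS4J runs, so callers never pass a raw file path. SecurityProfileInterceptor, PROFILE_KEY, install and selectProfile are hypothetical names; the code assumes a CXF release that uses the javax.xml.ws API.

```java
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;

/** Resolves a per-call profile name to a crypto properties location. */
public class SecurityProfileInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Hypothetical request-context key; not a CXF constant. */
    public static final String PROFILE_KEY = "example.security.profile";

    private final Map<String, String> profiles; // profile name -> properties location

    public SecurityProfileInterceptor(Map<String, String> profiles) {
        super(Phase.SETUP); // first outbound phase, so this runs before WSS4JOutInterceptor
        this.profiles = new HashMap<>(profiles); // copy: later changes by the caller have no effect
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Request-context entries set on the proxy are visible as message properties.
        Object name = message.getContextualProperty(PROFILE_KEY);
        String location = (name == null) ? null : profiles.get(name.toString());
        if (location == null) {
            // Fail closed: no fallback to a default or previously used keystore.
            throw new Fault(new IllegalStateException("Unknown security profile: " + name));
        }
        // The property the thread says WSS4J picks up for this message.
        message.put(SecurityConstants.ENCRYPT_PROPERTIES, location);
    }

    /** One-time setup for a proxy: register the interceptor, isolate contexts per thread. */
    public static void install(Object port, Map<String, String> profiles) {
        ClientProxy.getClient(port).getOutInterceptors().add(new SecurityProfileInterceptor(profiles));
        // Without this flag a shared proxy has one request context for all threads,
        // so one caller's profile could be applied to another caller's message.
        ((BindingProvider) port).getRequestContext().put("thread.local.request.context", "true");
    }

    /** Call before each invocation to choose the settings for that message. */
    public static void selectProfile(Object port, String profileName) {
        ((BindingProvider) port).getRequestContext().put(PROFILE_KEY, profileName);
    }
}
```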

