cxf-users mailing list archives

From Dennis Sosnoski
Subject Re: CXF WS-Trust/WS-SecureConversation security policy questions
Date Mon, 14 Oct 2013 20:38:07 GMT
And now that I've had some sleep I'll modify my earlier retraction. 
Metro, at least, does provide a way of doing the server certificate 
distribution in WSDL, but through the WS-Addressing EndpointReference 
rather than through the policy:

The bad news is that it looks like this is based on a non-standard 
called "Web Services Addressing Identity", one of the many WS-* 
technologies that was introduced but has never made it through to become 
widely supported. It looks like this is the proposal:

An OASIS technical committee was set up to handle work in this area, but 
it looks like they haven't actually produced anything:

I don't think CXF supports this particular non-standard, so it's 
irrelevant to Susan's needs, but it is an interesting idea. Clients need 
to have access to the WSDL anyway, so why not include the server 
certificate directly in the WSDL? There are obvious security issues 
involved which mean you wouldn't want to use this approach for 
highly-secure services, but the advantage of configuration-free client 
operation would be significant for services using certificates issued by 
public CAs.

   - Dennis

On 10/15/2013 12:47 AM, Dennis Sosnoski wrote:
> On 10/15/2013 12:24 AM, Dennis Sosnoski wrote:
>> ...That still leaves you distributing server certificates to clients, 
>> but you can always embed these in the policy and have the client load 
>> that from a secure source (note that I haven't tried this with CXF, 
>> but AFAIK it should work).
> Sorry, I don't think there is any way of doing this. When I wrote the 
> original response I thought I'd seen it somewhere, but after looking 
> over the WS-SecurityPolicy specifications I think I was wrong. Too bad 
> - it would be great to have a way to avoid distributing server 
> certificates to clients.
>   - Dennis
>>   - Dennis
>> Dennis M. Sosnoski
>> Java SOA and Web Services Consulting
>> CXF and Web Services Security Training
>> Web Services Jump-Start
>> On 10/14/2013 11:46 PM, Susan Liebeskind wrote:
>>> Folks,
>>> Is there a way to write WS-SecurityPolicy for WS-Trust and/or use 
>>> WS-SecureConversation in Apache CXF, such that clients and servers 
>>> using an STS could be configured WITHOUT having to provide the 
>>> server X.509 certificate to the client for message level signing 
>>> purposes?
>>> One possible approach: the client-server shared symmetric key, 
>>> vouched for by an STS, and distributed in the incoming server 
>>> request in a signed SOAP header, could be used to provide signature 
>>> validation for the client when the response comes back from the server.
>>> Alternatively, if there were a way that I could send the server 
>>> certificate back to the client, in a SOAP header signed by the STS, 
>>> that might work. I realize there would be the extra overhead of 
>>> another trip to the STS for the return trip but that might be 
>>> acceptable. This approach, if it exists, would parallel the way that 
>>> the client cert gets sent to the server for the request...but I've 
>>> not been able yet to figure out how to write WS-SecurityPolicy to do 
>>> this, and am not sure if this would work with a .NET client.
>>> The third thought is that I might be trying to re-invent 
>>> WS-SecureConversation here. If WS-SecureConversation can be set up 
>>> such that I don't have to distribute client certs to servers AND 
>>> server certs to clients, that works for me.
>>> ----
>>> My requirements are to use X.509 certificates for authentication and 
>>> apply message level signatures. I will also be using 2 way TLS for 
>>> messages sent between client and server.  Those messages will pass 
>>> through XML appliances between client and server, for XML schema 
>>> validation of the payload. Therefore encryption will be at the transport 
>>> level, and not at the message level.  If you were to look at the STS 
>>> overview diagram provided in the Red Hat JBoss FuseSource 
>>> documentation (, that's basically my 
>>> setup, except I'm not encrypting at the message level.
>>> Again, if there was some way I could avoid having to distribute 
>>> client certs to servers AND server certs to clients, by using such a 
>>> symmetric key, that would be great. But so far,  I don't see a way 
>>> to get the signatures I need without putting server certs into 
>>> client truststores.  To be sure, I am new to WS-Trust, and 
>>> WS-SecureConversation. However, I don't know if my lack of obvious 
>>> solutions is because of my newbie ignorance or because it just 
>>> cannot be done.
>>> ---
>>> I'm looking more for guidance that a solution without manual 
>>> certificate distribution is possible - I don't spend a long time 
>>> trying to do something that isn't going to work.
>>> Thanks in advance to the WS-Security gurus on this list who might be 
>>> able to say "Yes, this is doable" or "No, don't bother trying 
>>> because you cannot make it work" or "Try this instead"
>>> Susan
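
The idea in the top message of this thread (a server certificate carried in the WSDL's WS-Addressing EndpointReference), sketched from the client side as an added example; it is not part of the original thread and is not CXF or Metro code. It extracts the embedded certificate and accepts it only when the WSDL's origin can vouch for it. The Identity namespace and element layout, the sample WSDL, the function names and the acceptance policy are assumptions, and a real client would still validate the certificate chain against its CA trust store.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces assumed for the WSDL / EPR / Identity layout (not shown in the thread).
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsid": "http://schemas.xmlsoap.org/ws/2006/02/addressingidentity",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="{NS['wsdl']}" xmlns:wsa="{NS['wsa']}">
 <wsdl:service name="Demo"><wsdl:port name="DemoPort" binding="DemoBinding">
  <wsa:EndpointReference><wsa:Address>https://svc.example.org/demo</wsa:Address>
   <Identity xmlns="{NS['wsid']}"><KeyInfo xmlns="{NS['ds']}"><X509Data>
    <X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate>
   </X509Data></KeyInfo></Identity>
  </wsa:EndpointReference></wsdl:port></wsdl:service></wsdl:definitions>"""

def embedded_certs(wsdl_text):
    """Map each port's endpoint address to the DER bytes of its Identity certificate."""
    # For WSDL from an untrusted source, parse with a hardened XML parser instead.
    root = ET.fromstring(wsdl_text)
    found = {}
    for epr in root.iterfind(".//wsdl:port/wsa:EndpointReference", NS):
        addr = epr.findtext("wsa:Address", default="", namespaces=NS).strip()
        b64 = epr.findtext(
            "wsid:Identity/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if addr and b64:
            found[addr] = base64.b64decode("".join(b64.split()), validate=True)
    return found

def fingerprint(der):
    """SHA-256 fingerprint of the certificate bytes, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def accept_embedded_cert(wsdl_url, address, der, pins):
    """Accept the WSDL-supplied certificate only if something vouches for the WSDL."""
    if pins.get(address) == fingerprint(der):
        return True  # fingerprint was distributed out of band
    wsdl, svc = urlparse(wsdl_url), urlparse(address)
    # Otherwise require that the WSDL came over HTTPS from the service's own host,
    # so the TLS server authentication covers the embedded certificate.
    return (wsdl.scheme == "https" and svc.scheme == "https"
            and wsdl.hostname == svc.hostname)
```

A WSDL fetched over plain HTTP, or from a host other than the service's, fails the check unless the fingerprint is pinned.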
