From Susan Liebeskind <>
Subject Migrating WS-Security JAX-WS service from Metro to CXF - Metro wss SubjectAccessor class equivalent in CXF
Date Wed, 24 Aug 2016 19:41:57 GMT
I need to migrate a SOAP-WS web service hosted on the Metro web service 
stack, version to Apache CXF 3.1.6. I'm trying to determine 
where some of the facilities I've used in Metro for WS-Security using 
X509 certs have equivalents in Apache CXF and so far, I'm coming up short.


We sign our outgoing client packets with an X.509 cert, and the server 
on the other end validates that signature, thanks to the WS-Security 
libraries in the web service runtime. I have a requirement to audit the 
CN of the certificate used to sign the incoming request which means I 
need to pull that out in the application itself.

With Metro I was able to get the CN out this way

In the class annotated with @WebService(endpointInterface=foo)
I had an instance variable annotated like this

@Resource // JAX-WS injection annotation; dropped from the archived message
private WebServiceContext wsContext;

In my application code, I ended up doing this, at the high level:

import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.Subject;
import com.sun.xml.wss.SubjectAccessor;
//from webservices-rt-2.2.1-1.jar
        // the right-hand sides of the next two lines are truncated in the
        // archived message; the standard Metro calls are shown here
        Subject subj = SubjectAccessor.getRequesterSubject(wsContext);
        Set<X509Certificate> creds = subj.getPublicCredentials(X509Certificate.class);

        // am able to make some assumptions about which cred in the set
        // is the signing one

Alas... I'm not seeing anything as straightforward as the SubjectAccessor 
class in Apache CXF thus far.

Went to my usual go-to place, the totally awesome Glen Mazza web 
service blog, and seeing this. Of course, 
that entry is almost 4 years old and things might well have changed for 
Apache CXF 3.1.6. In any case, it doesn't look quite as easy as the 
SubjectAccessor class

I've checked out the CXF git repo and am wandering through the systests 
to see if I can find the example that will show me how best to do this.  
If there is an easy way to have the web service retrieve the CN of the 
signing certificate used in the Web service client, I'd be grateful if 
someone could point me in the general direction.



I will be hosting this service on a RHEL7 host/Tomcat7/Java 8, and I can 
modify the WSDL to have different WS-SecurityPolicy statements in it, if 
need be.
Using Guice 3.0 as our dependency injection framework and really don't 
want to bring Spring in if I don't have to.

Thanks in advance.
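The CXF-side counterpart of the Metro SubjectAccessor lookup, as an added example that is not part of the original message and not code from the CXF project. It assumes CXF 3.1.x with the DOM-based WSS4J 2.1 interceptors (WSS4JInInterceptor or the policy-driven PolicyBasedWSS4JInInterceptor), which store their verification results on the CXF Message under WSHandlerConstants.RECV_RESULTS; the WSSecurityEngineResult import below is the WSS4J 2.1 package (in WSS4J 2.0 the class lived in org.apache.wss4j.dom). The class name SigningCertAuditor and its method names are hypothetical. The certificate returned for the Signature action is the one WSS4J already verified and trust-checked against the server truststore, so it is the validated signer rather than a value the client merely asserted.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;

/**
 * Hypothetical helper (not CXF API): reads the certificate that signed the
 * current inbound request out of the WSS4J results CXF leaves on the message.
 */
public final class SigningCertAuditor {

    private SigningCertAuditor() {
    }

    /**
     * Returns the X.509 certificate recorded for the WS-Security Signature
     * action, or null when the current request carried no verified signature.
     * Call this from inside the @WebService method; CXF keeps the in-flight
     * Message on the invoking thread.
     */
    public static X509Certificate signingCertificate() {
        Message msg = PhaseInterceptorChain.getCurrentMessage();
        if (msg == null) {
            return null; // not running inside a CXF invocation
        }
        @SuppressWarnings("unchecked")
        List<WSHandlerResult> handlerResults =
                (List<WSHandlerResult>) msg.get(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            return null; // no WSS4J in-interceptor processed this request
        }
        // One WSHandlerResult per actor/role; each holds the per-action results.
        for (WSHandlerResult hr : handlerResults) {
            for (WSSecurityEngineResult r : hr.getResults()) {
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action == null || action.intValue() != WSConstants.SIGN) {
                    continue; // skip Timestamp, Encrypt, BinarySecurityToken, ...
                }
                X509Certificate cert =
                        (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (cert != null) {
                    return cert; // first verified signature wins
                }
            }
        }
        return null;
    }

    /**
     * Extracts the CN attribute from the certificate's subject DN using an
     * RFC 2253 parser instead of splitting the DN string on commas, so an
     * escaped comma or quoted value inside another attribute cannot confuse it.
     */
    public static String commonName(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null; // subject has no CN attribute
    }

    /** Example audit line for the current request; uses the constructed prefix "wss-audit". */
    public static String auditLine() throws InvalidNameException {
        X509Certificate cert = signingCertificate();
        if (cert == null) {
            return "wss-audit signer=none";
        }
        // CN alone is not unique across CAs, so record issuer and serial with it.
        return "wss-audit signerCN=" + commonName(cert)
                + " issuer=" + cert.getIssuerX500Principal().getName()
                + " serial=" + cert.getSerialNumber().toString(16);
    }
}
```

Two caveats for the migration: the streaming (StAX) WS-Security implementation in CXF publishes SecurityEvents rather than populating RECV_RESULTS, so this lookup only applies to the DOM-based interceptors, and a message carrying more than one signature yields several SIGN results, so the "first wins" rule above should be replaced by whatever rule matches the policy in the WSDL.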


