Posted to users@servicemix.apache.org by Sebastian Gomez <sa...@gmail.com> on 2008/02/21 11:40:50 UTC

Re: Accessing WS-Security with Smart Card

Hello.

I've been very busy these last weeks, so I haven't been able to start
implementing my patch until now. I made the changes you recommended (for
which I thank you a lot), but I have run into a new problem. I'm not sure of
the scale of the problem, because I'm not sure whether I have configured the
SSLSocket correctly (mostly because of my quite limited knowledge of SSL
security). I'll tell you what the problem is, and let's hope you know where I
should be aiming to solve it:

First of all, I created a CustomKeystoreManager and a CustomKeystoreInstance
class. Then, in the HttpEndpoint, I instantiate them in the
getKeystoreManager() method. They seem to work fine until the
SSLSocketFactory is created, because when it sends the message, a
HandshakeException is thrown. Debugging, I have seen that the
CustomKeystoreInstance.getCertificate(String alias) method is never called,
so obviously, without the Certificate, the message exchange is never going
to work. After that, I undid all my changes to see where a normal message
exchange using a file certificate (*.p12 and *.jks) calls the
FileKeystoreInstance.getCertificate(String alias) method, but it doesn't
seem to do it! So my idea of implementing a new getCertificate() method
looks like it would not work.

Do you have any idea when and where the certificates are read (i.e. the call
to getCertificate() or getCertificateChain())? Should I be doing something
with the certificate before initializing the SSLContext in the
CustomKeystoreManager.createSSLServerFactory method?

Please help; this problem is blocking my progress in my project. Thanks in
advance.

Sebastian Gomez.

On Thu, Jan 24, 2008 at 1:15 AM, Guillaume Nodet <gn...@gmail.com> wrote:

> On Jan 23, 2008 6:42 PM, Sebastian Gomez <sa...@gmail.com> wrote:
>
> > Hello again.
> >
> > First of all, thanks a lot for helping me resolve this problem I've
> > encountered.
> >
> > I've been trying to locate the part of the code where I should start
> > implementing my patch, but I haven't decided yet. I agree with you on
> > modifying the getKeystoreManager() method from HttpEndpoint, but I think
> > I should rewrite the method instead of overriding it (I understand
> > overriding would mean creating a new class extending HttpEndpoint). Do
> > you think my assumption is correct, or do you really think I should
> > create a new class?
>
> Rewriting is the way to go.
>
> > I've thought about the idea of adding a KeystoreManager field to the
> > HttpEndpoint. My idea would be to add a new sslParameter in the
> > xbean.xml file, but that would mean modifying the servicemix-http.xsd,
> > wouldn't it? Would it be a problem? Doing this would allow me to do
> > something like "if (this.getSsl().getKeyStoreManager() == null)" in the
> > getKeystoreManager() method. Returning "true" would mean the parameter
> > has not been specified, so I would let the HttpComponent be initialized
> > as it has been done until now, but returning "false" would mean creating
> > and returning a new instance of the specified KeystoreManager.
> > Does this make sense to you, or am I missing something?
>
> Yeah, definitely.  The servicemix-http schema is generated automatically
> from the java source code, so adding a getter to the SslParams class will
> do the trick.
>
> > Best regards.
> >
> > Sebastian Gomez.
> >
> > On Jan 21, 2008 8:30 PM, Guillaume Nodet <gn...@gmail.com> wrote:
> >
> > > I think the easiest way would be to add a KeystoreManager field on the
> > > HttpEndpoint and override the getKeystoreManager() method from
> > > HttpEndpoint [1].
> > > It doesn't seem you actually need to work with the HttpComponent or
> > > HttpConfiguration directly.
> > >
> > > FYI, the default KeystoreManager is retrieved from the HttpComponent in
> > > the doInit() method [2].
> > >
> > > Hope this helps,
> > >
> > > [1]
> > > http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpEndpoint.java?revision=602826&view=markup
> > > [2]
> > > http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpComponent.java?revision=602826&view=markup
> > >
> > > On Jan 21, 2008 8:11 PM, Sebas Gomez <sa...@gmail.com> wrote:
> > >
> > > > Hi.
> > > >
> > > > I have decided to create the patch to configure the KeyStoreInstance
> > > > directly on the endpoint, and I would be willing to share it, but I
> > > > think I will need a little orientation. I've been trying to trace the
> > > > initialization of the http-component, but I haven't been able to find
> > > > where the KeystoreInstance is created. Would it be possible for you to
> > > > point out to me where it is done?
> > > >
> > > > Thank you.
> > > >
> > > > On Jan 21, 2008 4:45 PM, Guillaume Nodet <gn...@gmail.com> wrote:
> > > >
> > > > > Implementing a KeyStoreInstance manager is the way to go.
> > > > > Currently, the only way to configure it is to go to the JMX mbean
> > > > > associated with the servicemix-http component and change the
> > > > > keystoreManagerName to a new entry in the JNDI tree where you would
> > > > > put your own implementation.
> > > > > You'd also have to register it in the conf/jndi.xml configuration
> > > > > file.
> > > > > This is not very easy, so if you fancy providing a patch to
> > > > > configure it on the endpoint directly, I'd be happy to apply it.
> > > > >
> > > > > On Jan 18, 2008 2:31 PM, Sebas Gomez <sa...@gmail.com> wrote:
> > > > >
> > > > > > Hi.
> > > > > >
> > > > > > Thanks for the quick answer.
> > > > > >
> > > > > > I only retrieve the certificate from the card, nothing else. I
> > > > > > think the easiest way of getting the certificate would be
> > > > > > implementing a custom KeyStoreInstance, but I can't find the place
> > > > > > in the configuration of the servicemix-http component where to
> > > > > > tell ServiceMix to use it. I suppose it should be in one of the
> > > > > > sslParameters, but I don't know which one.
> > > > > >
> > > > > > The other possibility would be to subclass the servicemix-http,
> > > > > > but I think the easy solution would be the one explained in the
> > > > > > paragraph above.
> > > > > >
> > > > > > Would it be possible to implement my custom KeystoreInstance, or
> > > > > > should I be thinking of subclassing the component?
> > > > > >
> > > > > > Best regards.
> > > > > >
> > > > > > Sebastian Gomez
> > > > > >
> > > > > > On Jan 18, 2008 1:24 PM, Guillaume Nodet <gn...@gmail.com> wrote:
> > > > > >
> > > > > > > I'm not aware of anything done on this subject.
> > > > > > > What kind of data do you retrieve from the smartcard, and how?
> > > > > > > Do you simply retrieve the certificate?
> > > > > > > servicemix-http uses an abstraction on top of a keystore, so you
> > > > > > > may be able to implement your own that would delegate calls to
> > > > > > > the smartcard somehow.
> > > > > > >
> > > > > > > http://svn.apache.org/viewvc/servicemix/smx3/trunk/core/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/keystore/KeystoreInstance.java?revision=602826&view=markup
> > > > > > >
> > > > > > > On Jan 18, 2008 11:07 AM, Sebas Gomez <sa...@gmail.com> wrote:
> > > > > > >
> > > > > > > > Hello.
> > > > > > > >
> > > > > > > > I need to access a web service secured with WS-Security using
> > > > > > > > a Smart Card.
> > > > > > > > If I had the security certificate locally, I know I could set
> > > > > > > > the http:sslParameters with the path of the keystore and its
> > > > > > > > keystore password, but this is not the case.
> > > > > > > >
> > > > > > > > I suppose I will have to extend either servicemix-http or
> > > > > > > > servicemix-cxf to support reading smart cards, but I don't
> > > > > > > > know if there is an easier workaround.
> > > > > > > >
> > > > > > > > Is there anything similar already implemented? If not, I
> > > > > > > > would appreciate any kind of indication as to what would be
> > > > > > > > the best way to solve this problem.
> > > > > > > >
> > > > > > > > Best regards.
> > > > > > > >
> > > > > > > > Sebastian Gomez
>
> --
> Cheers,
> Guillaume Nodet
> ------------------------
> Blog: http://gnodet.blogspot.com/
>

Re: Accessing WS-Security with Smart Card

Posted by Guillaume Nodet <gn...@gmail.com>.
Yeah :-)  If you raise a JIRA issue and submit a patch that would be awesome.

On Wed, Feb 27, 2008 at 12:14 PM, Sebastian Gomez <sa...@gmail.com> wrote:
> Hi.
>
> I finally solved it! Now I'm able to access the SmartCard perfectly. I'll
> now try to look for a way to make my implementation more generic so anyone
> can implement a KeystoreManager for himself, in case someone gets stuck in a
> problem similar to mine. I'd be willing to share it if you think it will
> become useful.
>
> Again, thanks a lot.
>
> Sebastian Gomez.
>
> On Thu, Feb 21, 2008 at 12:49 PM, Sebastian Gomez <sa...@gmail.com> wrote:
>
> > Thanks a lot! I'll have a good look at it and I hope to be able to solve
> > the problem.
> >
> > Best regards.
> >
> > On Thu, Feb 21, 2008 at 12:35 PM, Guillaume Nodet <gn...@gmail.com> wrote:
> >
> > > Well, googling a bit, I found that Sun provides a security provider
> > > based on smart cards:
> > >   http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
> > >
> > > See
> > > http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#Login
> > > for how to create a KeyStore from the smart card.
> > >
> > > On Thu, Feb 21, 2008 at 12:24 PM, Guillaume Nodet <gn...@gmail.com> wrote:
> > >
> > > > For SSL, I think the key methods are:
> > > >   KeyStoreInstance#getKeyManager
> > > >   KeyStoreInstance#getTrustManager
> > > >
> > > > Take a look at the createSSLServerFactory method in BaseKeystoreManager,
> > > > as this is the one that creates the SSL socket using the two methods
> > > > above.
> > > >
> > > > At the end, you may have to implement the following interfaces:
> > > >   javax.net.ssl.X509TrustManager
> > > >   javax.net.ssl.X509KeyManager
> > > > and return your own instances of these interfaces in the two methods
> > > > mentioned above.
> > > >



-- 
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
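
The SSL wiring Guillaume describes above (KeyStoreInstance#getKeyManager and
#getTrustManager feeding the SSLContext that createSSLServerFactory builds, with
the card reached through the SunPKCS11 provider from the p11guide), as an added
Java example. This is not ServiceMix code and not the patch discussed in the
thread. The PKCS#11 config path, the card alias "client-cert", the trust store
path and password, and the Java 9+ Provider.configure() call are assumptions; on
the Java 5 JDK the thread refers to, the provider is created with
new sun.security.pkcs11.SunPKCS11(configPath) instead.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added example, not ServiceMix code: the KeyManager/TrustManager pair an SSLContext
// consumes, with the client key held on a smart card behind SunPKCS11. Paths, alias
// and passwords below are placeholders (assumptions), not values from the thread.
public class SmartCardSslExample {

    // KeyStore view of the card. Provider.configure() is Java 9+; on Java 5-8 use
    // "new sun.security.pkcs11.SunPKCS11(pkcs11ConfigPath)" instead.
    static KeyStore loadCardKeyStore(String pkcs11ConfigPath, char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(pkcs11ConfigPath);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // the "password" is the token PIN: this is the card login
        return ks;
    }

    // Wraps the provider's X509KeyManager so the handshake always offers one known alias
    // and every call the TLS layer makes is visible. These are the methods JSSE calls
    // during the handshake; a KeystoreInstance.getCertificate() is not on this path.
    static X509KeyManager pinAlias(final X509KeyManager delegate, final String alias) {
        return new X509KeyManager() {
            public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
                System.err.println("chooseClientAlias -> " + alias);
                return alias;
            }
            public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
                return delegate.chooseServerAlias(keyType, issuers, socket);
            }
            public X509Certificate[] getCertificateChain(String a) {
                X509Certificate[] chain = delegate.getCertificateChain(a);
                System.err.println("getCertificateChain(" + a + ") -> "
                        + (chain == null ? "null" : chain.length + " cert(s)"));
                return chain;   // null here is what ends in a handshake failure
            }
            public PrivateKey getPrivateKey(String a) {
                return delegate.getPrivateKey(a);   // a PKCS#11 handle; key bytes never leave the card
            }
            public String[] getClientAliases(String keyType, Principal[] issuers) {
                return new String[] { alias };
            }
            public String[] getServerAliases(String keyType, Principal[] issuers) {
                return delegate.getServerAliases(keyType, issuers);
            }
        };
    }

    // Counterpart of KeyStoreInstance#getKeyManager for the card. A certificate-only
    // object on the card is a trusted-cert entry, not a key entry, and cannot do client auth.
    static X509KeyManager cardKeyManager(KeyStore cardKs, String alias) throws Exception {
        if (!cardKs.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no private key object on the card for alias " + alias);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(cardKs, null);   // no per-key password: the token login already unlocked the key
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return pinAlias((X509KeyManager) km, alias);
            }
        }
        throw new IllegalStateException("SunPKCS11 returned no X509KeyManager");
    }

    // Counterpart of KeyStoreInstance#getTrustManager: trust stays in a normal file trust
    // store. Do not swap in an accept-all X509TrustManager to silence a handshake error;
    // that removes server authentication entirely.
    static TrustManager[] fileTrustManagers(String trustStorePath, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, storePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    // What createSSLServerFactory boils down to: SSLContext.init(keyManagers, trustManagers, ...).
    static SSLSocketFactory socketFactory(X509KeyManager km, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, tms, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("Card PIN: ");   // run from a terminal
        KeyStore card = loadCardKeyStore("/etc/opensc-pkcs11.cfg", pin);   // placeholder path
        X509KeyManager km = cardKeyManager(card, "client-cert");           // placeholder alias
        TrustManager[] tms = fileTrustManagers("/etc/truststore.jks", "changeit".toCharArray());
        SSLSocketFactory f = socketFactory(km, tms);
        System.out.println("client SSLSocketFactory ready: " + f.getClass().getName());
    }
}
```

The wrapper prints which X509KeyManager methods the handshake really calls: JSSE
asks chooseClientAlias, then getCertificateChain and getPrivateKey for that
alias, and never touches a KeystoreInstance.getCertificate(), which is why a
breakpoint there is never hit. If getCertificateChain returns null, or
getPrivateKey returns null because the card exposes only a certificate and no
usable private key object, the client sends an empty Certificate message and the
server aborts the handshake; running the client with -Djavax.net.debug=ssl:handshake
shows exactly that. The private key is never copied out of the token: the
PrivateKey the provider hands back is a handle, and the CertificateVerify
signature is computed on the card.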

Re: Accessing WS-Security with Smart Card

Posted by Sebastian Gomez <sa...@gmail.com>.
Hi.

I finally solved it! Now I'm able to access the SmartCard perfectly. I'll
now try to look for a way to make my implementation more generic so anyone
can implement a KeystoreManager for himself, in case someone gets stuck in a
problem similar to mine. I'd be willing to share it if you think it will
become useful.

Again, thanks a lot.

Sebastian Gomez.



> > >  >  > > > > > You'd also have to register it in the conf/jndi.xml
> > configuration
> > >  >  > > > file.
> > >  >  > > > > > This is not very easy, so if you're fancy providing a
> > patch to
> > >  >  > > > configure
> > >  >  > > > > > it
> > >  >  > > > > > on the endpoint directly, i'd be happy to apply it.
> > >  >  > > > > >
> > >  >  > > > > > On Jan 18, 2008 2:31 PM, Sebas Gomez <sa...@gmail.com>
> > wrote:
> > >  >  > > > > >
> > >  >  > > > > > > Hi.
> > >  >  > > > > > >
> > >  >  > > > > > > Thanks for the quick answer.
> > >  >  > > > > > >
> > >  >  > > > > > > I only retrieve the certificate from the card, nothing
> > else. I
> > >  >  > > think
> > >  >  > > > > the
> > >  >  > > > > > > easiest way of getting the certificate would be
> > implementing a
> > >  >  > > > custom
> > >  >  > > > > > > KeyStoreInstance but I can't find the place in the
> > configuration
> > >  >  > > of
> > >  >  > > > > the
> > >  >  > > > > > > servicemix-http component where to tell ServiceMix to
> > use it. I
> > >  >  > > > > suppose
> > >  >  > > > > > it
> > >  >  > > > > > > should be in one of the sslParameters, but I don't
> > know which
> > >  >  > one.
> > >  >  > > > > > >
> > >  >  > > > > > > The other possibility would be to subclass the
> > servicemix-http,
> > >  >  > > but
> > >  >  > > > I
> > >  >  > > > > > > think
> > >  >  > > > > > > the easy solution would be the one explained on the
> > paragraph
> > >  >  > > above.
> > >  >  > > > > > >
> > >  >  > > > > > > Would it be possible to implement my custom
> > KeystoreInstance or
> > >  >  > > > should
> > >  >  > > > > I
> > >  >  > > > > > > be
> > >  >  > > > > > > thinking of subclassing the component?
> > >  >  > > > > > >
> > >  >  > > > > > > Best regards.
> > >  >  > > > > > >
> > >  >  > > > > > > Sebastian Gomez
> > >  >  > > > > > >
> > >  >  > > > > > > On Jan 18, 2008 1:24 PM, Guillaume Nodet <
> > gnodet@gmail.com>
> > >  >  > wrote:
> > >  >  > > > > > >
> > >  >  > > > > > > > I'm not aware of anything done on this subject.
> > >  >  > > > > > > > What kind of data do you retrieve from the smartcard
> > and how ?
> > >  >  > > > > > > > Do you simply retrieve the certificate ?
> > >  >  > > > > > > > servicemix-http uses an abstraction on top of a
> > keystore so
> > >  >  > you
> > >  >  > > > may
> > >  >  > > > > be
> > >  >  > > > > > > > able to implement your own that would delegate calls
> > to the
> > >  >  > > > smartcard
> > >  >  > > > > > > > somehow.
> > >  >  > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > >
> > >  >  > > > > >
> > >  >  > > > >
> > >  >  > > >
> > >  >  > >
> > >  >  >
> > http://svn.apache.org/viewvc/servicemix/smx3/trunk/core/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/keystore/KeystoreInstance.java?revision=602826&view=markup
> > >  >  > > > > > > >
> > >  >  > > > > > > > On Jan 18, 2008 11:07 AM, Sebas Gomez <
> > sage.es@gmail.com>
> > >  >  > wrote:
> > >  >  > > > > > > >
> > >  >  > > > > > > > > Hello.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > I need to access a web service secured with
> > WS-Security
> > >  >  > using
> > >  >  > > a
> > >  >  > > > > > Smart
> > >  >  > > > > > > > > Card.
> > >  >  > > > > > > > > If I had the security certificate in local, I know
> > I could
> > >  >  > set
> > >  >  > > > the
> > >  >  > > > > > > > > http:sslParameters with the path of the keystore
> > and its
> > >  >  > > > keystore
> > >  >  > > > > > > > > password,
> > >  >  > > > > > > > > but this is not the case.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > I suppose I will have to extend either
> > servicemix-http or
> > >  >  > > > > > > servicemix-cxf
> > >  >  > > > > > > > > to
> > >  >  > > > > > > > > support reading smart cards, but I don't know if
> > there is an
> > >  >  > > > > easier
> > >  >  > > > > > > > > workaround.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > Is there anything similar already implemented? If
> > not, I
> > >  >  > would
> > >  >  > > > > > > > appreciate
> > >  >  > > > > > > > > any kind of indication as to what would be the
> > best way to
> > >  >  > > solve
> > >  >  > > > > > this
> > >  >  > > > > > > > > problem.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > Best regards.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > Sebastian Gomez
> > >  >  > > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > > > --
> > >  >  > > > > > > > Cheers,
> > >  >  > > > > > > > Guillaume Nodet
> > >  >  > > > > > > > ------------------------
> > >  >  > > > > > > > Blog: http://gnodet.blogspot.com/
> > >  >  > > > > > > >
> > >  >  > > > > > >
> > >  >  > > > > >
> > >  >  > > > > >
> > >  >  > > > > >
> > >  >  > > > > > --
> > >  >  > > > > >  Cheers,
> > >  >  > > > > > Guillaume Nodet
> > >  >  > > > > > ------------------------
> > >  >  > > > > > Blog: http://gnodet.blogspot.com/
> > >  >  > > > > >
> > >  >  > > > >
> > >  >  > > >
> > >  >  > > >
> > >  >  > > >
> > >  >  > > > --
> > >  >  > > >  Cheers,
> > >  >  > > > Guillaume Nodet
> > >  >  > > > ------------------------
> > >  >  > > > Blog: http://gnodet.blogspot.com/
> > >  >  > > >
> > >  >  > >
> > >  >  >
> > >  >  >
> > >  >  >
> > >  >  > --
> > >  >  >  Cheers,
> > >  >  > Guillaume Nodet
> > >  >  > ------------------------
> > >  >  > Blog: http://gnodet.blogspot.com/
> > >  >  >
> > >  >
> > >
> > >
> > >
> > >  --
> > >
> > >
> > > Cheers,
> > >  Guillaume Nodet
> > >  ------------------------
> > >  Blog: http://gnodet.blogspot.com/
> > >
> >
> >
> >
> > --
> >  Cheers,
> > Guillaume Nodet
> > ------------------------
> > Blog: http://gnodet.blogspot.com/
> >
>
>

Re: Accesing WS-Security with Smart Card

Posted by Sebastian Gomez <sa...@gmail.com>.
Thanks a lot! I'll have a good look at it and I hope to be able to solve the
problem.

Best regards.
On Thu, Feb 21, 2008 at 12:35 PM, Guillaume Nodet <gn...@gmail.com> wrote:

> Well, googling a bit, I found that Sun provides a security provider
> based on smart cards:
>   http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
>
> See http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#Login
> for how to create a KeyStore from the smart card.
>
> On Thu, Feb 21, 2008 at 12:24 PM, Guillaume Nodet <gn...@gmail.com>
> wrote:
> > For SSL, I think the key methods are:
> >   KeyStoreInstance#getKeyManager
> >   KeyStoreInstance#getTrustManager
> >
> >  Take a look at createSSLServerFactory method in BaseKeystoreManager as
> this is
> >  the one that creates the SSL socket using the two methods above.
> >
> >  At the end, you may have to implement the following interfaces:
> >    javax.net.ssl.X509TrustManager
> >    javax.net.ssl.X509KeyManager
> >  and return your own instances of these interfaces in the two methods
> >  mentioned above.
> >
> >
> >
> >  On Thu, Feb 21, 2008 at 11:40 AM, Sebastian Gomez <sa...@gmail.com>
> wrote:
> >  > Hello.
> >  >
> >  >  I've been very busy these last weeks therefore I haven't been able
> to start
> >  >  implementing my patch until now. I made the changes recommended (for
> which I
> >  >  thank you a lot) but I have come up to a new problem. I'm not sure
> of the
> >  >  scale of the problem, because I'm not sure if I have configured the
> >  >  SSLSocket correctly (mostly because of my quite limited knowledge on
> SSL
> >  >  security). I'll tell you what the problem is and lets hope you know
> where I
> >  >  should be aiming to solve it:
> >  >
> >  >  First of all I created a CustomKeystoreManager and a
> CustomKeystoreInstance
> >  >  class. Then, in the HttpEndpoint I instantiate them in the
> >  >  getKeystoreManager() method. They seem to work fine until the
> >  >  SSLSocketFactory is created, because when it sends the message, a
> >  >  HandshakeException is thrown. Debugging I have seen that the
> >  >  CustomKeystoreInstance.getCertificate(String alias) method is never
> called,
> >  >  so obviously, without the Certificate, the message exchange is never
> going
> >  >  to work. After that, I undid all my changes to see where a normal
> message
> >  >  exchange using a file certificate (*.p12 and *.jks) calls the
> >  >  FileKeystoreInstance.getCertificate(String alias) method, but it
> doesn't
> >  >  seem to do it! So my idea of implementing a new getCertificate()
> method
> >  >  looks like it would not work.
> >  >
> >  >  >  Do you have any idea when and where the Certificates are read (i.e. the call
> >  >  to getCertificate() or getCertificateChain())? Should I be doing
> something
> >  >  with the certificate before initializing the SSLContext in the
> >  >  CustomKeystoreManager.createSSLServerFactory method?
> >  >
> >  >  Please help. this problem is blocking my progress in my project.
> Thanks in
> >  >  advance.
> >  >
> >  >  Sebastian Gomez.
> >  >
> >  >
> >  > On Thu, Jan 24, 2008 at 1:15 AM, Guillaume Nodet <gn...@gmail.com>
> wrote:
> >  >
> >  >  > On Jan 23, 2008 6:42 PM, Sebastian Gomez <sa...@gmail.com>
> wrote:
> >  >  >
> >  >  > > Hello again.
> >  >  > >
> >  >  > > First of all, thanks a lot for helping me resolve this problem
> I've
> >  >  > > encountered.
> >  >  > >
> >  >  > > I've been trying to locate the part of the code where I should
> start
> >  >  > > implementing my patch but I haven't decided yet. I agree with
> you on
> >  >  > > modifying the getKeystoreManager() method from HttpEndpoint, but
> I think
> >  >  > I
> >  >  > > should rewrite the method instead of overriding it (I understand
> >  >  > > overriding
> >  >  > > would mean creating a new class extending HttpEndpoint). Do you
> think my
> >  >  > > assumption is correct or do you really think I should create a
> new
> >  >  > class?
> >  >  >
> >  >  >
> >  >  > Rewriting is the way to go
> >  >  >
> >  >  > >
> >  >  > >
> >  >  > > I've thought on the idea of adding a KeystoreManager field to
> the
> >  >  > > HttpEndpoint. My idea would be to add a new sslParameter in the
> >  >  > > xbean.xmlfile, but that would mean modifying the
> >  >  > > servicemix-http.xsd wouldn't it? Would it be a problem? Doing
> this would
> >  >  > > allow me to do something like "if (this.getSsl().getKeyStoreManager()
> ==
> >  >  > > null)" in the getKeystoreManager() method. Returning "true"
> would mean
> >  >  > the
> >  >  > > parameter has not been specified, so I would let the
> HttpComponent be
> >  >  > > initialized as it has been done until now, but returning "false"
> would
> >  >  > > mean creating and returning a new instance of the specified
> >  >  > > KeystoreManager.
> >  >  > > Does this make sense to you, or am I missing something out?
> >  >  >
> >  >  >
> >  >  > Yeah, definitely.  The servicemix-http schema is generated
> automatically
> >  >  > from the
> >  >  > java source code, so adding a getter to the SslParams class will
> do the
> >  >  > trick.
> >  >  >
> >  >  >
> >  >  > >
> >  >  > >
> >  >  > > Best regards.
> >  >  > >
> >  >  > > Sebastian Gomez.
> >  >  > >
> >  >  > >
> >  >  > >
> >  >  > >
> >  >  > > On Jan 21, 2008 8:30 PM, Guillaume Nodet <gn...@gmail.com>
> wrote:
> >  >  > >
> >  >  > > > I think the easiest way would be to add a KeystoreManager
> field on the
> >  >  > > > HttpEndpoint and override
> >  >  > > > the getKeystoreManager() method from HttpEndpoint [1].
> >  >  > > > It doesn't seem you actually need to work with the
> HttpComponent or
> >  >  > > > HttpConfiguration directly.
> >  >  > > >
> >  >  > > > FYI, the default KeystoreManager is retrieved from the
> HttpComponent in
> >  >  > > the
> >  >  > > > doInit() method [2].
> >  >  > > >
> >  >  > > > Hopes this helps,
> >  >  > > >
> >  >  > > > [1]
> >  >  > > >
> >  >  > > >
> >  >  > >
> >  >  >
> http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpEndpoint.java?revision=602826&view=markup
> >  >  > > > [2]
> >  >  > > >
> >  >  > > >
> >  >  > >
> >  >  >
> http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpComponent.java?revision=602826&view=markup
> >  >  > > >
> >  >  > > > On Jan 21, 2008 8:11 PM, Sebas Gomez <sa...@gmail.com>
> wrote:
> >  >  > > >
> >  >  > > > > Hi.
> >  >  > > > >
> >  >  > > > > I have decided to create the patch to configure the
> KeyStoreInstance
> >  >  > > > > directly on the endpoint, and I would be willing to share
> it, but I
> >  >  > > > think
> >  >  > > > > I
> >  >  > > > > will need a little orientation. I've been trying to trace
> >  >  > > > > the initialization of the http-component, but I haven't been
> able to
> >  >  > > > find
> >  >  > > > > where the KeystoreInstance is created. Would it be possible
> for you
> >  >  > to
> >  >  > > > > point
> >  >  > > > > me out where it is done?
> >  >  > > > >
> >  >  > > > > Thank you.
> >  >  > > > > On Jan 21, 2008 4:45 PM, Guillaume Nodet <gn...@gmail.com>
> wrote:
> >  >  > > > >
> >  >  > > > > > Implementing a KeyStoreInstance manager is the way to go.
> >  >  > > > > > Currently, the only way to configure it is to go to the
> JMX mbean
> >  >  > > > > > associated
> >  >  > > > > > with the servicemix-http component and change the
> >  >  > > keystoreManagerName
> >  >  > > > to
> >  >  > > > > a
> >  >  > > > > > new entry in the JNDI tree where you would put your own
> >  >  > > > implementation.
> >  >  > > > > > You'd also have to register it in the conf/jndi.xml
> configuration
> >  >  > > > file.
> >  >  > > > > > This is not very easy, so if you're fancy providing a
> patch to
> >  >  > > > configure
> >  >  > > > > > it
> >  >  > > > > > on the endpoint directly, i'd be happy to apply it.
> >  >  > > > > >
> >  >  > > > > > On Jan 18, 2008 2:31 PM, Sebas Gomez <sa...@gmail.com>
> wrote:
> >  >  > > > > >
> >  >  > > > > > > Hi.
> >  >  > > > > > >
> >  >  > > > > > > Thanks for the quick answer.
> >  >  > > > > > >
> >  >  > > > > > > I only retrieve the certificate from the card, nothing
> else. I
> >  >  > > think
> >  >  > > > > the
> >  >  > > > > > > easiest way of getting the certificate would be
> implementing a
> >  >  > > > custom
> >  >  > > > > > > KeyStoreInstance but I can't find the place in the
> configuration
> >  >  > > of
> >  >  > > > > the
> >  >  > > > > > > servicemix-http component where to tell ServiceMix to
> use it. I
> >  >  > > > > suppose
> >  >  > > > > > it
> >  >  > > > > > > should be in one of the sslParameters, but I don't know
> which
> >  >  > one.
> >  >  > > > > > >
> >  >  > > > > > > The other possibility would be to subclass the
> servicemix-http,
> >  >  > > but
> >  >  > > > I
> >  >  > > > > > > think
> >  >  > > > > > > the easy solution would be the one explained on the
> paragraph
> >  >  > > above.
> >  >  > > > > > >
> >  >  > > > > > > Would it be possible to implement my custom
> KeystoreInstance or
> >  >  > > > should
> >  >  > > > > I
> >  >  > > > > > > be
> >  >  > > > > > > thinking of subclassing the component?
> >  >  > > > > > >
> >  >  > > > > > > Best regards.
> >  >  > > > > > >
> >  >  > > > > > > Sebastian Gomez
> >  >  > > > > > >
> >  >  > > > > > > On Jan 18, 2008 1:24 PM, Guillaume Nodet <
> gnodet@gmail.com>
> >  >  > wrote:
> >  >  > > > > > >
> >  >  > > > > > > > I'm not aware of anything done on this subject.
> >  >  > > > > > > > What kind of data do you retrieve from the smartcard
> and how ?
> >  >  > > > > > > > Do you simply retrieve the certificate ?
> >  >  > > > > > > > servicemix-http uses an abstraction on top of a
> keystore so
> >  >  > you
> >  >  > > > may
> >  >  > > > > be
> >  >  > > > > > > > able to implement your own that would delegate calls to
> the
> >  >  > > > smartcard
> >  >  > > > > > > > somehow.
> >  >  > > > > > > >
> >  >  > > > > > > >
> >  >  > > > > > > >
> >  >  > > > > > >
> >  >  > > > > >
> >  >  > > > >
> >  >  > > >
> >  >  > >
> >  >  >
> http://svn.apache.org/viewvc/servicemix/smx3/trunk/core/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/keystore/KeystoreInstance.java?revision=602826&view=markup
> >  >  > > > > > > >
> >  >  > > > > > > > On Jan 18, 2008 11:07 AM, Sebas Gomez <
> sage.es@gmail.com>
> >  >  > wrote:
> >  >  > > > > > > >
> >  >  > > > > > > > > Hello.
> >  >  > > > > > > > >
> >  >  > > > > > > > > I need to access a web service secured with
> WS-Security
> >  >  > using
> >  >  > > a
> >  >  > > > > > Smart
> >  >  > > > > > > > > Card.
> >  >  > > > > > > > > If I had the security certificate in local, I know I
> could
> >  >  > set
> >  >  > > > the
> >  >  > > > > > > > > http:sslParameters with the path of the keystore and
> its
> >  >  > > > keystore
> >  >  > > > > > > > > password,
> >  >  > > > > > > > > but this is not the case.
> >  >  > > > > > > > >
> >  >  > > > > > > > > I suppose I will have to extend either
> servicemix-http or
> >  >  > > > > > > servicemix-cxf
> >  >  > > > > > > > > to
> >  >  > > > > > > > > support reading smart cards, but I don't know if
> there is an
> >  >  > > > > easier
> >  >  > > > > > > > > workaround.
> >  >  > > > > > > > >
> >  >  > > > > > > > > Is there anything similar already implemented? If
> not, I
> >  >  > would
> >  >  > > > > > > > appreciate
> >  >  > > > > > > > > any kind of indication as to what would be the best
> way to
> >  >  > > solve
> >  >  > > > > > this
> >  >  > > > > > > > > problem.
> >  >  > > > > > > > >
> >  >  > > > > > > > > Best regards.
> >  >  > > > > > > > >
> >  >  > > > > > > > > Sebastian Gomez
> >  >  > > > > > > > >
> >  >  > > > > > > >
> >  >  > > > > > > >
> >  >  > > > > > > >
> >  >  > > > > > > > --
> >  >  > > > > > > > Cheers,
> >  >  > > > > > > > Guillaume Nodet
> >  >  > > > > > > > ------------------------
> >  >  > > > > > > > Blog: http://gnodet.blogspot.com/
> >  >  > > > > > > >
> >  >  > > > > > >
> >  >  > > > > >
> >  >  > > > > >
> >  >  > > > > >
> >  >  > > > > > --
> >  >  > > > > >  Cheers,
> >  >  > > > > > Guillaume Nodet
> >  >  > > > > > ------------------------
> >  >  > > > > > Blog: http://gnodet.blogspot.com/
> >  >  > > > > >
> >  >  > > > >
> >  >  > > >
> >  >  > > >
> >  >  > > >
> >  >  > > > --
> >  >  > > >  Cheers,
> >  >  > > > Guillaume Nodet
> >  >  > > > ------------------------
> >  >  > > > Blog: http://gnodet.blogspot.com/
> >  >  > > >
> >  >  > >
> >  >  >
> >  >  >
> >  >  >
> >  >  > --
> >  >  >  Cheers,
> >  >  > Guillaume Nodet
> >  >  > ------------------------
> >  >  > Blog: http://gnodet.blogspot.com/
> >  >  >
> >  >
> >
> >
> >
> >  --
> >
> >
> > Cheers,
> >  Guillaume Nodet
> >  ------------------------
> >  Blog: http://gnodet.blogspot.com/
> >
>
>
>
> --
>  Cheers,
> Guillaume Nodet
> ------------------------
> Blog: http://gnodet.blogspot.com/
>

Re: Accesing WS-Security with Smart Card

Posted by Guillaume Nodet <gn...@gmail.com>.
Well, googling a bit, I found that Sun provides a security provider
based on smart cards:
   http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html

See http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#Login
for how to create a KeyStore from the smart card.

On Thu, Feb 21, 2008 at 12:24 PM, Guillaume Nodet <gn...@gmail.com> wrote:
> For SSL, I think the key methods are:
>   KeyStoreInstance#getKeyManager
>   KeyStoreInstance#getTrustManager
>
>  Take a look at createSSLServerFactory method in BaseKeystoreManager as this is
>  the one that creates the SSL socket using the two methods above.
>
>  At the end, you may have to implement the following interfaces:
>    javax.net.ssl.X509TrustManager
>    javax.net.ssl.X509KeyManager
>  and return your own instances of these interfaces in the two methods
>  mentioned above.
>
>
>
>  On Thu, Feb 21, 2008 at 11:40 AM, Sebastian Gomez <sa...@gmail.com> wrote:
>  > Hello.
>  >
>  >  I've been very busy these last weeks therefore I haven't been able to start
>  >  implementing my patch until now. I made the changes recommended (for which I
>  >  thank you a lot) but I have come up to a new problem. I'm not sure of the
>  >  scale of the problem, because I'm not sure if I have configured the
>  >  SSLSocket correctly (mostly because of my quite limited knowledge on SSL
>  >  security). I'll tell you what the problem is and lets hope you know where I
>  >  should be aiming to solve it:
>  >
>  >  First of all I created a CustomKeystoreManager and a CustomKeystoreInstance
>  >  class. Then, in the HttpEndpoint I instantiate them in the
>  >  getKeystoreManager() method. They seem to work fine until the
>  >  SSLSocketFactory is created, because when it sends the message, a
>  >  HandshakeException is thrown. Debugging I have seen that the
>  >  CustomKeystoreInstance.getCertificate(String alias) method is never called,
>  >  so obviously, without the Certificate, the message exchange is never going
>  >  to work. After that, I undid all my changes to see where a normal message
>  >  exchange using a file certificate (*.p12 and *.jks) calls the
>  >  FileKeystoreInstance.getCertificate(String alias) method, but it doesn't
>  >  seem to do it! So my idea of implementing a new getCertificate() method
>  >  looks like it would not work.
>  >
>  >  Do you have any idea when and where the Certificates are read (i.e. the call
>  >  to getCertificate() or getCertificateChain())? Should I be doing something
>  >  with the certificate before initializing the SSLContext in the
>  >  CustomKeystoreManager.createSSLServerFactory method?
>  >
>  >  Please help. this problem is blocking my progress in my project. Thanks in
>  >  advance.
>  >
>  >  Sebastian Gomez.
>  >
>  >
>  > On Thu, Jan 24, 2008 at 1:15 AM, Guillaume Nodet <gn...@gmail.com> wrote:
>  >
>  >  > On Jan 23, 2008 6:42 PM, Sebastian Gomez <sa...@gmail.com> wrote:
>  >  >
>  >  > > Hello again.
>  >  > >
>  >  > > First of all, thanks a lot for helping me resolve this problem I've
>  >  > > encountered.
>  >  > >
>  >  > > I've been trying to locate the part of the code where I should start
>  >  > > implementing my patch but I haven't decided yet. I agree with you on
>  >  > > modifying the getKeystoreManager() method from HttpEndpoint, but I think
>  >  > I
>  >  > > should rewrite the method instead of overriding it (I understand
>  >  > > overriding
>  >  > > would mean creating a new class extending HttpEndpoint). Do you think my
>  >  > > assumption is correct or do you really think I should create a new
>  >  > class?
>  >  >
>  >  >
>  >  > Rewriting is the way to go
>  >  >
>  >  > >
>  >  > >
>  >  > > I've thought on the idea of adding a KeystoreManager field to the
>  >  > > HttpEndpoint. My idea would be to add a new sslParameter in the
>  >  > > xbean.xmlfile, but that would mean modifying the
>  >  > > servicemix-http.xsd wouldn't it? Would it be a problem? Doing this would
>  >  > > allow me to do something like "if (this.getSsl().getKeyStoreManager() ==
>  >  > > null)" in the getKeystoreManager() method. Returning "true" would mean
>  >  > the
>  >  > > parameter has not been specified, so I would let the HttpComponent be
>  >  > > initialized as it has been done until now, but returning "false" would
>  >  > > mean creating and returning a new instance of the specified
>  >  > > KeystoreManager.
>  >  > > Does this make sense to you, or am I missing something out?
>  >  >
>  >  >
>  >  > Yeah, definitely.  The servicemix-http schema is generated automatically
>  >  > from the
>  >  > java source code, so adding a getter to the SslParams class will do the
>  >  > trick.
>  >  >
>  >  >
>  >  > >
>  >  > >
>  >  > > Best regards.
>  >  > >
>  >  > > Sebastian Gomez.
>  >  > >
>  >  > >
>  >  > >
>  >  > >
>  >  > > On Jan 21, 2008 8:30 PM, Guillaume Nodet <gn...@gmail.com> wrote:
>  >  > >
>  >  > > > I think the easiest way would be to add a KeystoreManager field on the
>  >  > > > HttpEndpoint and override
>  >  > > > the getKeystoreManager() method from HttpEndpoint [1].
>  >  > > > It doesn't seem you actually need to work with the HttpComponent or
>  >  > > > HttpConfiguration directly.
>  >  > > >
>  >  > > > FYI, the default KeystoreManager is retrieved from the HttpComponent in
>  >  > > the
>  >  > > > doInit() method [2].
>  >  > > >
>  >  > > > Hopes this helps,
>  >  > > >
>  >  > > > [1]
>  >  > > >
>  >  > > >
>  >  > >
>  >  > http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpEndpoint.java?revision=602826&view=markup
>  >  > > > [2]
>  >  > > >
>  >  > > >
>  >  > >
>  >  > http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpComponent.java?revision=602826&view=markup
>  >  > > >
>  >  > > > On Jan 21, 2008 8:11 PM, Sebas Gomez <sa...@gmail.com> wrote:
>  >  > > >
>  >  > > > > Hi.
>  >  > > > >
>  >  > > > > I have decided to create the patch to configure the KeyStoreInstance
>  >  > > > > directly on the endpoint, and I would be willing to share it, but I
>  >  > > > think
>  >  > > > > I
>  >  > > > > will need a little orientation. I've been trying to trace
>  >  > > > > the initialization of the http-component, but I haven't been able to
>  >  > > > find
>  >  > > > > where the KeystoreInstance is created. Would it be possible for you
>  >  > to
>  >  > > > > point
>  >  > > > > me out where it is done?
>  >  > > > >
>  >  > > > > Thank you.
>  >  > > > > On Jan 21, 2008 4:45 PM, Guillaume Nodet <gn...@gmail.com> wrote:
>  >  > > > >
>  >  > > > > > Implementing a KeyStoreInstance manager is the way to go.
>  >  > > > > > Currently, the only way to configure it is to go to the JMX mbean
>  >  > > > > > associated
>  >  > > > > > with the servicemix-http component and change the
>  >  > > keystoreManagerName
>  >  > > > to
>  >  > > > > a
>  >  > > > > > new entry in the JNDI tree where you would put your own
>  >  > > > implementation.
>  >  > > > > > You'd also have to register it in the conf/jndi.xml configuration
>  >  > > > file.
>  >  > > > > > This is not very easy, so if you're fancy providing a patch to
>  >  > > > configure
>  >  > > > > > it
>  >  > > > > > on the endpoint directly, i'd be happy to apply it.
>  >  > > > > >
>  >  > > > > > On Jan 18, 2008 2:31 PM, Sebas Gomez <sa...@gmail.com> wrote:
>  >  > > > > >
>  >  > > > > > > Hi.
>  >  > > > > > >
>  >  > > > > > > Thanks for the quick answer.
>  >  > > > > > >
>  >  > > > > > > I only retrieve the certificate from the card, nothing else. I
>  >  > > think
>  >  > > > > the
>  >  > > > > > > easiest way of getting the certificate would be implementing a
>  >  > > > custom
>  >  > > > > > > KeyStoreInstance but I can't find the place in the configuration
>  >  > > of
>  >  > > > > the
>  >  > > > > > > servicemix-http component where to tell ServiceMix to use it. I
>  >  > > > > suppose
>  >  > > > > > it
>  >  > > > > > > should be in one of the sslParameters, but I don't know which
>  >  > one.
>  >  > > > > > >
>  >  > > > > > > The other possibility would be to subclass the servicemix-http,
>  >  > > but
>  >  > > > I
>  >  > > > > > > think
>  >  > > > > > > the easy solution would be the one explained on the paragraph
>  >  > > above.
>  >  > > > > > >
>  >  > > > > > > Would it be possible to implement my custom KeystoreInstance or
>  >  > > > should
>  >  > > > > I
>  >  > > > > > > be
>  >  > > > > > > thinking of subclassing the component?
>  >  > > > > > >
>  >  > > > > > > Best regards.
>  >  > > > > > >
>  >  > > > > > > Sebastian Gomez
>  >  > > > > > >
>  >  > > > > > > On Jan 18, 2008 1:24 PM, Guillaume Nodet <gn...@gmail.com>
>  >  > wrote:
>  >  > > > > > >
>  >  > > > > > > > I'm not aware of anything done on this subject.
>  >  > > > > > > > What kind of data do you retrieve from the smartcard and how ?
>  >  > > > > > > > Do you simply retrieve the certificate ?
>  >  > > > > > > > servicemix-http uses an abstraction on top of a keystore so
>  >  > you
>  >  > > > may
>  >  > > > > be
>  >  > > > > > > > able to implement your own that would delegate calls to the
>  >  > > > smartcard
>  >  > > > > > > > somehow.
>  >  > > > > > > >
>  >  > > > > > > >
>  >  > > > > > > >
>  >  > > > > > >
>  >  > > > > >
>  >  > > > >
>  >  > > >
>  >  > >
>  >  > http://svn.apache.org/viewvc/servicemix/smx3/trunk/core/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/keystore/KeystoreInstance.java?revision=602826&view=markup
>  >  > > > > > > >
>  >  > > > > > > > On Jan 18, 2008 11:07 AM, Sebas Gomez <sa...@gmail.com>
>  >  > wrote:
>  >  > > > > > > >
>  >  > > > > > > > > Hello.
>  >  > > > > > > > >
>  >  > > > > > > > > I need to access a web service secured with WS-Security
>  >  > using
>  >  > > a
>  >  > > > > > Smart
>  >  > > > > > > > > Card.
>  >  > > > > > > > > If I had the security certificate in local, I know I could
>  >  > set
>  >  > > > the
>  >  > > > > > > > > http:sslParameters with the path of the keystore and its
>  >  > > > keystore
>  >  > > > > > > > > password,
>  >  > > > > > > > > but this is not the case.
>  >  > > > > > > > >
>  >  > > > > > > > > I suppose I will have to extend either servicemix-http or
>  >  > > > > > > servicemix-cxf
>  >  > > > > > > > > to
>  >  > > > > > > > > support reading smart cards, but I don't know if there is an
>  >  > > > > easier
>  >  > > > > > > > > workaround.
>  >  > > > > > > > >
>  >  > > > > > > > > Is there anything similar already implemented? If not, I
>  >  > would
>  >  > > > > > > > appreciate
>  >  > > > > > > > > any kind of indication as to what would be the best way to
>  >  > > solve
>  >  > > > > > this
>  >  > > > > > > > > problem.
>  >  > > > > > > > >
>  >  > > > > > > > > Best regards.
>  >  > > > > > > > >
>  >  > > > > > > > > Sebastian Gomez
>  >  > > > > > > > >
>  >  > > > > > > >
>  >  > > > > > > >
>  >  > > > > > > >
>  >  > > > > > > > --
>  >  > > > > > > > Cheers,
>  >  > > > > > > > Guillaume Nodet
>  >  > > > > > > > ------------------------
>  >  > > > > > > > Blog: http://gnodet.blogspot.com/



-- 
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/

Re: Accesing WS-Security with Smart Card

Posted by Guillaume Nodet <gn...@gmail.com>.
For SSL, I think the key methods are:
  KeyStoreInstance#getKeyManager
  KeyStoreInstance#getTrustManager

Take a look at createSSLServerFactory method in BaseKeystoreManager as this is
the one that creates the SSL socket using the two methods above.

At the end, you may have to implement the following interfaces:
   javax.net.ssl.X509TrustManager
   javax.net.ssl.X509KeyManager
and return your own instances of these interfaces in the two methods
mentioned above.

On Thu, Feb 21, 2008 at 11:40 AM, Sebastian Gomez <sa...@gmail.com> wrote:
> [quoted text of the message above omitted]



-- 
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
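As an added example (not code from this thread or from ServiceMix), here is the delegation Guillaume describes, written against a PKCS#11-backed KeyStore since that is how a smart card is normally exposed to Java: the class name SmartCardManagers, the SunPKCS11 configuration and the module path are assumptions, and the two managers are what a custom KeystoreInstance would hand back from getKeyManager()/getTrustManager() for createSSLServerFactory to put into the SSLContext.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.*;

/** Hypothetical helper, not ServiceMix code: builds the managers a smart-card
 *  backed KeystoreInstance could return from getKeyManager()/getTrustManager(). */
public final class SmartCardManagers {
    // Assumed SunPKCS11 config; "library" is a placeholder for the card vendor's
    // PKCS#11 module. The InputStream constructor is the Java 5/6 API of the era.
    private static final String PKCS11_CONFIG =
        "name=smartcard\nlibrary=/path/to/vendor-pkcs11-module.so\n";
    /** The card itself is the KeyStore: private keys never leave it, the PIN is the password. */
    public static KeyStore loadCardKeyStore(char[] pin) throws Exception {
        Provider p = new sun.security.pkcs11.SunPKCS11(
            new ByteArrayInputStream(PKCS11_CONFIG.getBytes("UTF-8")));
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }
    /** JSSE reads the chain through this manager (KeyStore.getCertificateChain)
     *  during the handshake, which is why KeystoreInstance.getCertificate() is never called. */
    public static X509KeyManager keyManager(KeyStore card, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(card, pin);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        }
        throw new IllegalStateException("no X509KeyManager for the card");
    }

    /** Trust comes from an ordinary CA truststore, never from the card. */
    public static X509TrustManager trustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager in truststore");
    }

    /** What createSSLServerFactory ultimately does with the two managers. */
    public static SSLContext sslContext(X509KeyManager km, X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, new TrustManager[] { tm }, null);
        return ctx;
    }
}
```

Whether the card's private key is actually used shows up in the handshake, not in KeystoreInstance: enable javax.net.debug=ssl and check that a ClientCertificate/CertificateVerify message is sent with the chain the card holds.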