Posted to users@cxf.apache.org by adam_j_bradley <ad...@yahoo.com> on 2008/04/13 09:59:13 UTC

Q: WS-Security X.509 Certificate Token Profile

After finally working out the remote web service required the use of the
WS-Security X.509 Certificate Token Profile (duh!) I've been eagerly trying
to find a working example. 

I have found
http://www.nabble.com/client-SSL-question-td15564062.html#a15769013 - thanks
Khaled! - which covers off the use of the USERNAME_TOKEN but
not the use of an X.509 Certificate. I did a bit of digging around in the
test cases for both CXF and WSS4J and I'm sure there's an example there, but
I couldn't find it.

Any help/advice greatly appreciated.

Thanks in advance.
Adam


Re: Q: WS-Security X.509 Certificate Token Profile

Posted by Fred Dushin <fr...@dushin.net>.
Even this?

     <!-- -->
     <!-- This bean is an Out interceptor which will add a Timestamp, -->
     <!-- sign the Timestamp and Body, and then encrypt the Timestamp -->
     <!-- and Body.  It uses 3DES as the symmetric key algorithm. -->
     <!-- -->
     <bean
         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
         id="TimestampSignEncrypt_Request">
         <constructor-arg>
             <map>
                 <entry key="action" value="Timestamp Signature Encrypt"/>
                 <!-- <entry key="action" value="Timestamp Signature"/> -->
                 <entry key="user" value="alice"/>
                 <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/security/alice.properties"/>
                 <entry key="encryptionPropFile" value="org/apache/cxf/systest/ws/security/bob.properties"/>
                 <entry key="encryptionUser" value="Bob"/>
                 <entry key="signatureKeyIdentifier" value="DirectReference"/>
                 <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
                 <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                 <!-- -->
                 <!-- Recommendation: signatures should be encrypted -->
                 <!-- -->
                 <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                 <!-- <entry key="encryptionKeyTransportAlgorithm" value="RSA15"/> -->
                 <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
             </map>
         </constructor-arg>
     </bean>

     <!-- -->
     <!-- This bean is an In interceptor which validates a signed, -->
     <!-- encrypted, and timestamped response. -->
     <!-- -->
     <bean
         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
         id="TimestampSignEncrypt_Response">
         <constructor-arg>
             <map>
                 <entry key="action" value="Timestamp Signature Encrypt"/>
                 <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/security/bob.properties"/>
                 <entry key="decryptionPropFile" value="org/apache/cxf/systest/ws/security/alice.properties"/>
                 <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
             </map>
         </constructor-arg>
     </bean>


On Apr 14, 2008, at 2:51 AM, adam_j_bradley wrote:
>
> Fred,
>
> Thanks for the tip. Forgive me (I'm most likely wrong!) but that  
> looked like
> a Username token not an X.509 token request. I've been digging  
> around in
> http://xfire.codehaus.org/WS-Security but I can't see any wisdom  
> there.
>
> Anything else?
> :)
>
> Sincerely,
> Ada
>
>
>
> Fred Dushin-3 wrote:
>>
>> All I can recommend is that you have a look at the WS-Security system
>> test in CXF:
>>
>> http://svn.apache.org/repos/asf/incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/
>>
>> It's based loosely off a WS-Security interoperability scenario with
>> WCF, and uses signature with the DirectReference method, which will
>> send the client's X.509 certificate directly in the SOAP header.
>>
>
>
>
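
The configuration above sets signatureKeyIdentifier to DirectReference, which puts the signer's X.509 certificate in the SOAP header as a BinarySecurityToken that the signature's KeyInfo points to. The following added example (not part of the original thread and not CXF or WSS4J code) checks a captured request for that shape; the envelope is a constructed skeleton with a placeholder instead of certificate bytes, and `describe_security_header` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# ValueType URI defined by the X.509 Certificate Token Profile 1.0
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: skeleton of a DirectReference-signed request.
# The token content is a placeholder, not a real certificate.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security>
    <wsse:BinarySecurityToken wsu:Id="CertId-1" ValueType="{X509V3}">PLACEHOLDER</wsse:BinarySecurityToken>
    <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
      <wsse:Reference URI="#CertId-1" ValueType="{X509V3}"/>
    </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def describe_security_header(envelope_xml):
    """Report which token types the wsse:Security header carries and whether
    the signature's key reference resolves to an X.509 BinarySecurityToken."""
    result = {"username_token": False, "x509_token": False, "signed_with_x509": False}
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return result
    # wsu:Id values of every BinarySecurityToken typed as an X.509v3 certificate
    x509_ids = {tok.get(WSU_ID)
                for tok in sec.findall("wsse:BinarySecurityToken", NS)
                if tok.get("ValueType") == X509V3}
    # DirectReference: KeyInfo holds a same-document URI naming the token
    refs = sec.findall(
        "ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    result["username_token"] = sec.find("wsse:UsernameToken", NS) is not None
    result["x509_token"] = bool(x509_ids)
    result["signed_with_x509"] = any(
        r.get("URI", "").lstrip("#") in x509_ids for r in refs)
    return result


if __name__ == "__main__":
    print(describe_security_header(SAMPLE))
```
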


Re: Q: WS-Security X.509 Certificate Token Profile

Posted by adam_j_bradley <ad...@yahoo.com>.
Fred,

Thanks for the tip. Forgive me (I'm most likely wrong!) but that looked like
a Username token not an X.509 token request. I've been digging around in
http://xfire.codehaus.org/WS-Security but I can't see any wisdom there.

Anything else?
:)

Sincerely,
Ada



Fred Dushin-3 wrote:
> 
> All I can recommend is that you have a look at the WS-Security system  
> test in CXF:
> 
> http://svn.apache.org/repos/asf/incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/
> 
> It's based loosely off a WS-Security interoperability scenario with  
> WCF, and uses signature with the DirectReference method, which will  
> send the client's X.509 certificate directly in the SOAP header.
> 



Re: Q: WS-Security X.509 Certificate Token Profile

Posted by Fred Dushin <fr...@dushin.net>.
All I can recommend is that you have a look at the WS-Security system  
test in CXF:

http://svn.apache.org/repos/asf/incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/

It's based loosely off a WS-Security interoperability scenario with  
WCF, and uses signature with the DirectReference method, which will  
send the client's X.509 certificate directly in the SOAP header.

-Fred

On Apr 13, 2008, at 3:59 AM, adam_j_bradley wrote:
>
> After finally working out the remote web service required the use of  
> the
> WS-Security X.509 Certificate Token Profile (duh!) I've been eagerly  
> trying
> to find a working example.
>
> I have found
> http://www.nabble.com/client-SSL-question-td15564062.html#a15769013  
> - thanks
> Khaled! - which covers off the use of the  
> USERNAME_TOKEN but
> not the use of an X.509 Certificate. I did a bit of digging around  
> in the
> test cases for both CXF and WSS4J and I'm sure there's an example  
> there, but
> I couldn't find it.
>
> Any help/advice greatly appreciated.
>
> Thanks in advance.
> Adam
>
>