Posted to users@cxf.apache.org by adam_j_bradley <ad...@yahoo.com> on 2008/04/13 09:59:13 UTC
Q: WS-Security X.509 Certificate Token Profile
After finally working out the remote web service required the use of the
WS-Security X.509 Certificate Token Profile (duh!) I've been eagerly trying
to find a working example.
I have found
http://www.nabble.com/client-SSL-question-td15564062.html#a15769013 - thanks
Khaled! - which covers off the use of the USERNAME_TOKEN but
not the use of an X.509 Certificate. I did a bit of digging around in the
test cases for both CXF and WSS4J and I'm sure there's an example there, but
I couldn't find it.
Any help/advice greatly appreciated.
Thanks in advance.
Adam
--
View this message in context: http://www.nabble.com/Q%3A-WS-Security-X.509-Certificate-Token-Profile-tp16656740p16656740.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Q: WS-Security X.509 Certificate Token Profile
Posted by Fred Dushin <fr...@dushin.net>.
Even this?
<!-- -->
<!-- This bean is an Out interceptor which will add a Timestamp, -->
<!-- sign the Timestamp and Body, and then encrypt the Timestamp -->
<!-- and Body. It uses 3DES as the symmetric key algorithm. -->
<!-- -->
<bean
    class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
    id="TimestampSignEncrypt_Request">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <!-- <entry key="action" value="Timestamp Signature"/> -->
            <entry key="user" value="alice"/>
            <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/security/alice.properties"/>
            <entry key="encryptionPropFile" value="org/apache/cxf/systest/ws/security/bob.properties"/>
            <entry key="encryptionUser" value="Bob"/>
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
            <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
            <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <!-- -->
            <!-- Recommendation: signatures should be encrypted -->
            <!-- -->
            <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <!-- <entry key="encryptionKeyTransportAlgorithm" value="RSA15"/> -->
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
        </map>
    </constructor-arg>
</bean>
<!-- -->
<!-- This bean is an In interceptor which validates a signed, -->
<!-- encrypted, and timestamped response. -->
<!-- -->
<bean
    class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
    id="TimestampSignEncrypt_Response">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/security/bob.properties"/>
            <entry key="decryptionPropFile" value="org/apache/cxf/systest/ws/security/alice.properties"/>
            <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
        </map>
    </constructor-arg>
</bean>
On Apr 14, 2008, at 2:51 AM, adam_j_bradley wrote:
>
> Fred,
>
> Thanks for the tip. Forgive me (I'm most likely wrong!) but that
> looked like
> a Username token not an X.509 token request. I've been digging
> around in
> http://xfire.codehaus.org/WS-Security but I can't see any wisdom
> there.
>
> Anything else?
> :)
>
> Sincerely,
> Adam
>
>
>
> Fred Dushin-3 wrote:
>>
>> All I can recommend is that you have a look at the WS-Security system
>> test in CXF:
>>
>> http://svn.apache.org/repos/asf/incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/
>>
>> It's based loosely off a WS-Security interoperability scenario with
>> WCF, and uses signature with the DirectReference method, which will
>> send the client's X.509 certificate directly in the SOAP header.
>>
>
> --
> View this message in context: http://www.nabble.com/Q%3A-WS-Security-X.509-Certificate-Token-Profile-tp16656740p16671272.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>
Re: Q: WS-Security X.509 Certificate Token Profile
Posted by adam_j_bradley <ad...@yahoo.com>.
Fred,
Thanks for the tip. Forgive me (I'm most likely wrong!) but that looked like
a Username token not an X.509 token request. I've been digging around in
http://xfire.codehaus.org/WS-Security but I can't see any wisdom there.
Anything else?
:)
Sincerely,
Adam
Fred Dushin-3 wrote:
>
> All I can recommend is that you have a look at the WS-Security system
> test in CXF:
>
> http://svn.apache.org/repos/asf/incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/
>
> It's based loosely off a WS-Security interoperability scenario with
> WCF, and uses signature with the DirectReference method, which will
> send the client's X.509 certificate directly in the SOAP header.
>
--
View this message in context: http://www.nabble.com/Q%3A-WS-Security-X.509-Certificate-Token-Profile-tp16656740p16671272.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Q: WS-Security X.509 Certificate Token Profile
Posted by Fred Dushin <fr...@dushin.net>.
All I can recommend is that you have a look at the WS-Security system
test in CXF:
http://svn.apache.org/repos/asf/incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/
It's based loosely off a WS-Security interoperability scenario with
WCF, and uses signature with the DirectReference method, which will
send the client's X.509 certificate directly in the SOAP header.
-Fred
On Apr 13, 2008, at 3:59 AM, adam_j_bradley wrote:
>
> After finally working out the remote web service required the use of
> the
> WS-Security X.509 Certificate Token Profile (duh!) I've been eagerly
> trying
> to find a working example.
>
> I have found
> http://www.nabble.com/client-SSL-question-td15564062.html#a15769013
> - thanks
> Khaled! - which covers off the use of the
> USERNAME_TOKEN but
> not the use of an X.509 Certificate. I did a bit of digging around
> in the
> test cases for both CXF and WSS4J and I'm sure there's an example
> there, but
> I couldn't find it.
>
> Any help/advice greatly appreciated.
>
> Thanks in advance.
> Adam
> --
> View this message in context: http://www.nabble.com/Q%3A-WS-Security-X.509-Certificate-Token-Profile-tp16656740p16656740.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>
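Added example, not part of the original thread and not CXF or WSS4J code: a structural check that tells whether a signed request carries an X.509 token by DirectReference, as Fred describes, and which elements the signature covers. The envelope is a constructed skeleton of the sign-only ("Timestamp Signature") variant with placeholder certificate data and made-up wsu:Id values; the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: digests, signature value and certificate bytes are
# omitted or placeholders, so this shows structure only.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="CertId-1" ValueType="{x509}">PLACEHOLDER-BASE64-CERT</wsse:BinarySecurityToken>
  <wsu:Timestamp wsu:Id="Timestamp-2"><wsu:Created>2008-04-14T00:00:00Z</wsu:Created></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#Timestamp-2"/><ds:Reference URI="#Body-3"/>
   </ds:SignedInfo>
   <ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#CertId-1" ValueType="{x509}"/>
   </wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-3"/>
</soap:Envelope>""".format(x509=X509V3, **NS)


def describe_signing_token(envelope_xml):
    """Report the token type the signature points at and the signed element names.

    This inspects references only; it does not verify the signature.
    """
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return {"token": None, "signed": []}
    # DirectReference: KeyInfo holds a wsse:Reference to a token in the same header.
    ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    target = ref.get("URI", "")[1:] if ref is not None else None
    token = None
    for bst in sec.findall("wsse:BinarySecurityToken", NS):
        if bst.get(WSU_ID) == target and bst.get("ValueType") == X509V3:
            token = "X509v3"
    # Map every wsu:Id in the message to its element's local name.
    by_id = {el.get(WSU_ID): el.tag.split("}")[1] for el in root.iter() if el.get(WSU_ID)}
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed = sorted(by_id.get(r.get("URI", "")[1:], "?") for r in refs)
    return {"token": token, "signed": signed}
```

With the page's "Timestamp Signature Encrypt" action the ds:Signature element is itself encrypted on the wire, so a check like this applies after decryption or to the sign-only variant.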