Posted to users@cxf.apache.org by Martin Nielsen <mn...@gmail.com> on 2015/03/06 10:36:14 UTC

Alternative key sources using asymmetric security?

Looking at WS-Security asymmetric encryption, I was wondering if it is
possible in some way to configure CXF to look somewhere else than a Java
keystore for the key information.

Say that you have a case where you need to add web services to an
application that already has a public key for all its users in a database,
for example. Would it be possible to have CXF look for a public key in the
database instead of a keystore?

-Martin

RE: Alternative key sources using asymmetric security?

Posted by Andrei Shakirin <as...@talend.com>.
Hi Martin,

You can start/deploy the XKMS service either in a web container (xkms-war component) or in OSGi (xkms-osgi component). It is a "normal" SOAP service.
CXF provides file-system-based (default) and LDAP backend implementations for XKMS.

To integrate XKMS in your application you need to configure a SOAP XKMS client, inject it into XkmsCryptoProvider and use this Crypto provider instead of the keystore-based Merlin.

The best way to understand how it works is to look into the system test:
https://github.com/apache/cxf/tree/master/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/xkms
with configuration:
https://github.com/apache/cxf/tree/master/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/xkms

For OSGi deployment, please take a look at the itests: https://github.com/apache/cxf/tree/master/services/xkms/xkms-itests

You can find some additional information in my blogs:
http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html 
http://ashakirin.blogspot.de/2013/07/cxf-security-integrate-pki-to-security.html 

Regards,
Andrei.

> -----Original Message-----
> From: Martin Nielsen [mailto:mnybon@gmail.com]
> Sent: Sunday, 8 March 2015 22:28
> To: users@cxf.apache.org
> Subject: Re: Alternative key sources using asymmetric security?
> 
> One more question: Concerning XKMS.
> I am having a hard time finding a tutorial or documentation of how to add the
> XKMS service into an application. I found a list of XKMS artifacts, but I have yet
> to find something that describes how to actually use the service in context.
> Do you have any good material on that?

Re: Alternative key sources using asymmetric security?

Posted by Martin Nielsen <mn...@gmail.com>.
One more question: Concerning XKMS.
I am having a hard time finding a tutorial or documentation of how to add
the XKMS service into an application. I found a list of XKMS artifacts, but
I have yet to find something that describes how to actually use the
service in context. Do you have any good material on that?

On Sun, Mar 8, 2015 at 12:21 AM, Martin Nielsen <mn...@gmail.com> wrote:

> I want the key or alias passed through to the method body.
> I have a case where a key infrastructure is already in place, and the
> public key of the sender is used for further evaluation in the backend.
> If I can get the alias or key for the caller passed to the method on the
> backend, then I can use that key to authenticate the user without the need
> for further user credentials.
>
> So I would like something along the lines of:
> @webservice
> public interface SEI{
> public ReturnVal doStuff(String/PublicKey alias, Object inVal)
> ...
>
> Where alias is provided by the CXF runtime, and not visible to the WSDL
> or client.
> If I have to pick it out of the interceptor chain or something, that's
> fine too, I am not picky.
>
> Thanks for the sustained interest:)

Re: Alternative key sources using asymmetric security?

Posted by Martin Nielsen <mn...@gmail.com>.
Thank you very much for your help:)

On Mon, Mar 9, 2015 at 3:23 PM, Andrei Shakirin <as...@talend.com>
wrote:

> Hi Martin,
>
> I don't think it is a really good idea to extend the business service interface
> with a certificate.
> You can extract the client certificate used for the request signature either in an
> interceptor or from your business code using WebServiceContext.
> Code will look like:
>
>    List<WSHandlerResult> results =
>              CastUtils.cast((List<?>) message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
>    if (results != null) {
>             X509Certificate cert = getReqSigCert(results);
>    }
>
>     private static X509Certificate getReqSigCert(List<WSHandlerResult> results) {
>         /*
>         * Scan the results for a matching actor. Use results only if the
>         * receiving Actor and the sending Actor match.
>         */
>         for (WSHandlerResult rResult : results) {
>             List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
>             /*
>             * Scan the results for the first Signature action. Use the
>             * certificate of this Signature to set the certificate for the
>             * encryption action :-).
>             */
>             for (WSSecurityEngineResult wser : wsSecEngineResults) {
>                 Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
>                 if (actInt.intValue() == WSConstants.SIGN) {
>                     return (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
>                 }
>             }
>         }
>         return null;
>     }
>
> It is copy&paste from https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java.
>
> I would suggest extracting the certificate in your own interceptor; just take care
> that this interceptor is called after WSS4J in the incoming chain.
>
> Regards,
> Andrei.

RE: Alternative key sources using asymmetric security?

Posted by Andrei Shakirin <as...@talend.com>.
Hi Martin,

I don't think it is a really good idea to extend the business service interface with a certificate.
You can extract the client certificate used for the request signature either in an interceptor or from your business code using WebServiceContext.
Code will look like:

   // Imports assume CXF 3.x with WSS4J 2.1 or later (older releases use
   // org.apache.wss4j.dom.WSSecurityEngineResult or the org.apache.ws.security.* packages).
   import java.security.cert.X509Certificate;
   import java.util.List;
   import org.apache.cxf.helpers.CastUtils;
   import org.apache.wss4j.dom.WSConstants;
   import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
   import org.apache.wss4j.dom.handler.WSHandlerConstants;
   import org.apache.wss4j.dom.handler.WSHandlerResult;

   // WSS4J stores its verified results on the *in* message of the exchange.
   List<WSHandlerResult> results =
             CastUtils.cast((List<?>) message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
   if (results != null) {
            X509Certificate cert = getReqSigCert(results);   // null if the request carried no signature
   }

    private static X509Certificate getReqSigCert(List<WSHandlerResult> results) {
        /*
        * Scan the results for a matching actor. Use results only if the
        * receiving Actor and the sending Actor match.
        */
        for (WSHandlerResult rResult : results) {
            List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
            /*
            * Scan the results for the first Signature action. Use the
            * certificate of this Signature to set the certificate for the
            * encryption action :-).
            */
            for (WSSecurityEngineResult wser : wsSecEngineResults) {
                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
                // TAG_ACTION is always set by WSS4J; the null guard only protects the unboxing.
                if (actInt != null && actInt.intValue() == WSConstants.SIGN) {
                    return (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        return null;
    }

It is copy&paste from https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java.

I would suggest extracting the certificate in your own interceptor; just take care that this interceptor is called after WSS4J in the incoming chain.

Regards,
Andrei.
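The interceptor approach recommended above, written out as an added example (it is not code from this thread or from the CXF project): a CXF inbound interceptor that runs after WSS4J, publishes the certificate that signed the request on the message, and a hypothetical service implementation that reads it through WebServiceContext instead of taking it as a WSDL-visible parameter. The package names assume CXF 3.x with WSS4J 2.1 or later; the property name, the Greeter class and the fail-closed handling of unsigned requests are this example's own choices.

```java
import java.security.cert.X509Certificate;
import java.util.List;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;

// Added example, not code from the thread or from CXF. Assumes CXF 3.x with WSS4J 2.1+
// (older releases: org.apache.wss4j.dom.WSSecurityEngineResult or org.apache.ws.security.*).
public class RequestSignerInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Message/context property carrying the signer certificate (name chosen for this example). */
    public static final String REQUEST_SIGNER_CERT = "example.request.signer.cert";

    public RequestSignerInterceptor() {
        // WSS4J's inbound interceptors run in PRE_PROTOCOL; PRE_INVOKE is a later phase,
        // so RECV_RESULTS is already populated when handleMessage runs.
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        List<WSHandlerResult> results =
            CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
        X509Certificate signer = findRequestSignerCert(results);
        if (signer == null) {
            // A policy that requires a signature rejects such requests earlier; failing here
            // as well keeps the business method from running without an authenticated caller.
            throw new Fault(new SecurityException("request is not signed with an X.509 certificate"));
        }
        message.put(REQUEST_SIGNER_CERT, signer);
    }

    /** Certificate of the first verified SIGN action in the WSS4J results, or null if none. */
    static X509Certificate findRequestSignerCert(List<WSHandlerResult> results) {
        if (results == null) {
            return null;
        }
        for (WSHandlerResult handlerResult : results) {
            for (WSSecurityEngineResult r : handlerResult.getResults()) {
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && action == WSConstants.SIGN) {
                    return (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        return null;
    }
}

// Hypothetical service implementation: the caller's certificate comes from the JAX-WS
// message context, so the SEI and the WSDL stay unchanged.
@WebService
class GreeterImpl {
    @Resource
    private WebServiceContext context;

    public String greet(String name) {
        X509Certificate caller = (X509Certificate) context.getMessageContext()
            .get(RequestSignerInterceptor.REQUEST_SIGNER_CERT);
        // Map the subject (or the whole certificate) onto a user in your own key store here;
        // no further credentials are needed because WSS4J already verified signature and trust.
        String subject = caller.getSubjectX500Principal().getName();
        return "Hello " + name + ", authenticated as " + subject;
    }
}
```

Register the interceptor on the endpoint (for example with factory.getInInterceptors().add(new RequestSignerInterceptor()) on the JaxWsServerFactoryBean, or the @InInterceptors annotation on the implementation class). The certificate is only as trustworthy as the checks WSS4J already performed: the signature was verified and the certificate passed the Crypto's trust verification, and the policy (or WSS4JInInterceptor configuration) has to require the body to be signed, otherwise a SIGN result may refer to a signature over some other part of the message.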

> -----Original Message-----
> From: Martin Nielsen [mailto:mnybon@gmail.com]
> Sent: Sunday, 8 March 2015 00:22
> To: users@cxf.apache.org
> Subject: RE: Alternative key sources using asymmetric security?
> 
> I want the key or alias passed through to the method body.
> I have a case where a key infrastructure is already in place, and the public key
> of the sender is used for further evaluation in the backend.
> If I can get the alias or key for the caller passed to the method on the backend,
> then I can use that key to authenticate the user without the need for further
> user credentials.
> 
> So I would like something along the lines of:
> @webservice
> public interface SEI{
> public ReturnVal doStuff(String/PublicKey alias, Object inVal) ...
> 
> Where alias is provided by the CXF runtime, and not visible to the WSDL or
> client.
> If I have to pick it out of the interceptor chain or something, that's fine too, I
> am not picky.
> 
> Thanks for the sustained interest:)

RE: Alternative key sources using asymmetric security?

Posted by Martin Nielsen <mn...@gmail.com>.
I want the key or alias passed through to the method body.
I have a case where a key infrastructure is already in place, and the
public key of the sender is used for further evaluation in the backend.
If I can get the alias or key for the caller passed to the method on the
backend, then I can use that key to authenticate the user without the need
for further user credentials.

So I would like something along the lines of:
@webservice
public interface SEI{
public ReturnVal doStuff(String/PublicKey alias, Object inVal)
...

Where alias is provided by the CXF runtime, and not visible to the WSDL or
client.
If I have to pick it out of the interceptor chain or something, that's fine
too, I am not picky.

Thanks for the sustained interest:)
On 7 Mar 2015 20:34, "Andrei Shakirin" <as...@talend.com> wrote:

> Hi Martin,
>
> I assume you would like to get the client certificate on the service side to
> use it for encryption of the response, correct?
> If yes, I would first of all evaluate using the "useReqSigCert" constant as
> the value of the "ws-security.encryption.username" property on the server side.
> In this case the service will extract the client certificate from the request and use
> it to encrypt the response. This approach is very convenient on the server
> side to encrypt responses for different clients. In this case you don't
> need to look up the client certificate on the server side at all; the service will get
> the certificate and proceed with encryption automatically.
> Is this close to your question? If not, please elaborate your use case a
> bit more.
>
> Regards,
> Andrei.

RE: Alternative key sources using asymmetric security?

Posted by Andrei Shakirin <as...@talend.com>.
Hi Martin,

I assume you would like to get the client certificate on the service side to use it for encryption of the response, correct?
If yes, I would first of all evaluate using the "useReqSigCert" constant as the value of the "ws-security.encryption.username" property on the server side.
In this case the service will extract the client certificate from the request and use it to encrypt the response. This approach is very convenient on the server side to encrypt responses for different clients. In this case you don't need to look up the client certificate on the server side at all; the service will get the certificate and proceed with encryption automatically.
Is this close to your question? If not, please elaborate your use case a bit more.

Regards,
Andrei.

> -----Original Message-----
> From: Martin Nielsen [mailto:mnybon@gmail.com]
> Sent: Saturday, 7 March 2015 13:32
> To: users@cxf.apache.org
> Subject: RE: Alternative key sources using asymmetric security?
> 
> Great!
> 
> I will get right on that..
> As a bonus question, I was wondering, is it possible to make either the calling
> public key or alias (or anything that uniquely identifies the key) available to the
> method being invoked by CXF when the client calls a service?
> Optimally, I would like it defined as a method parameter, but I'm not picky.
> 
> And thank you :)

RE: Alternative key sources using asymmetric security?

Posted by Martin Nielsen <mn...@gmail.com>.
Great!

I will get right on that..
As a bonus question, I was wondering, is it possible to make either the
calling public key or alias (or anything that uniquely identifies the key)
available to the method being invoked by CXF when the client calls a
service?
Optimally, I would like it defined as a method parameter, but I'm not
picky.

And thank you :)
On 6 Mar 2015 18:11, "Andrei Shakirin" <as...@talend.com> wrote:

> Hi Martin,
>
> Yes, for sure. You need to provide your own implementation of the WSS4J Crypto
> interface.
> Btw, CXF supports the XKMS standard to get public keys as an alternative to a
> keystore.
> You can take this either as an example of a Crypto implementation:
> https://github.com/apache/cxf/blob/master/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/provider/XkmsCryptoProvider.java
>
> or use the XKMS service to manage your certificates:
> http://cxf.apache.org/docs/xml-key-management-service-xkms.html
>
> Regards,
> Andrei.

RE: Alternative key sources using asymmetric security?

Posted by Andrei Shakirin <as...@talend.com>.
Hi Martin,

Yes, for sure. You need to provide your own implementation of the WSS4J Crypto interface.
Btw, CXF supports the XKMS standard to get public keys as an alternative to a keystore.
You can take this either as an example of a Crypto implementation: https://github.com/apache/cxf/blob/master/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/provider/XkmsCryptoProvider.java

or use the XKMS service to manage your certificates: http://cxf.apache.org/docs/xml-key-management-service-xkms.html

Regards,
Andrei.


> -----Original Message-----
> From: Martin Nielsen [mailto:mnybon@gmail.com]
> Sent: Friday, 6 March 2015 10:36
> To: users@cxf.apache.org
> Subject: Alternative key sources using asymmetric security?
> 
> Looking at WS-Security asymmetric encryption, I was wondering if it is possible
> in some way to configure CXF to look somewhere else than a Java keystore for
> the key information.
>
> Say that you have a case where you need to add web services to an application
> that already has a public key for all its users in a database, for example. Would
> it be possible to have CXF look for a public key in the database instead of a
> keystore?
> 
> -Martin
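Pulling together the three pieces of advice given in this thread (use XkmsCryptoProvider, or your own WSS4J Crypto, in place of the keystore-based Merlin; keep the service's own keys in a keystore; and set "useReqSigCert" as the encryption username so responses are encrypted for whoever signed the request), here is an added example of the server-side wiring in Java. It is not code from the thread or from the CXF project. It assumes CXF 3.x with WSS4J 2.x, the XKMSClientFactory.create(address, bus) factory and the XkmsCryptoProvider(XKMSPortType, Crypto) constructor as found in cxf-services-xkms-client (check both against the release you use); the EchoService class, URLs, file names, alias, passwords and policy file are placeholders.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.jws.WebService;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.annotations.Policy;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.xkms.client.XKMSClientFactory;
import org.apache.cxf.xkms.crypto.provider.XkmsCryptoProvider;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.w3._2002._03.xkms_wsdl.XKMSPortType;

// Added example, not code from the thread or from CXF. Placeholders: alias, file names,
// passwords, URLs, the policy file and the EchoService class.
public final class XkmsEndpointWiring {

    private static final String SERVICE_ALIAS = "service";

    /** The service's own key pair stays in a local keystore handled by Merlin. */
    static Crypto serviceKeystore() throws WSSecurityException {
        Properties p = new Properties();
        p.put("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.put("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.put("org.apache.wss4j.crypto.merlin.keystore.file", "service.jks");
        p.put("org.apache.wss4j.crypto.merlin.keystore.password", "keystore-pw");
        p.put("org.apache.wss4j.crypto.merlin.keystore.alias", SERVICE_ALIAS);
        return CryptoFactory.getInstance(p);
    }

    /** Crypto that resolves other parties' certificates through XKMS and falls back to the
     *  local keystore (assumed constructor: XkmsCryptoProvider(XKMSPortType, Crypto)). */
    static Crypto xkmsBackedCrypto(Bus bus, String xkmsAddress) throws WSSecurityException {
        XKMSPortType xkms = XKMSClientFactory.create(xkmsAddress, bus);
        return new XkmsCryptoProvider(xkms, serviceKeystore());
    }

    /** Hands WSS4J the private-key password it needs for signing and decryption. */
    static final class ServiceKeyPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback c : callbacks) {
                if (c instanceof WSPasswordCallback) {
                    WSPasswordCallback pc = (WSPasswordCallback) c;
                    if (SERVICE_ALIAS.equals(pc.getIdentifier())) {
                        pc.setPassword("key-pw");   // placeholder; load from a secret store
                    }
                }
            }
        }
    }

    static Map<String, Object> securityProperties(Crypto crypto) {
        Map<String, Object> props = new HashMap<>();
        props.put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
        props.put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
        props.put(SecurityConstants.SIGNATURE_USERNAME, SERVICE_ALIAS);
        props.put(SecurityConstants.CALLBACK_HANDLER, new ServiceKeyPasswordCallback());
        // Encrypt each response for the certificate that signed the request, so the
        // server never needs a per-client encryption alias.
        props.put(SecurityConstants.ENCRYPT_USERNAME, "useReqSigCert");
        return props;
    }

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getDefaultBus();
        Crypto crypto = xkmsBackedCrypto(bus, "http://localhost:9000/xkms");
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setBus(bus);
        factory.setServiceClass(EchoService.class);
        factory.setServiceBean(new EchoService());
        factory.setAddress("http://localhost:9001/echo");
        factory.setProperties(securityProperties(crypto));
        factory.create();
    }
}

// The asymmetric binding policy in the referenced file is what requires the signed and
// encrypted body and X.509 tokens; the properties above only say where keys come from.
@WebService
@Policy(uri = "classpath:asymmetric-policy.xml")
class EchoService {
    public String echo(String text) {
        return text;
    }
}
```

Splitting the roles this way keeps the service's private key out of the XKMS path: XKMS is consulted only for other parties' certificates, so the XKMS client connection deserves TLS and the Crypto's trust verification should stay enabled, since a wrong answer from that lookup is what an attacker would aim for.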