Posted to users@cxf.apache.org by Faz <ar...@gmail.com> on 2013/09/20 12:04:15 UTC

WS-Security : UsernameToken(Password Digest) + Sign/Encrypt Messages

Hi All,

I was successful in setting up WS-Security with SSL, along with UsernameToken (PasswordDigest), with the below code snippet. All this works good. Now I would like to know a few things here:

1. What in CXF should be done if I change the *RequireClientCertificate* to true in *HttpsToken*?
2. I need to also have the messages encrypted and signed along with the above set-up. Would setting the *sp:OnlySignEntireHeadersAndBody* tag help me out here? I don't need X.509 certificates, but just need to encrypt and decrypt the messages. If there is any better option, please let me know. Thanks!



--
View this message in context: http://cxf.547215.n5.nabble.com/WS-Security-UsernameToken-Password-Digest-Sign-Encrypt-Messages-tp5734299.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: WS-Security : UsernameToken(Password Digest) + Sign/Encrypt Messages

Posted by Faz <ar...@gmail.com>.
Thanks Colm,

Just a quick query: is it good to expose the WSDL along with the policy? I have a WSDL created which explicitly says what WS-Security policies and specifications I have used. That said, is it a threat (security-wise) to expose them to the consumer?

If it is a threat, what would be the ways to hide it from being populated in the WSDL?


Re: WS-Security : UsernameToken(Password Digest) + Sign/Encrypt Messages

Posted by Colm O hEigeartaigh <co...@apache.org>.
1) "RequireClientCertificate" means that the service endpoint must be
configured to require a client certificate + must be set up with a
trustManager. For example, if you are using Jetty (lines 50 -> 70):

http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?view=markup

Similarly, the client needs to be configured with a keyManager to supply
the certificate, e.g. (line 111 -> 120):

http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/client/client.xml?view=markup

2) If you are using TLS/TransportBinding, then the messages are already
encrypted/signed at the Transport level. If you require message level
signature/encryption, then you need to use either a Symmetric or Asymmetric
Binding, depending on your requirements.

Colm.




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
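As an added illustration of Colm's point 1 (this is not code from the thread or from the CXF test configs he links), the Jetty engine and client conduit settings that a TLS HttpsToken with RequireClientCertificate="true" corresponds to: the server requires a client certificate and validates it against a truststore, and the client supplies its certificate through a keyManager. Keystore file names and passwords are placeholders.

```xml
<!-- Added example, not from the thread. Keystore paths and passwords are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Server side (Jetty engine): present the server certificate, and REQUIRE a
       client certificate that chains to something in the truststore. Without the
       trustManagers element the engine has nothing to validate the client cert against. -->
  <httpj:engine-factory bus="cxf">
    <httpj:engine port="9001">
      <httpj:tlsServerParameters>
        <sec:keyManagers keyPassword="SERVER_KEY_PASSWORD">
          <sec:keyStore type="JKS" password="SERVER_KEYSTORE_PASSWORD" file="server.jks"/>
        </sec:keyManagers>
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="TRUSTSTORE_PASSWORD" file="truststore.jks"/>
        </sec:trustManagers>
        <!-- want="true" alone would make the client cert optional; required="true"
             rejects the handshake when no acceptable certificate is presented. -->
        <sec:clientAuthentication want="true" required="true"/>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>

  <!-- Client side: the keyManagers supply the client certificate during the handshake;
       the trustManagers validate the server certificate. The wildcard conduit name
       applies these settings to every HTTPS endpoint the client talks to. -->
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="false">
      <sec:keyManagers keyPassword="CLIENT_KEY_PASSWORD">
        <sec:keyStore type="JKS" password="CLIENT_KEYSTORE_PASSWORD" file="client.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="TRUSTSTORE_PASSWORD" file="truststore.jks"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
```

The server and client fragments normally live in separate Spring files; they are shown together here only so the two halves of the mutual-TLS setup can be read side by side.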