Posted to users@cxf.apache.org by Cole Ferrier <co...@coleferrier.com> on 2009/12/03 00:36:11 UTC
Question about x509 certificates
I've done some basic testing and setup with x509 certificates, but i have a
few requirements that i'm trying to figure out how i could implement.
1) I want to be able to accept a signed (not encrypted) message without
having the public key in my keystore prior to someone calling me.
I have a service available that i can go and get all the public keys for
anyone, but i want to do that on demand, so that i don't have to maintain a
local key store. How could one go about doing this?
2) Then of course i need to check a revocation list, so i'm assuming i could
just use an interceptor to go and check that? or??
3) then the question comes to authorization, (since i've already done the
above to validate that i know who they are.. ) Should this be done in a
separate interceptor? I am talking i want to authorize at the per service
layer or operation, not at the whole application..
How early should i try to do this.. i think i was able to get what the user
is doing on what interface
message.get(Message.WSDL_OPERATION)
message.get(Message.WSDL_INTERFACE)
and who the user is:
//ignore the ugly code
import java.security.Principal;
import java.util.Vector;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
// one WSHandlerResult per processed Security header, one engine result per token/action
Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
WSSecurityEngineResult r = (WSSecurityEngineResult)
    ((WSHandlerResult) v.get(0)).getResults().get(0);
// an X509 signature yields the cert subject, not a WSUsernameTokenPrincipal, so cast to the supertype
Principal p = (Principal) r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
then i could take the user and what they are doing and validate that they
are authorized for that operation.
Right now i tried this at the Phase.USER_LOGICAL and it seems to work, is
this the right place for that?
If anyone has had to do anything like this and has sample code, i'd
appreciate it.
Cole
Reply: RE: Question about x509 certificates
Posted by Oliver Wulff <ol...@zurich.ch>.
Hi all
Another option might be XKMS or WS-Trust instead of a "proprietary"
protocol like LDAP (from a web services point of view).
Thanks
Oliver
From: "Dittmann, Werner (NSN - DE/Munich)" <werner.dittmann@nsn.com>
Sent: 04.12.2009 10:43
To: "ext Cole Ferrier" <co...@coleferrier.com>, <ws...@ws.apache.org>
Subject: RE: Question about x509 certificates
RE: Question about x509 certificates
Posted by "Dittmann, Werner (NSN - DE/Munich)" <we...@nsn.com>.
Cole,
the advice given by Daniel is correct. The Merlin implementation uses a
local keystore based on JKS. Because you mention LDAP in your mail: IIRC
someone already implemented LDAP access to get certificates. I don't know
who it was but maybe you can ask here or try google :-).
Regards,
Werner
________________________________
From: ext Cole Ferrier [mailto:cole@coleferrier.com]
Sent: Thursday, December 03, 2009 11:22 PM
To: wss4j-dev@ws.apache.org
Subject: Fwd: Question about x509 certificates
Fwd: Question about x509 certificates
Posted by Cole Ferrier <co...@coleferrier.com>.
I was referred to this list, from Daniel Kulp from the CXF list.
Here is what i'm trying to do:
I want to be able to accept a signed (not encrypted) message without having
the public key in my keystore prior to someone calling me. I have a service
available that i can go and get all the public keys for anyone, but i want
to do that on demand, so that i don't have to maintain a local key store.
How could one go about doing this?
I wouldn't mind using a local key store to cache copies of the public key
once i looked them up once, but i don't want to have to have the key prior
to them calling me.
(Also I have a certificate revocation list, that i want to validate against,
which i could do at this point or later in the process).
He stated that i should look at implementing a
org.apache.ws.security.components.crypto.Crypto
Do you have any suggestions on where i should start?
Or is this not the right approach?
My use case is that we have a central group that manages x509 certs and
"flags" for applications for authorization purposes.
So i was going to use the x509 signature for authentication, then lookup in
ldap the flags on their account for authorization. (the authorization i was
going to do later in a CXF interceptor)
Thanks in advance,
Cole
---------- Forwarded message ----------
From: Daniel Kulp <dk...@apache.org>
Date: Thu, Dec 3, 2009 at 12:09 PM
Subject: Re: Question about x509 certificates
To: users@cxf.apache.org
Cc: Cole Ferrier <co...@coleferrier.com>
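An added example, not code from this thread or from WSS4J, of the on-demand Crypto that Daniel describes: a Merlin subclass whose issuer/serial lookup fetches an unknown signer's certificate from the central service, caches it in the local JKS, and throws rather than hand back a certificate that is on the CRL. CertificateDirectory is an assumed client interface standing in for Cole's lookup service; the Merlin, getKeyStore() and WSSecurityException signatures are those of the WSS4J 1.5 API and are assumed to match the version in use.

```java
import java.math.BigInteger;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Properties;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Merlin;

public class OnDemandCrypto extends Merlin {
    /** Hypothetical client for the central certificate/CRL service; not a WSS4J type. */
    public interface CertificateDirectory {
        X509Certificate findByIssuerSerial(String issuerDN, BigInteger serial) throws Exception;
        X509CRL currentCrl() throws Exception;
    }
    private final CertificateDirectory directory;
    public OnDemandCrypto(Properties props, CertificateDirectory directory) throws Exception {
        super(props);   // loads the local JKS named in the properties; it may start empty
        this.directory = directory;
    }
    /** WSS4J calls this when a signature references the signer's cert by issuer and serial. */
    @Override
    public String getAliasForX509Cert(String issuer, BigInteger serialNumber)
            throws WSSecurityException {
        String alias = super.getAliasForX509Cert(issuer, serialNumber);   // already cached?
        X509Certificate cert;
        try {
            if (alias != null) {
                cert = (X509Certificate) getKeyStore().getCertificate(alias);
            } else {
                cert = directory.findByIssuerSerial(issuer, serialNumber);
                if (cert == null) {
                    return null;   // unknown signer: WSS4J then fails the signature check
                }
                alias = issuer + "#" + serialNumber.toString(16);
                getKeyStore().setCertificateEntry(alias, cert);   // cache for the next call
            }
        } catch (Exception e) {
            throw new WSSecurityException("certificate lookup failed", e);   // fail closed
        }
        rejectIfRevoked(cert);   // on every call: a cached cert can be revoked later
        return alias;
    }
    /** Daniel's suggestion: throw instead of handing back a revoked certificate. */
    private void rejectIfRevoked(X509Certificate cert) throws WSSecurityException {
        X509CRL crl;
        try {
            crl = directory.currentCrl();
        } catch (Exception e) {
            throw new WSSecurityException("CRL unavailable", e);   // no CRL, no acceptance
        }
        if (crl.isRevoked(cert)) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }
    }
}
```

A certificate that arrives embedded in the message (BinarySecurityToken) does not go through the alias lookup but through validateCertPath, so the same revocation check belongs in an override of that method as well.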
Re: Question about x509 certificates
Posted by Daniel Kulp <dk...@apache.org>.
On Wed December 2 2009 6:36:11 pm Cole Ferrier wrote:
> I've done some basic testing and setup with x509 certificates, but i have a
> few requirements that i'm trying to figure out how i could implement.
>
> 1) I want to be able to accept a signed (not encrypted) message without
> having the public key in my keystore prior to someone calling me.
> I have a service available that i can go and get all the public keys for
> anyone, but i want to do that on demand, so that i don't have to maintain a
> local key store. How could one go about doing this?
This PROBABLY should be redirected to the WSS4J list. I THINK the only way
to do this would be to write your own
org.apache.ws.security.components.crypto.Crypto
object that implements all the needed methods. That's the class that WSS4J
uses to handle all the key manipulation and such. You would set your
classname in the properties file instead of the Merlin version.
> 2) Then of course i need to check a revocation list, so i'm assuming i
> could just use an interceptor to go and check that? or??
An interceptor could work here. Alternatively, the Crypto object you create
above could just throw an exception if a revoked cert is asked for.
> 3) then the question comes to authorization, (since i've already done the
> above to validate that i know who they are.. ) Should this be done in a
> separate interceptor? I am talking i want to authorize at the per service
> layer or operation, not at the whole application..
> How early should i try to do this.. i think i was able to get what the
> user is doing on what interface
> message.get(Message.WSDL_OPERATION)
> message.get(Message.WSDL_INTERFACE)
> and who the user is:
> //ignore the ugly code
> Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
> WSSecurityEngineResult r = (WSSecurityEngineResult)
> ((WSHandlerResult) v.get(0)).getResults().get(0);
> WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)
> r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
>
> then i could take the user and what they are doing and validate that they
> are authorized for that operation.
>
> Right now i tried this at the Phase.USER_LOGICAL and it seems to work, is
> this the right place for that?
Yep. You can simplify a bit by doing:
SecurityContext sc = msg.get(SecurityContext.class);
Principal p = sc.getUserPrincipal();
> If anyone has had to do anything like this and has sample code, i'd
> appreciate it.
>
> Cole
>
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
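An added example, not code from this thread or from CXF, of the per-operation check Daniel confirms at Phase.USER_LOGICAL: it reads the SecurityContext and Message.WSDL_OPERATION the thread mentions and denies by default. The FlagLookup interface and the policy map are assumptions standing in for the LDAP "flags" Cole describes; the CXF interceptor types are the 2.x API.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/** Runs at USER_LOGICAL, i.e. after WSS4JInInterceptor has verified the signature. */
public class OperationAuthzInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Hypothetical policy source: the "flags" the central group keeps per account. */
    public interface FlagLookup {
        Set<String> flagsFor(String principalName);
    }

    private final Map<QName, String> requiredFlag;   // WSDL operation -> flag it requires
    private final FlagLookup flags;

    public OperationAuthzInterceptor(Map<QName, String> requiredFlag, FlagLookup flags) {
        super(Phase.USER_LOGICAL);
        this.requiredFlag = requiredFlag;
        this.flags = flags;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Daniel's shortcut: the principal WSS4J established, without digging through RECV_RESULTS
        SecurityContext sc = message.get(SecurityContext.class);
        Principal p = sc == null ? null : sc.getUserPrincipal();
        if (p == null) {
            throw new Fault(new SecurityException("no authenticated principal on message"));
        }
        QName op = (QName) message.get(Message.WSDL_OPERATION);
        String needed = requiredFlag.get(op);
        if (needed == null) {
            // an operation nobody configured is closed, not open
            throw new Fault(new SecurityException("no policy for " + op + "; denied by default"));
        }
        Set<String> have = flags.flagsFor(p.getName());
        if (have == null || !have.contains(needed)) {
            throw new Fault(new SecurityException(p.getName() + " lacks " + needed + " for " + op));
        }
    }
}
```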