Posted to users@cxf.apache.org by Ted Roeloffzen <te...@gmail.com> on 2013/05/23 11:34:21 UTC

ws security

Hello all,

I'm having a little difficulty setting up my client-webservice with the
correct settings.
This is the main part of the WSDL that I have to comply with.

<wsp:Policy wsu:Id="">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToInitiator">
                                <wsp:Policy>
                                    <sp:RequireThumbprintReference/>
                                    <sp:WssX509V3Token10/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256Sha256Rsa15/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:OnlySignEntireHeadersAndBody/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <sp:Body/>
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

I have deleted the IDs, for the sake of our client.

The problem is that I'm unable to set up the correct token inclusion and so
on.
I can't seem to figure out which parameters have to be set with CXF.
Since we don't use Spring, I have to configure everything through the API.


This is what I have so far.

Map<String, Object> outProps = new HashMap<String, Object>();
outProps.put(WSHandlerConstants.ACTION,
    WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE);
outProps.put(WSHandlerConstants.SIG_ALGO,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
outProps.put(WSHandlerConstants.SIG_DIGEST_ALGO,
    "http://www.w3.org/2001/04/xmlenc#sha256");

WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
client.getOutInterceptors().add(wssOut);

And I'm adding a custom Interceptor that does this in the handleMessage at
the Pre_logical phase:

X509Certificate[] certificates = {holder.getCertificate()};
CertificateStore store = new CertificateStore(certificates);

message.put(SecurityConstants.SIGNATURE_CRYPTO, store);

Can one of you point me in the right direction?

kind regards,

Ted

RE: ws security

Posted by Andrei Shakirin <as...@talend.com>.
Hi Ted,

This blog can be helpful in case you create and configure your own Crypto provider: http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html

Regards,
Andrei.


> -----Original Message-----
> From: Ted Roeloffzen [mailto:ted.roeloffzen@gmail.com]
> Sent: Thursday, 23 May 2013 20:37
> To: users; Colm O hEigeartaigh
> Subject: Re: ws security
> 
> At this moment I don't have a crypto.properties.
> Is the existence of that file mandatory and what kind of properties are
> required?
> 
> Ted
> 
> 

Re: ws security

Posted by Colm O hEigeartaigh <co...@apache.org>.
It's required to configure a Crypto instance used for signature + to
retrieve certificates. See the "Signing" section here for more information:

http://cxf.apache.org/docs/ws-security.html

Colm.


On Thu, May 23, 2013 at 7:37 PM, Ted Roeloffzen <te...@gmail.com> wrote:

> At this moment I don't have a crypto.properties.
> Is the existence of that file mandatory and what kind of properties are
> required?
>
> Ted
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: ws security

Posted by Ted Roeloffzen <te...@gmail.com>.
At this moment I don't have a crypto.properties.
Is the existence of that file mandatory and what kind of properties are
required?

Ted


2013/5/23 Colm O hEigeartaigh <co...@apache.org>

> I'd say the easiest way is to create your own Crypto instance based on
> CertificateStore, and instantiate that directly in your crypto.properties.
> That way you don't need to change anything in CXF itself.
>
> Colm.
>
>

Re: ws security

Posted by Colm O hEigeartaigh <co...@apache.org>.
I'd say the easiest way is to create your own Crypto instance based on
CertificateStore, and instantiate that directly in your crypto.properties.
That way you don't need to change anything in CXF itself.

Colm.


On Thu, May 23, 2013 at 2:01 PM, Ted Roeloffzen <te...@gmail.com> wrote:

> We have the certificates stored in a DB.
> So in the interceptor I load the certificate, put it in a certificate
> store and add the certificate store as Crypto object for the signature.
> Is this the correct way or can't I use this in an interceptor or does the
> interceptor have to have a different phase?
>
> kind regards,
>
> Ted
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
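
Added example (not code from any poster in this thread or from the CXF project): one way to hand a WS-SecurityPolicy client its credentials through the API, as the replies above about a Crypto instance and about dropping the "Action" configuration describe. It assumes the WSS4J 1.6 package names current in 2013, that the client's private key is available from the same DB as the certificates, and a hypothetical class name and aliases.

```java
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.components.crypto.Merlin;

/**
 * Hypothetical helper. No WSS4JOutInterceptor and no ACTION / SIG_ALGO
 * properties are set: the policy in the WSDL (AsymmetricBinding,
 * Basic256Sha256Rsa15, IncludeTimestamp, SignedParts/Body) already states
 * what has to be done. Only the credentials are supplied here.
 */
public final class PolicyClientCredentials {

    private static final String CLIENT_ALIAS = "client";   // constructed alias
    private static final String SERVICE_ALIAS = "service"; // constructed alias

    private PolicyClientCredentials() {
    }

    /**
     * @param port        the JAX-WS proxy created from the WSDL
     * @param clientKey   private key matching clientCert (assumed to be
     *                    loaded from the DB; a certificate alone cannot sign)
     * @param clientCert  the initiator certificate
     * @param serviceCert the recipient (service) certificate
     */
    public static void configure(BindingProvider port,
                                 PrivateKey clientKey,
                                 X509Certificate clientCert,
                                 X509Certificate serviceCert) throws Exception {
        // The key store lives only in memory, so a random per-process
        // password is enough to satisfy the KeyStore API.
        final char[] keyPassword =
            new BigInteger(130, new SecureRandom()).toString(32).toCharArray();

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null); // empty store, nothing read from disk
        keyStore.setKeyEntry(CLIENT_ALIAS, clientKey, keyPassword,
                             new X509Certificate[] {clientCert});
        keyStore.setCertificateEntry(SERVICE_ALIAS, serviceCert);

        // Merlin is WSS4J's key-store backed Crypto; built in code, it needs
        // no crypto.properties file.
        Merlin crypto = new Merlin();
        crypto.setKeyStore(keyStore);

        // WSS4J asks this handler for the password of the signing key.
        CallbackHandler passwords = new CallbackHandler() {
            public void handle(Callback[] callbacks) {
                for (Callback callback : callbacks) {
                    if (callback instanceof WSPasswordCallback) {
                        WSPasswordCallback pc = (WSPasswordCallback) callback;
                        if (CLIENT_ALIAS.equals(pc.getIdentifier())) {
                            pc.setPassword(new String(keyPassword));
                        }
                    }
                }
            }
        };

        Map<String, Object> ctx = port.getRequestContext();
        ctx.put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, CLIENT_ALIAS);
        ctx.put(SecurityConstants.CALLBACK_HANDLER, passwords);
        // Assumption: the same Crypto is also registered as the encryption
        // Crypto so that the service certificate is available to the policy
        // handlers when the signed response is processed.
        ctx.put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
    }
}
```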

Re: ws security

Posted by Ted Roeloffzen <te...@gmail.com>.
We have the certificates stored in a DB.
So in the interceptor I load the certificate, put it in a certificate store
and add the certificate store as Crypto object for the signature.
Is this the correct way or can't I use this in an interceptor or does the
interceptor have to have a different phase?

kind regards,

Ted


2013/5/23 Ted Roeloffzen <te...@gmail.com>

> Okay thanks.
>
> Correct me if I'm wrong, but the only thing I have to do is add the
> interceptor that sets the correct certificate?
>
> kind regards,
>
> Ted
>
>
> 2013/5/23 Colm O hEigeartaigh <co...@apache.org>
>
>> You are using the older "Action" style configuration with
>> WS-SecurityPolicy, which doesn't work. With WS-SecurityPolicy you don't
>> tell it what security actions to perform, as the policy already contains
>> all of this information. You just need to let it know the correct
>> credentials for signing/encryption etc.
>>
>> See here for some information about configuration:
>>
>> http://cxf.apache.org/docs/ws-securitypolicy.html
>>
>> Colm.
>>
>>
>> On Thu, May 23, 2013 at 10:34 AM, Ted Roeloffzen
>> <te...@gmail.com>wrote:
>>
>> > Hello all,
>> >
>> > I'm having al little difficulty setting up my client-webservice with the
>> > correct settings.
>> > This is the main part of the WSDL that i have to comply to.
>> >
>> > <wsp:Policy wsu:Id="">
>> >         <wsp:ExactlyOne>
>> >             <wsp:All>
>> >                 <sp:AsymmetricBinding xmlns:sp="
>> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >                     <wsp:Policy>
>> >                         <sp:InitiatorToken>
>> >                             <wsp:Policy>
>> >                                 <sp:X509Token sp:IncludeToken="
>> >
>> >
>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
>> > ">
>> >                                     <wsp:Policy>
>> >                                         <sp:RequireThumbprintReference/>
>> >                                         <sp:WssX509V3Token10/>
>> >                                     </wsp:Policy>
>> >                                 </sp:X509Token>
>> >                             </wsp:Policy>
>> >                         </sp:InitiatorToken>
>> >                         <sp:RecipientToken>
>> >                             <wsp:Policy>
>> >                                 <sp:X509Token sp:IncludeToken="
>> >
>> >
>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToInitiator
>> > ">
>> >                                     <wsp:Policy>
>> >                                         <sp:RequireThumbprintReference/>
>> >                                         <sp:WssX509V3Token10/>
>> >                                     </wsp:Policy>
>> >                                 </sp:X509Token>
>> >                             </wsp:Policy>
>> >                         </sp:RecipientToken>
>> >                         <sp:AlgorithmSuite>
>> >                             <wsp:Policy>
>> >                 <sp:Basic256Sha256Rsa15/>
>> >               </wsp:Policy>
>> >                         </sp:AlgorithmSuite>
>> >                         <sp:Layout>
>> >                             <wsp:Policy>
>> >                                 <sp:Lax/>
>> >                             </wsp:Policy>
>> >                         </sp:Layout>
>> >                         <sp:IncludeTimestamp/>
>> >                         <sp:OnlySignEntireHeadersAndBody/>
>> >                     </wsp:Policy>
>> >                 </sp:AsymmetricBinding>
>> >             </wsp:All>
>> >         </wsp:ExactlyOne>
>> >     </wsp:Policy>
>> >     <wsp:Policy wsu:Id="">
>> >         <wsp:ExactlyOne>
>> >             <wsp:All>
>> >                 <sp:SignedParts xmlns:sp="
>> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >                     <sp:Body/>
>> >                 </sp:SignedParts>
>> >             </wsp:All>
>> >         </wsp:ExactlyOne>
>> >     </wsp:Policy>
>> >
>> > i have deleted the id's, for the sake of our client.
>> >
>> > The problem is that i'm unable the setup the correct token inclusion
>> and so
>> > on.
>> > I can't seem to figure out which parameters have to be set with CXF.
>> > Since we don't use Spring, I have to configure everything through the
>> API.
>> >
>> >
>> > THis is what i have so far.
>> > Map<String, Object> outProps = new HashMap<String, Object>();
>> >         outProps.put(WSHandlerConstants.ACTION,
>> > WSHandlerConstants.TIMESTAMP + " "
>> >             + WSHandlerConstants.SIGNATURE);
>> >         outProps.put(WSHandlerConstants.SIG_ALGO,
>> >             "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
>> >         outProps.put(WSHandlerConstants.SIG_DIGEST_ALGO, "
>> > http://www.w3.org/2001/04/xmlenc#sha256");
>> >
>> >         WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
>> >         client.getOutInterceptors().add(wssOut);
>> >
>> > And i'm adding a custom Interceptor that does this in the handleMessage
>> at
>> > the Pre_logical phase
>> >
>> > X509Certificate[] certificates = {holder.getCertificate()};
>> >         CertificateStore store = new CertificateStore(certificates);
>> >
>> >         message.put(SecurityConstants.SIGNATURE_CRYPTO, store);
>> >
>> > Can one of you point me in the right direction?
>> >
>> > kind regards,
>> >
>> > Ted
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>

Re: ws security

Posted by Ted Roeloffzen <te...@gmail.com>.
Okay thanks.

Correct me if I'm wrong, but the only thing I have to do is add the
interceptor that sets the correct certificate?

kind regards,

Ted


Re: ws security

Posted by Colm O hEigeartaigh <co...@apache.org>.
You are using the older "Action" style configuration with
WS-SecurityPolicy, which doesn't work. With WS-SecurityPolicy you don't
tell it what security actions to perform, as the policy already contains
all of this information. You just need to let it know the correct
credentials for signing/encryption etc.

See here for some information about configuration:

http://cxf.apache.org/docs/ws-securitypolicy.html

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
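
Added example, not part of the original thread: one way to hand CXF the signing credentials for the policy-driven setup described in the reply above, configured through the API without Spring. It assumes the WSS4J 1.6 package names and that the client's private key and certificate are available as PKCS#12 bytes (WSS4J's CertificateStore holds certificates only and cannot create signatures); PolicyClientSetup, configure and the parameter names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.components.crypto.Merlin;

// Hypothetical helper class, not CXF or project code.
public final class PolicyClientSetup {

    // pkcs12: key store bytes holding the client's private key and certificate (e.g. a DB blob).
    // serviceCerts: key store holding the service certificate(s) the client trusts.
    public static void configure(Client client, byte[] pkcs12, final char[] password,
                                 String signingAlias, KeyStore serviceCerts) throws Exception {
        KeyStore keys = KeyStore.getInstance("PKCS12");
        keys.load(new ByteArrayInputStream(pkcs12), password);
        if (!keys.isKeyEntry(signingAlias)) {
            // A certificate-only entry cannot sign; fail here rather than deep inside WSS4J.
            throw new IllegalArgumentException("No private key under alias " + signingAlias);
        }

        Merlin signatureCrypto = new Merlin();   // signs the outbound request
        signatureCrypto.setKeyStore(keys);

        // Assumption: on the client side CXF verifies the signed response
        // (RecipientToken) against the crypto registered as the encryption crypto.
        Merlin serviceCrypto = new Merlin();
        serviceCrypto.setTrustStore(serviceCerts);

        Map<String, Object> ctx = client.getRequestContext();
        ctx.put(SecurityConstants.SIGNATURE_CRYPTO, signatureCrypto);
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, signingAlias);
        ctx.put(SecurityConstants.ENCRYPT_CRYPTO, serviceCrypto);
        ctx.put(SecurityConstants.CALLBACK_HANDLER, new CallbackHandler() {
            public void handle(Callback[] callbacks) {
                for (Callback cb : callbacks) {
                    if (cb instanceof WSPasswordCallback) {
                        // Password protecting the private key entry.
                        ((WSPasswordCallback) cb).setPassword(new String(password));
                    }
                }
            }
        });
        // No WSS4JOutInterceptor and no ACTION/SIG_ALGO properties: the policy in the
        // WSDL already selects timestamp, signature, token reference and algorithm suite.
    }
}
```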