Posted to users@servicemix.apache.org by Freeman Fang <fr...@gmail.com> on 2009/02/12 10:10:23 UTC

Re: CXF WSS example

Hi Lukasz,

Finally I get the reason why your changes in the properties can't be 
loaded, CXF-2038 [1] tracks this issue.

[1] https://issues.apache.org/jira/browse/CXF-2038
Freeman

Lukasz L. wrote:
> Hi Ashwin,
>
> I took a look at WSS4JInInterceptor class and it seems that exception should
> be thrown:
>
>                 if (returnCert != null && !verifyTrust(returnCert, reqData)) {
>                     LOG.warning("The certificate used for the signature is not trusted");
>                     throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
>                 }
>
> I did more tests and I found a possible cause of confusion. It seems that some
> configuration settings aren't reloaded after service assembly redeployment
> but in addition the server needs to be restarted.
> I did tests in which I was changing the bob.properties file (changing the keystore
> file name) and redeploying the service assembly. After redeployment the
> behaviour wasn't changed, e.g. when I changed from the right keystore to the
> wrong one the signature was still valid, as if the old key was taken into
> account.
> When I stopped and started the server without any further changes the behaviour
> was as I expected (that in the above case I got a signature validation exception).
>
> It's a bit strange because all properties and keystore file are inside SU
> and it should be reloaded after redeployment.
>
>
> Ashwin Karpe wrote:
>   
>> Hi Lukasz,
>>
>> I believe this may be related to the interceptor code itself. The
>> interceptor code will need to be suitably modified to perform the check.
>> The default example interceptor code shipping in SMX is not strict. It
>> does not throw an exception when the match is not made and allows the call
>> to go ahead. It was not designed for direct commercial use. Please check
>> out the Java code for the interceptor and modify accordingly. Examples of
>> how to throw a security exception and appropriate codes should be
>> available in the WS-Security spec.
>>
>> The match is made in the Java code associated with the interceptor.
>>
>>
>>     
>
>