Posted to users@cxf.apache.org by XyLus <ma...@gmail.com> on 2009/03/04 17:25:14 UTC
MTOM + WS-Security X.509 Certificate Token Profile Question
Hi All
I have client and server that use MTOM to send message with attachment. (it
works fine I can see
<xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
href="$reference"/> in message and attachment bytes afterwards in Outbound
log)
I am wondering if it is possible to combine MTOM and WS-Security X.509
Certificate Token Profile signing
I checked out WS-Security and MTOM tutorials available on CXF page and now I
have client code as follows:

    UploadService ss = new UploadService(wsdlURL, SERVICE_NAME);
    UploadServicePortType port = ss.getUploadServicePort();

    // WS-Security via API
    Map<String,Object> outProps = new HashMap<String,Object>();
    outProps.put(WSHandlerConstants.ACTION, "Signature");
    outProps.put(WSHandlerConstants.USER, "myAlias");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                 ClientPasswordCallback.class.getName());
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");

    org.apache.cxf.endpoint.Client client =
        org.apache.cxf.frontend.ClientProxy.getClient(port);
    org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();

    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    cxfEndpoint.getOutInterceptors().add(wssOut);
    // 2.0.x only; not needed in 2.1+
    cxfEndpoint.getOutInterceptors().add(new SAAJOutInterceptor());
    // WS-Security via API END

    Binding binding = ((BindingProvider)port).getBinding();
    ((SOAPBinding)binding).setMTOMEnabled(true);

I've made matching changes on server side and everything works fine.
However there is no
<xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
href="$reference"/>
in client Inbound anymore. Instead of reference in message there is
attachment data coded with base64 :/
Please confirm whether my client configuration is not correct or combining
MTOM and WS-Security at the same time is not possible.
Any help would be appreciated,
Maciej
--
View this message in context: http://www.nabble.com/MTOM-%2B-WS-Security-X.509-Certificate-Token-Profile-Question-tp22333460p22333460.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: MTOM + WS-Security X.509 Certificate Token Profile Question
Posted by Mayank Mishra <ma...@gmail.com>.
Glen Mazza wrote:
> Are you sure that the X509 token profile defines encryption of any MIME
> attachments used by MTOM? Otherwise I could imagine MTOM using the
> within-the-soap-body X64 binary instead so it can be encrypted as normal.
>
>
Glen,
No, X509 token profile doesn't define anything about securing MIME
attachments. I was referring to the case where one MIME part having
soap-body with secured data and other MIME part having binary attachment.
With Regards,
Mayank
> Mayank Mishra-3 wrote:
>
>> Hi Maciej,
>>
>> Combination of MTOM and WS-Security must work. There is nothing like
>> mutually exclusive. AFAIK, securing MTOM attachment is not supported
>> currently.
>>
>>
>
>
Re: MTOM + WS-Security X.509 Certificate Token Profile Question
Posted by Glen Mazza <gl...@gmail.com>.
Are you sure that the X509 token profile defines encryption of any MIME
attachments used by MTOM? Otherwise I could imagine MTOM using the
within-the-soap-body X64 binary instead so it can be encrypted as normal.
Mayank Mishra-3 wrote:
>
> Hi Maciej,
>
> Combination of MTOM and WS-Security must work. There is nothing like
> mutually exclusive. AFAIK, securing MTOM attachment is not supported
> currently.
>
Re: MTOM + WS-Security X.509 Certificate Token Profile Question
Posted by Mayank Mishra <ma...@gmail.com>.
XyLus wrote:
> Hi All
>
> I have client and server that use MTOM to send message with attachment. (it
> works fine I can see
> <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
> href="$reference"/> in message and attachment bytes afterwards in Outbound
> log)
>
> I am wondering if it is possible to combine MTOM and WS-Security X.509
> Certificate Token Profile signing
>
>
> I checked out WS-Security and MTOM tutorials available on CXF page and now I
> have client code as follows:
>
>
> UploadService ss = new UploadService(wsdlURL, SERVICE_NAME);
> UploadServicePortType port = ss.getUploadServicePort();
>
>
> //WS-Security via API
>
> Map<String,Object> outProps = new HashMap<String,Object>();
>
> outProps.put(WSHandlerConstants.ACTION, "Signature");
> outProps.put(WSHandlerConstants.USER, "myAlias");
> outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
> ClientPasswordCallback.class.getName());
> outProps.put(WSHandlerConstants.SIG_PROP_FILE,
> "client_sign.properties");
>
> org.apache.cxf.endpoint.Client client =
> org.apache.cxf.frontend.ClientProxy.getClient(port);
> org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
>
> WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
> cxfEndpoint.getOutInterceptors().add(wssOut);
> cxfEndpoint.getOutInterceptors().add(new SAAJOutInterceptor()); // 2.0.x only; not needed in 2.1+
>
> //WS-Security via API END
>
> Binding binding = ((BindingProvider)port).getBinding();
> ((SOAPBinding)binding).setMTOMEnabled(true);
>
>
> I've made matching changes on server side and everything works fine.
> However there is no
> <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
> href="$reference"/>
> in client Inbound anymore. Instead of reference in message there is
> attachment data coded with base64 :/
>
>
> Please confirm whether my client configuration is not correct or combining
> MTOM and WS-Security at the same time is not possible.
>
>
Hi Maciej,
Combination of MTOM and WS-Security must work. There is nothing like
mutually exclusive. AFAIK, securing MTOM attachment is not supported
currently.
Also, I am unable to locate any SignatureParts in security properties
supplied to WSS4JInterceptor. Are you expecting any default behavior? or
just for brevity they are not there?
Anyway, I haven't tried this combination before but will surely update
you soon by trying myself.
With Regards,
Mayank
> Any help would be appreciated,
> Maciej
>
>
Re: MTOM + WS-Security X.509 Certificate Token Profile Question
Posted by XyLus <ma...@gmail.com>.
Thank you all for help and sharing your knowledge about WS-Security combined
with MTOM in CXF.
Regards,
Maciej
dkulp wrote:
>
>
> Currently, WSS4J (and thus CXF) doesn't support encrypting/signing of
> attachments. Thus, for security's sake, by default, the WSS4JOutInterceptor
> turns off MTOM to make sure any data is properly protected.
>
> If you want, you can configure the WSS4JOutInterceptor to allow MTOM to remain
> on. There is an AllowMTOM property on it. Just set it to true. Just
> keep in mind that the attachments would not be signed/encrypted.
>
> Dan
>
>
>
>
> On Wed March 4 2009 11:25:14 am XyLus wrote:
>> Hi All
>>
>> I have client and server that use MTOM to send message with attachment. (it
>> works fine I can see
>> <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
>> href="$reference"/> in message and attachment bytes afterwards in
>> Outbound
>> log)
>>
>> I am wondering if it is possible to combine MTOM and WS-Security X.509
>> Certificate Token Profile signing
>>
>>
>> I checked out WS-Security and MTOM tutorials available on CXF page and
>> now
>> I have client code as follows:
>>
>>
>> UploadService ss = new UploadService(wsdlURL, SERVICE_NAME);
>> UploadServicePortType port = ss.getUploadServicePort();
>>
>>
>> //WS-Security via API
>>
>> Map<String,Object> outProps = new HashMap<String,Object>();
>>
>> outProps.put(WSHandlerConstants.ACTION, "Signature");
>> outProps.put(WSHandlerConstants.USER, "myAlias");
>> outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
>> ClientPasswordCallback.class.getName());
>> outProps.put(WSHandlerConstants.SIG_PROP_FILE,
>> "client_sign.properties");
>>
>> org.apache.cxf.endpoint.Client client =
>> org.apache.cxf.frontend.ClientProxy.getClient(port);
>> org.apache.cxf.endpoint.Endpoint cxfEndpoint =
>> client.getEndpoint();
>>
>> WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
>> cxfEndpoint.getOutInterceptors().add(wssOut);
>> cxfEndpoint.getOutInterceptors().add(new SAAJOutInterceptor()); // 2.0.x only; not needed in 2.1+
>>
>> //WS-Security via API END
>>
>> Binding binding = ((BindingProvider)port).getBinding();
>> ((SOAPBinding)binding).setMTOMEnabled(true);
>>
>>
>> I've made matching changes on server side and everything works fine.
>> However there is no
>> <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
>> href="$reference"/>
>> in client Inbound anymore. Instead of reference in message there is
>> attachment data coded with base64 :/
>>
>>
>> Please confirm whether my client configuration is not correct or
>> combining
>> MTOM and WS-Security at the same time is not possible.
>>
>> Any help would be appreciated,
>> Maciej
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
>
>
Re: MTOM + WS-Security X.509 Certificate Token Profile Question
Posted by Daniel Kulp <dk...@apache.org>.
Currently, WSS4J (and thus CXF) doesn't support encrypting/signing of
attachments. Thus, for security's sake, by default, the WSS4JOutInterceptor
turns off MTOM to make sure any data is properly protected.
If you want, you can configure the WSS4JOutInterceptor to allow MTOM to remain
on. There is an AllowMTOM property on it. Just set it to true. Just
keep in mind that the attachments would not be signed/encrypted.
Dan
On Wed March 4 2009 11:25:14 am XyLus wrote:
> Hi All
>
> I have client and server that use MTOM to send message with attachment. (it
> works fine I can see
> <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
> href="$reference"/> in message and attachment bytes afterwards in Outbound
> log)
>
> I am wondering if it is possible to combine MTOM and WS-Security X.509
> Certificate Token Profile signing
>
>
> I checked out WS-Security and MTOM tutorials available on CXF page and now
> I have client code as follows:
>
>
> UploadService ss = new UploadService(wsdlURL, SERVICE_NAME);
> UploadServicePortType port = ss.getUploadServicePort();
>
>
> //WS-Security via API
>
> Map<String,Object> outProps = new HashMap<String,Object>();
>
> outProps.put(WSHandlerConstants.ACTION, "Signature");
> outProps.put(WSHandlerConstants.USER, "myAlias");
> outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
> ClientPasswordCallback.class.getName());
> outProps.put(WSHandlerConstants.SIG_PROP_FILE,
> "client_sign.properties");
>
> org.apache.cxf.endpoint.Client client =
> org.apache.cxf.frontend.ClientProxy.getClient(port);
> org.apache.cxf.endpoint.Endpoint cxfEndpoint =
> client.getEndpoint();
>
> WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
> cxfEndpoint.getOutInterceptors().add(wssOut);
> cxfEndpoint.getOutInterceptors().add(new SAAJOutInterceptor()); // 2.0.x only; not needed in 2.1+
>
> //WS-Security via API END
>
> Binding binding = ((BindingProvider)port).getBinding();
> ((SOAPBinding)binding).setMTOMEnabled(true);
>
>
> I've made matching changes on server side and everything works fine.
> However there is no
> <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
> href="$reference"/>
> in client Inbound anymore. Instead of reference in message there is
> attachment data coded with base64 :/
>
>
> Please confirm whether my client configuration is not correct or combining
> MTOM and WS-Security at the same time is not possible.
>
> Any help would be appreciated,
> Maciej
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
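
What the AllowMTOM caveat in the reply above means for a signature over the SOAP Body, as an added example that is not part of the thread and is not CXF or WSS4J code. It uses only the JDK and assumes a simplified model: SHA-256 over the serialized Body stands in for the signature's digest, and the element names, content id and attachment bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

// Simplified model (assumption of this example): SHA-256 over the serialized
// SOAP Body stands in for the digest a WS-Security signature takes over the Body.
// Real XML Signature canonicalizes the element first; the coverage question is the same.
public class MtomSignatureCoverage {

    static byte[] bodyDigest(String body) throws Exception {
        return MessageDigest.getInstance("SHA-256")
                .digest(body.getBytes(StandardCharsets.UTF_8));
    }

    // MTOM on: the Body holds only a reference; the bytes travel in another MIME part.
    static String mtomBody(String contentId) {
        return "<soap:Body><upload><data>"
             + "<xop:Include xmlns:xop=\"http://www.w3.org/2004/08/xop/include\""
             + " href=\"cid:" + contentId + "\"/>"
             + "</data></upload></soap:Body>";
    }

    // MTOM off (the WSS4JOutInterceptor default described above): bytes inlined as base64.
    static String inlinedBody(byte[] attachment) {
        return "<soap:Body><upload><data>"
             + Base64.getEncoder().encodeToString(attachment)
             + "</data></upload></soap:Body>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload; the received copy differs by one bit.
        byte[] sent = "constructed attachment bytes".getBytes(StandardCharsets.UTF_8);
        byte[] received = sent.clone();
        received[0] ^= 0x01;

        // The Body carries the same reference for both payloads, so its digest
        // cannot tell them apart.
        boolean mtomDetects = !Arrays.equals(
                bodyDigest(mtomBody("attachment-1")), bodyDigest(mtomBody("attachment-1")));
        // The inlined payload is part of the digested bytes, so the change shows up.
        boolean inlineDetects = !Arrays.equals(
                bodyDigest(inlinedBody(sent)), bodyDigest(inlinedBody(received)));

        System.out.println("MTOM body digest detects change:    " + mtomDetects);
        System.out.println("Inlined body digest detects change: " + inlineDetects);
    }
}
```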