Posted to java-user@axis.apache.org by qvall <qv...@o2.pl> on 2007/12/30 00:10:45 UTC

ws-security: Encryption using UserToken

Hi,
I would like to encrypt and sign my requests and responses using WSS4J and UserToken but can't figure out how to do it. I searched the archive and came across http://www.nabble.com/WSS4J-symmetric-encryption-td6097730.html where symmetric encryption is mentioned. Unfortunately the links to the axis2 snippets are dead and I couldn't track down the current path in svn.

I guess I should play with "encryptionKeyIdentifier", "EmbeddedKeyName", "encryptionPropFile" and "encryptionSymAlgorithm" according to the other link that works. However, I still don't know how to do it. Especially, how can I reference the UserToken that is generated to be used for signature and encryption? I've tried on my own, but the wss4j apidoc at http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#keyIdentifier is not clear enough to me. I would appreciate any code snippets or links where it is explained in detail.

In case it is not supported right now, I'm also wondering whether there is any way to encrypt the response from the server (using X.509 certificates) without knowing the client's public key in advance. I mean, in many samples I saw that the server's keystore had the client's cert. I would like to avoid that since it requires modifying the server with each new client. Does "useReqSigCert" have something to do with it?

I'm new to WS-S and I hope there is some simple solution for my simple purposes.


patrick
-- 
View this message in context: http://www.nabble.com/ws-security%3A-Encryption-using-UserToken-tp14542558p14542558.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: ws-security: Encryption using UserToken

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Patrick,

> However, what is still not clear to me is why in that sample they are using
> passwordCallbackClass to set the key along with
> encryptionPropFile/decryptionPropFile
> (which eventually points to a keystore). Shouldn't keystores be redundant
> in symmetric encryption?

Yes, in this scenario we don't need encryptionPropFile/decryptionPropFile, as they are only needed when using a key store. This means that sample should work if you just remove the redundant encryptionPropFile/decryptionPropFile attributes from the configuration.
But there is a check in WSS4J which checks whether there is a property file whenever there is encryption. This check should be done only if a key store is involved. But this is a bit tricky when it comes to decryption, as this information (whether an embedded key was used) is only available while processing the encrypted elements, but the key store is loaded in an earlier stage. But if we just remove that check, this sample works fine with the encryptionPropFile/decryptionPropFile attributes removed from the security configuration parameters.

Thanks,
Nandana

Re: ws-security: Encryption using UserToken

Posted by qvall <qv...@o2.pl>.
Thanks Nandana for the link and clarification, I found it really helpful.
However, what is still not clear to me is why in that sample they are using passwordCallbackClass to set the key along with encryptionPropFile/decryptionPropFile (which eventually points to a keystore). Shouldn't keystores be redundant in symmetric encryption?


Re: ws-security: Encryption using UserToken

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi Patrick,

On 12/30/07, qvall <qv...@o2.pl> wrote:
>
>
> Hi,
> I would like to encrypt and sign my requests and responses using WSS4J and
> UserToken
> but can't figure out how to do it. I guess I should play with
> "encryptionKeyIdentifier", "EmbeddedKeyName",
> "encryptionPropFile"
> "encryptionSymAlgorithm" according to the other link that works. However I
> still
> don't know how
> to do it. Especially, how can I reference the UserToken that is generated to
> be
> used for
> signature and encryption?


I think the Rampart basic sample 9 [1], which uses the embedded key name as the encryption key identifier, will help you understand the usage.



> is there any way to
> encrypt
> the response from the server (using X.509 certificates) without knowing the client's
> public key in advance?
> I mean, in many samples I saw that the server's keystore had the client's cert. I
> would like to
> avoid that since it requires modifying the server with each new client. Does
> "useReqSigCert"
> have something to do with it?


Yes, if we use "useReqSigCert", the certificate used to sign the request message will be used to encrypt the response message back to the client. So the server may either get the certificate from the key store or extract it from the request. In the latter case, the server must be able to verify the trust for the client's certificate.
If you are using policy based configuration of Rampart, you have another option. You can use a Symmetric Binding. If you use symmetric binding, then the client doesn't need to have a certificate at all to do the encryption and signature.

Thanks,
Nandana

[1] -
https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/modules/rampart-samples/basic/sample09/
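As an added illustration (not code from this thread or from Rampart sample 9), a minimal passwordCallbackClass for the EmbeddedKeyName setup Nandana points to. It assumes the WSS4J 1.5 WSPasswordCallback API, an EmbeddedKeyName of "SessionKey" configured on both sides, and a hypothetical lookupKeyPassword helper; the key bytes are a constructed placeholder.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical passwordCallbackClass for encryptionKeyIdentifier=EmbeddedKeyName.
// WSS4J does not read the encryption key from a key store here: it calls this
// handler with usage KEY_NAME and the configured key name, and the handler
// supplies the raw symmetric key. SIGNATURE/DECRYPT callbacks still receive the
// private-key password for whatever parts do use a key store.
public class EmbeddedKeyCallbackHandler implements CallbackHandler {

    // Value configured as <EmbeddedKeyName> on both client and server (assumed).
    private static final String KEY_NAME = "SessionKey";

    // Constructed placeholder: 24 bytes for tripledes-cbc. Load the real shared
    // key from a protected store, never from source code.
    private static final byte[] SESSION_KEY = new byte[24];

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.KEY_NAME:
                    // Release the key only for the expected name, so an unexpected
                    // KeyName in an incoming message is rejected rather than served.
                    if (!KEY_NAME.equals(pwcb.getIdentifier())) {
                        throw new UnsupportedCallbackException(cb,
                                "Unknown key name: " + pwcb.getIdentifier());
                    }
                    pwcb.setKey(SESSION_KEY.clone());
                    break;
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    pwcb.setPassword(lookupKeyPassword(pwcb.getIdentifier()));
                    break;
                default:
                    throw new UnsupportedCallbackException(cb,
                            "Unsupported usage: " + pwcb.getUsage());
            }
        }
    }

    // Hypothetical key-store password lookup; wire this to your own secret store.
    private String lookupKeyPassword(String alias) {
        return System.getProperty("wss.keypass." + alias);
    }
}
```

With this handler, encryptionPropFile/decryptionPropFile are only needed if the signature side still uses a key store, which matches the point about the redundant property-file check above.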