Posted to fx-dev@ws.apache.org by pandu <pa...@satyam.com> on 2006/10/04 10:55:18 UTC

Binary Security Token for X509 certificates issue

Hi,

I developed a web service application where the client has to use the X.509
security token in the SOAP message. I created the SOAP message as per the
WSS X.509 certificate token profile.
The SOAP message is digitally signed using my private key.

Once the SOAP message arrives at the server, I need to do authentication using
digital certificates. So I tried to get the certificate as follows:

NodeList list1 = header.getElementsByTagName("Security");
Element x509Element = (Element) list1.item(0);
XMLSignature xmlSignature = new XMLSignature(x509Element, null);
xmlSignature.addResourceResolver(EnvelopeIdResolver.getInstance());
X509Certificate[] certs = null;
KeyInfo info = xmlSignature.getKeyInfo();
Node node = null;
if (info != null) {
    // look for wsse:SecurityTokenReference directly under ds:KeyInfo
    node = WSSecurityUtil.getDirectChild(info.getElement(),
            SecurityTokenReference.SECURITY_TOKEN_REFERENCE, WSSE_SEC_NS_URI);
    if (node == null) {
        throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo");
    }
    SecurityTokenReference secRef = new SecurityTokenReference((Element) node);
}

// pkCert: the X509Certificate whose public key is expected to verify the signature
boolean valid = xmlSignature.checkSignatureValue(pkCert);
if (valid) {
    System.out.println("Signature is valid.");
} else {
    System.out.println("Signature is not valid.");
}
return valid;


First question: how do I validate the SOAP message?
Second question: how do I get the Binary Security Token value, which will then
be used to create the X509Certificate object (and how do I create this from the
binary security token)?
Third: how do I do authentication?

When I am trying to fetch the Security Token Reference from the KeyInfo
object, I am getting the following error.

Exception in thread "main" org.apache.xml.security.exceptions.XMLSecurityException: Cannot create a http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:Security from a http://www.w3.org/2000/09/xmldsig#:Signature element
	at org.apache.xml.security.utils.ElementProxy.guaranteeThatElementInCorrectSpace(Unknown Source)
	at org.apache.xml.security.utils.ElementProxy.<init>(Unknown Source)
	at org.apache.xml.security.utils.SignatureElementProxy.<init>(Unknown Source)
	at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
	at client.WSSecSingatureTest.doVerify(WSSecSingatureTest.java:239)
	at client.WSSecSingatureTest.main(WSSecSingatureTest.java:191)



Currently we are not using the WSS4J framework, so I don't need to create
deployment descriptors like client-config.wssd and server-config.wssd.

I am trying to do the authentication and validation on the server
programmatically.

I request your help in fixing this issue.

Regards,
Pandu

-- 
View this message in context: http://www.nabble.com/Binary-Security-Token-for-X509-certificates-issue-tf2381136.html#a6636040
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: Binary Security Token for X509 certificates issue

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Pandu,

On 10/4/06, pandu <pa...@satyam.com> wrote:
>
> Hi,
>
> I developed a web service application where the client has to use the X.509
> security token in the SOAP message. I created the SOAP message as per the
> WSS X.509 certificate token profile.
> The SOAP message is digitally signed using my private key.
>
> Once the SOAP message arrives at the server, I need to do authentication using
> digital certificates. So I tried to get the certificate as follows:
>
> NodeList list1 = header.getElementsByTagName("Security");
> Element x509Element = (Element) list1.item(0);
> XMLSignature xmlSignature = new XMLSignature(x509Element, null);
> xmlSignature.addResourceResolver(EnvelopeIdResolver.getInstance());
> X509Certificate[] certs = null;
> KeyInfo info = xmlSignature.getKeyInfo();
> Node node = null;
> if (info != null) {
>     // look for wsse:SecurityTokenReference directly under ds:KeyInfo
>     node = WSSecurityUtil.getDirectChild(info.getElement(),
>             SecurityTokenReference.SECURITY_TOKEN_REFERENCE, WSSE_SEC_NS_URI);
>     if (node == null) {
>         throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo");
>     }
>     SecurityTokenReference secRef = new SecurityTokenReference((Element) node);
> }
>
> // pkCert: the X509Certificate whose public key is expected to verify the signature
> boolean valid = xmlSignature.checkSignatureValue(pkCert);
> if (valid) {
>     System.out.println("Signature is valid.");
> } else {
>     System.out.println("Signature is not valid.");
> }
> return valid;
>
>
> First question: how do I validate the SOAP message?
> Second question: how do I get the Binary Security Token value, which will then
> be used to create the X509Certificate object (and how do I create this from the
> binary security token)?


Please have a look at the SignatureProcessor we use in WSS4J :

https://svn.apache.org/repos/asf/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java


> Third is how to do authentication?

To authenticate the user using his/her X.509 cert you will have to
hold the user's cert information at the service. This can simply be
a keystore with the trusted certs.

Now when you verify the signature you can check your trust store at the
service to see whether the signature uses a certificate that you
trust. If you can find a match, then you have the user authenticated.

Thanks,
Ruchith

-- 
www.ruchith.org
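
Pulling the three answers together as working code, as an added example that is not from this thread and not WSS4J's own code: the class below uses the JDK's built-in javax.xml.crypto.dsig API instead of the Santuario XMLSignature class in the snippet above, builds a message laid out per the X.509 token profile (a wsse:BinarySecurityToken plus a ds:Signature whose KeyInfo holds a wsse:SecurityTokenReference pointing at it), and on the receiving side does what the SignatureProcessor link and the trust-store advice describe. It looks up the ds:Signature element by the XML DSig namespace (the exception in the original post comes from handing XMLSignature the wsse:Security element that getElementsByTagName("Security") returns; Santuario's ElementProxy constructor, the guaranteeThatElementInCorrectSpace frame in the stack trace, insists on a ds:Signature), follows the SecurityTokenReference to the token inside the same Security header, decodes its base64 content into an X509Certificate with CertificateFactory, verifies the signature with that certificate's public key, checks that the signature actually covers soap:Body, and authenticates by an exact match in a trust store. The class name, the wsu:Id values, the urn:example:orders payload, the file names client.jks and trust.jks, the alias client and the password changeit are all assumptions made for the example.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

/** Added example, not WSS4J code: X.509 token profile round trip on the JDK's javax.xml.crypto.dsig API. */
public class WsseX509Roundtrip {
    static final String XMLNS = "http://www.w3.org/2000/xmlns/", SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static final String B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final char[] PASS = "changeit".toCharArray(); // assumption: both keytool stores use -storepass changeit
    /** Client side: sign soap:Body with the private key; carry the certificate as a wsse:BinarySecurityToken. */
    static byte[] buildSignedEnvelope(X509Certificate cert, PrivateKey key) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element env = (Element) doc.appendChild(doc.createElementNS(SOAP, "soap:Envelope"));
        env.setAttributeNS(XMLNS, "xmlns:soap", SOAP); // c14n reads xmlns attributes from the DOM: declare them
        env.setAttributeNS(XMLNS, "xmlns:wsse", WSSE); env.setAttributeNS(XMLNS, "xmlns:wsu", WSU);
        Element sec = (Element) env.appendChild(doc.createElementNS(SOAP, "soap:Header"))
                                   .appendChild(doc.createElementNS(WSSE, "wsse:Security"));
        Element body = (Element) env.appendChild(doc.createElementNS(SOAP, "soap:Body"));
        body.setAttributeNS(WSU, "wsu:Id", "Body"); body.setIdAttributeNS(WSU, "Id", true); // so "#Body" resolves
        Element order = (Element) body.appendChild(doc.createElementNS("urn:example:orders", "ord:placeOrder"));
        order.setAttributeNS(XMLNS, "xmlns:ord", "urn:example:orders"); order.setTextContent("42");
        Element bst = (Element) sec.appendChild(doc.createElementNS(WSSE, "wsse:BinarySecurityToken"));
        bst.setAttribute("EncodingType", B64); bst.setAttribute("ValueType", X509V3); bst.setAttributeNS(WSU, "wsu:Id", "X509Token");
        bst.setTextContent(Base64.getEncoder().encodeToString(cert.getEncoded()));
        Element str = doc.createElementNS(WSSE, "wsse:SecurityTokenReference"); // goes into ds:KeyInfo, per the profile
        Element ref = (Element) str.appendChild(doc.createElementNS(WSSE, "wsse:Reference"));
        ref.setAttribute("URI", "#X509Token"); ref.setAttribute("ValueType", X509V3);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference bodyRef = fac.newReference("#Body", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), Collections.singletonList(bodyRef));
        fac.newXMLSignature(si, fac.getKeyInfoFactory().newKeyInfo(Collections.singletonList(new DOMStructure(str))))
           .sign(new DOMSignContext(key, sec)); // ds:Signature is appended to wsse:Security after the token
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    /** Server side: verify the signature with the key in the referenced token, then authenticate that token. */
    static String verifyAndAuthenticate(byte[] soap, KeyStore trust) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE from clients
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(soap));
        Element root = doc.getDocumentElement(), body = one(root, SOAP, "Body"), sec = one(root, WSSE, "Security");
        Element sigEl = one(sec, XMLSignature.XMLNS, "Signature"); // hand the engine ds:Signature, never wsse:Security
        Element strRef = one(one(one(sigEl, XMLSignature.XMLNS, "KeyInfo"), WSSE, "SecurityTokenReference"), WSSE, "Reference");
        String tokenId = strRef.getAttribute("URI").replaceFirst("^#", "");
        Element bst = null; NodeList tokens = sec.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        for (int i = 0; i < tokens.getLength(); i++) // only tokens inside this wsse:Security header are candidates
            if (tokenId.equals(((Element) tokens.item(i)).getAttributeNS(WSU, "Id"))) bst = (Element) tokens.item(i);
        if (bst == null) throw new GeneralSecurityException("no BinarySecurityToken with wsu:Id=" + tokenId);
        if (!X509V3.equals(bst.getAttribute("ValueType")) || !B64.equals(bst.getAttribute("EncodingType")))
            throw new GeneralSecurityException("unexpected token ValueType/EncodingType");
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(Base64.getMimeDecoder().decode(bst.getTextContent().trim())));
        DOMValidateContext ctx = new DOMValidateContext(cert.getPublicKey(), sigEl); // 1. verify with the token's key
        ctx.setIdAttributeNS(body, WSU, "Id"); // a re-parsed DOM has no ID typing: register wsu:Id so "#Body" resolves
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) throw new GeneralSecurityException("signature does not verify");
        boolean bodySigned = false; // 2. a valid signature over the wrong element proves nothing: it must cover soap:Body
        for (Object r : sig.getSignedInfo().getReferences())
            bodySigned |= ("#" + body.getAttributeNS(WSU, "Id")).equals(((Reference) r).getURI());
        if (!bodySigned) throw new GeneralSecurityException("soap:Body is not covered by the signature");
        cert.checkValidity(); // 3. authenticate: the token's certificate must be in the trust store and still valid
        String alias = trust.getCertificateAlias(cert);
        if (alias == null) throw new GeneralSecurityException("untrusted signer " + cert.getSubjectX500Principal());
        return alias;
    }
    static Element one(Element parent, String ns, String local) throws GeneralSecurityException { // exactly one, or fail
        NodeList l = parent.getElementsByTagNameNS(ns, local); // duplicates are how signature wrapping sneaks past checks
        if (l.getLength() != 1) throw new GeneralSecurityException("expected one " + local + ", found " + l.getLength());
        return (Element) l.item(0);
    }
    public static void main(String[] args) throws Exception {
        KeyStore client = KeyStore.getInstance(KeyStore.getDefaultType()), trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream("client.jks")) { client.load(in, PASS); } // assumption: holds alias "client"
        try (InputStream in = new FileInputStream("trust.jks")) { trust.load(in, PASS); }   // assumption: holds the client cert
        byte[] msg = buildSignedEnvelope((X509Certificate) client.getCertificate("client"), (PrivateKey) client.getKey("client", PASS));
        System.out.println("authenticated as trust-store alias: " + verifyAndAuthenticate(msg, trust));
        byte[] tampered = new String(msg, "UTF-8").replace(">42<", ">43<").getBytes("UTF-8"); // alter the signed payload
        try { verifyAndAuthenticate(tampered, trust); } catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Create the two stores first with keytool (the example assumes these file names, the alias and the password): keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -dname CN=client -keystore client.jks -storepass changeit -keypass changeit, then keytool -exportcert -alias client -keystore client.jks -storepass changeit -file client.cer, then keytool -importcert -alias client -file client.cer -keystore trust.jks -storepass changeit -noprompt. The run prints the alias the message authenticates as, then shows the same message rejected once the signed payload has been altered. The exact-match trust check is the keystore approach suggested in the reply; for certificates issued by a CA you would instead run the token's certificate through CertPathValidator against the trusted roots. In either case the order of checks is the point: cryptographic validity first, then that the signature covers the element you are about to act on, then trust in the signer.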


