Glen, I think it's going to depend a lot on how your nodes are
architected. For example, if your intermediate is not co-located with
your target, but it needs access to the encrypted payload for any
reason (for example, just to make it far enough through the CXF
interceptor chain), then you are going to be up the creek without the
private key needed to decrypt the message. Questions like this have
been coming up a lot in the WSS4J list, and my first inclination is to
steer the user away from Axis or CXF for their intermediates, and
instead use something like Camel, which would allow you to process
only the parts of the message you care about.
If your intermediate and target entities are essentially co-located,
then you could probably chain the WSS4JInInterceptors in the way you
suggest, though I haven't done this myself. I have chained calls to
the low-level WSS4J APIs, though, and I'm fairly certain that works,
though you'd need to split your wss:Security headers using distinct
actor attributes, so that WSS4J will process only the headers targeted
for a specific entity.
-Fred
On Sep 8, 2008, at 6:23 PM, Glen Mazza wrote:
Hello, I'm not sure how important a use case this is, but does CXF have the ability to encrypt the soap:header differently from the soap:body? Perhaps a typical example might be accessing bank account information--an intermediary node (with its own private key) could be used to check the SAML or other security token specified in the soap:header while the business service (with a different private key) could decrypt the actual bank account information in the soap:body. In this case, the client would need to encrypt the soap:header and soap:body with different public keys for this system to work.

I would guess a way to implement this would be to configure two WSS4JOutInterceptors[1], specifying different encryptionParts (one for header, one for body)--would that be workable? If necessary, I can add a JIRA enhancement request for this.

I think I'll ask the same question on the Metro list for this.

Regards,
Glen

[1] http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the#PKICXF5 (Step 5, substep 1)
--
View this message in context:
http://www.nabble.com/Can-CXF-encrypt-the-soap%3Aheader-and-soap%3Abody-with-different-keys--tp19382497p19382497.html
Sent from the cxf-dev mailing list archive at Nabble.com.
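What the two messages above sketch, written out as CXF/WSS4J interceptor configuration. This is an added example, not code from the thread, from CXF or from WSS4J: it shows Glen's two-WSS4JOutInterceptor layout (one encryptionParts entry for a header element, one for the body, each with a different encryptionUser and therefore a different public key) together with the split Fred describes on the receiving side, where each WSS4JInInterceptor carries its own actor so it only touches the wsse:Security header aimed at it. A single Encrypt action with both parts listed would wrap both under one session key and one certificate, which is why two interceptors are needed. The actor URIs, keystore aliases, crypto property files, key password and the urn:example:bank SessionToken header are assumptions for the example; whether two chained WSS4JOutInterceptors coexist cleanly in the CXF chain is exactly what Glen is asking, so treat this as the configuration to try, not a confirmed answer.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.Endpoint;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Two-key WS-Security layout: the SOAP header element the intermediary checks is
 * encrypted for the intermediary's certificate, the soap:Body for the bank
 * service's certificate. Each key gets its own wsse:Security header, told apart
 * by the actor attribute, so each receiver decrypts only the header aimed at it.
 *
 * Everything marked "assumed" (actor URIs, keystore aliases, property files,
 * key password, the application header element) is invented for this example.
 */
public class SplitKeyEncryption {

    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String APP_NS = "urn:example:bank";                     // assumed
    static final String ACTOR_INTERMEDIARY = "urn:example:intermediary"; // assumed
    static final String ACTOR_SERVICE = "urn:example:bankservice";       // assumed

    /** Client side, first interceptor: encrypt the token header for the intermediary's key. */
    static WSS4JOutInterceptor headerEncryptor() {
        Map<String, Object> p = new HashMap<String, Object>();
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        p.put(WSHandlerConstants.ACTOR, ACTOR_INTERMEDIARY);
        p.put(WSHandlerConstants.ENCRYPTION_USER, "intermediary");           // assumed keystore alias
        p.put(WSHandlerConstants.ENC_PROP_FILE, "client_crypto.properties"); // assumed file
        // Whole header element, and nothing from the body
        p.put(WSHandlerConstants.ENCRYPTION_PARTS, "{Element}{" + APP_NS + "}SessionToken");
        return new WSS4JOutInterceptor(p);
    }

    /** Client side, second interceptor: encrypt the body content for the bank service's key. */
    static WSS4JOutInterceptor bodyEncryptor() {
        Map<String, Object> p = new HashMap<String, Object>();
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        p.put(WSHandlerConstants.ACTOR, ACTOR_SERVICE);
        p.put(WSHandlerConstants.ENCRYPTION_USER, "bankservice");            // assumed keystore alias
        p.put(WSHandlerConstants.ENC_PROP_FILE, "client_crypto.properties"); // assumed file
        p.put(WSHandlerConstants.ENCRYPTION_PARTS, "{Content}{" + SOAP_NS + "}Body");
        return new WSS4JOutInterceptor(p);
    }

    /** Receiver side: decrypt only the wsse:Security header carrying the given actor. */
    static WSS4JInInterceptor decryptorFor(String actor, String decPropFile) {
        Map<String, Object> p = new HashMap<String, Object>();
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        p.put(WSHandlerConstants.ACTOR, actor);
        p.put(WSHandlerConstants.DEC_PROP_FILE, decPropFile);                // assumed file
        p.put(WSHandlerConstants.PW_CALLBACK_CLASS, KeyPasswordCallback.class.getName());
        return new WSS4JInInterceptor(p);
    }

    /** Hands WSS4J the private-key password it needs to unwrap the session key. */
    public static class KeyPasswordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    ((WSPasswordCallback) cb).setPassword("changeit");       // assumed key password
                }
            }
        }
    }

    /** Client proxy gets both outbound interceptors; each adds its own wsse:Security header. */
    static void wireClient(Object port) {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(headerEncryptor());
        client.getOutInterceptors().add(bodyEncryptor());
    }

    /** Co-located case from Fred's reply: one endpoint, one inbound interceptor per actor. */
    static void wireColocatedService(Object implementor, String address) {
        EndpointImpl ep = (EndpointImpl) Endpoint.publish(address, implementor);
        ep.getInInterceptors().add(decryptorFor(ACTOR_INTERMEDIARY, "intermediary_crypto.properties"));
        ep.getInInterceptors().add(decryptorFor(ACTOR_SERVICE, "bankservice_crypto.properties"));
    }
}
```

Things to check when trying this: the outgoing envelope should carry two wsse:Security headers with different actor values, each holding its own xenc:EncryptedKey, one referencing the SessionToken element and one the Body content. A non-co-located intermediary configured with only decryptorFor(ACTOR_INTERMEDIARY, ...) leaves the Body as EncryptedData it cannot read, which is Fred's warning: that is fine only as long as nothing else in its chain needs the plaintext body. If only one header shows up on the wire or the second interceptor never appears to run, check whether CXF's phase chain dropped the second instance as a duplicate, since interceptors are told apart by an id that defaults to the class name.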