Glen, I think it's going to depend a lot on how your nodes are architected. For example, if your intermediate is not co-located with your target, but it needs access to the encrypted payload for any reason (for example, just to make it far enough through the CXF interceptor chain), then you are going to be up the creek without the private key needed to decrypt the message. Questions like this have been coming up a lot in the WSS4J list, and my first inclination is to steer the user away from Axis or CXF for their intermediates, and instead use something like Camel, which would allow you to process only the parts of the message you care about.

If your intermediate and target entities are essentially co-located, then you could probably chain the WSS4JInInterceptors in the way you suggest, though I haven't done this myself. I have chained calls to the low-level WSS4J APIs, though, and I'm fairly certain that works, though you'd need to split your wss:Security headers using distinct actor attributes, so that WSS4J will process only the headers targeted for a specific entity.

-Fred

On Sep 8, 2008, at 6:23 PM, Glen Mazza wrote:
Hello, I'm not sure how important a use case this is, but does CXF have the ability to encrypt the soap:header differently from the soap:body? Perhaps a typical example might be accessing bank account information--an intermediary node (with its own private key) could be used to check the SAML or other security token specified in the soap:header while the business service (with a different private key) could decrypt the actual bank account information in the soap:body. In this case, the client would need to encrypt the soap:header and soap:body with different public keys for this system to work.

I would guess a way to implement this would be to configure two WSS4JOutInterceptors[1], specifying different encryptionParts (one for header, one for body)--would that be workable? If necessary, I can add a JIRA enhancement request for this.

I think I'll ask the same question on the Metro list for this.

Regards,
Glen

[1]
http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the#PKICXF5
(Step 5, substep 1)

--
View this message in context: 
http://www.nabble.com/Can-CXF-encrypt-the-soap%3Aheader-and-soap%3Abody-with-different-keys--tp19382497p19382497.html
Sent from the cxf-dev mailing list archive at Nabble.com.
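For readers who want to see what the two-interceptor setup from this thread looks like in code, the following is an added example; it is not code from Glen, Fred, CXF or WSS4J. It configures the client with two WSS4JOutInterceptors, one encrypting the SAML assertion in the header to the intermediary's public key and one encrypting the soap:body content to the service's public key, each under its own actor so the resulting wsse:Security headers are distinguishable, and it configures the intermediary's WSS4JInInterceptor to process only the header carrying its actor. The actor URIs, key aliases, crypto property file names and the password callback class name are assumptions made up for the example; the property names are the standard WSS4J WSHandlerConstants.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Added example (not project code): encrypt the soap:header token and the
 * soap:body to two different public keys by using two WSS4J out-interceptors,
 * each with its own actor and its own encryptionParts selection.
 */
public class SplitKeyEncryptionConfig {

    // Assumed actor URIs; each wsse:Security header produced below carries one of them.
    static final String INTERMEDIARY_ACTOR = "urn:example:token-checker";
    static final String SERVICE_ACTOR = "urn:example:account-service";

    // Client side: encrypt only the SAML assertion in the header, to the
    // intermediary's public key ("intermediary" is an assumed keystore alias).
    static WSS4JOutInterceptor headerEncryptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        props.put(WSHandlerConstants.ACTOR, INTERMEDIARY_ACTOR);
        props.put(WSHandlerConstants.ENCRYPTION_USER, "intermediary");
        props.put(WSHandlerConstants.ENC_PROP_FILE, "intermediary-crypto.properties"); // assumed file
        // Parts syntax is {mode}{namespace}localname; {Element} encrypts the whole element.
        props.put(WSHandlerConstants.ENCRYPTION_PARTS,
                  "{Element}{urn:oasis:names:tc:SAML:1.0:assertion}Assertion");
        return new WSS4JOutInterceptor(props);
    }

    // Client side: encrypt only the body content, to the business service's
    // public key ("accountservice" is an assumed keystore alias).
    static WSS4JOutInterceptor bodyEncryptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        props.put(WSHandlerConstants.ACTOR, SERVICE_ACTOR);
        props.put(WSHandlerConstants.ENCRYPTION_USER, "accountservice");
        props.put(WSHandlerConstants.ENC_PROP_FILE, "service-crypto.properties"); // assumed file
        // {Content} keeps the soap:Body element itself in the clear and encrypts its children.
        props.put(WSHandlerConstants.ENCRYPTION_PARTS,
                  "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
        return new WSS4JOutInterceptor(props);
    }

    // Attach both out-interceptors to a JAX-WS client proxy.
    static void configureClient(Object port) {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(headerEncryptor());
        client.getOutInterceptors().add(bodyEncryptor());
    }

    // Intermediary side: process only the wsse:Security header addressed to
    // INTERMEDIARY_ACTOR. The header for SERVICE_ACTOR is left alone, so the
    // intermediary never needs the service's private key. The callback class
    // name is an assumption; it must supply the intermediary keystore password.
    static WSS4JInInterceptor intermediaryDecryptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        props.put(WSHandlerConstants.ACTOR, INTERMEDIARY_ACTOR);
        props.put(WSHandlerConstants.DEC_PROP_FILE, "intermediary-crypto.properties");
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                  "com.example.IntermediaryKeyPasswordCallback");
        return new WSS4JInInterceptor(props);
    }
}
```

Two things to verify before relying on this. First, CXF's PhaseInterceptorChain skips a second interceptor whose id matches one already on the chain, and WSS4JOutInterceptor's default id is its class name, so check at runtime (CXF logs the skipped interceptor) that both instances actually end up on the out chain. Second, Fred's caveat still applies: this only helps if the intermediary never has to read the body; if anything on its path needs the decrypted payload, no actor split will save it from needing the service's private key.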