Re: CXF Webservice Security

Glen Mazza Mon, 05 Mar 2012 05:44:31 -0800

Oops.  I stand corrected on #3.  :)

On 03/05/2012 05:13 AM, Colm O hEigeartaigh wrote:

3) If I do not mention signatureParts, encryptionParts,
encryptionSymAlgorithm properties in interceptors, what are the default
algorithms used or *which algorithm is your suggestion* ? (If you could
point me to any tutorial, that will be great. Thanks)

Here are the default values:


signatureParts - The SOAP Body is signed (if the signature action is specified)
encryptionParts - The SOAP Body is encrypted (if the encryption action
is specified)
encryptionSymAlgorithm - AES-128

You might find the following page useful:

http://ws.apache.org/wss4j/config.html

Colm.


On Fri, Mar 2, 2012 at 5:22 PM, Glen Mazza<[email protected]>  wrote:

On 03/02/2012 12:02 PM, kumarasamyr wrote:

I have few questions here,


1) *I do not see any changes in WSDL (generated from IE) after adding
security(Signature,Encrypt)*. Because How webservice consumer knows about
the security(in my case, there are BPM and .net consumers)?


None of the tools create Policy statements for you.  You either have a WSDL
with WS-Policy already in place (created manually or with help from NetBeans
-- see the Metro security articles #13, #15 on my blog[1]), or if you don't
wish to use WS-Policy, then you use the interceptor approach.


2) Is there any *free *alternatives available for  bcprov-jdk15-146.jar
(BouncyCastle encryption library)? - Just for knowledge

I thought BC is free:  http://www.bouncycastle.org/licence.html.  But I'm
unsure if you need it anyway -- IIRC that's only if the cryptographic
algorithms already provided by the JDK are not what you want.

3) If I do not mention signatureParts, encryptionParts,
encryptionSymAlgorithm properties in interceptors, what are the default
algorithms used or *which algorithm is your suggestion* ? (If you could
point me to any tutorial, that will be great. Thanks)


Nothing should get encrypted/signed in that case.  If you don't have
specific encryption requirements (i.e., if you have to ask us), you might
consider just encrypting the SOAP calls using SSL (i.e., using simpler
transport- instead of message-layer encryption without need for Policy
statements) see article #11 of [1].


[1] http://www.jroller.com/gmazza/entry/blog_article_index


4) How do I log the original request and response(request and response
without encryption) when I use security encryption? atleast I want in
server
side for debugging.


https://cwiki.apache.org/CXF20DOC/debugging-and-logging.html should take
care of you.

HTH,
Glen


Thanks,
Kumar

--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-Webservice-Security-tp5531555p5531555.html
Sent from the cxf-user mailing list archive at Nabble.com.



--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza



--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza

Re: CXF Webservice Security

Reply via email to