I need to migrate a SOAP-WS web service hosted on the Metro web service
stack, version 2.2.1.1 to Apache CXF 3.1.6. I'm trying to determine
where some of the facilities I've used in Metro for WS-Security using
X509 certs have equivalents in Apache CXF and so far, I'm coming up short.
Specifics:
We sign our outgoing client packets with an X.509 cert, and the server
on the other end validates that signature, thanks to the WS-Security
libraries in the web service runtime. I have a requirement to audit the
CN of the certificate used to sign the incoming request, which means I
need to pull that out in the application itself.
-------------------------------
With Metro I was able to get the CN out this way.
In the class annotated with @WebService(endpointInterface=foo)
I had an instance variable annotated like this:

    import javax.annotation.Resource;
    import javax.xml.ws.WebServiceContext;

    @Resource
    private WebServiceContext wsContext;

In my application code, I ended up doing this, at the high level:

    import java.security.cert.X509Certificate;
    import java.util.Set;
    import javax.security.auth.Subject;
    import com.sun.xml.wss.SubjectAccessor; // from webservices-rt-2.2.1-1.jar
    ...
    // Subject that Metro's WS-Security layer built for the verified request
    Subject subj =
        SubjectAccessor.getRequesterSubject(wsContext.getMessageContext());
    ...
    Set<X509Certificate> creds =
        subj.getPublicCredentials(X509Certificate.class);
    // am able to make some assumptions about which cred in the set is the signing one
---------------
Alas... I'm not seeing anything as straightforward as the SubjectAccessor
class in Apache CXF thus far.
I went to my usual go-to place, the totally awesome Glen Mazza web
service blog, and found this:
https://web-gmazza.rhcloud.com/blog/entry/cxf-x509-profile. Of course,
that entry is almost 4 years old and things might well have changed for
Apache CXF 3.1.6. In any case, it doesn't look quite as easy as the
SubjectAccessor class.
I've checked out the CXF git repo and am wandering through the systests
to see if I can find the example that will show me how best to do this.
If there is an easy way to have the web service retrieve the CN of the
signing certificate used in the Web service client, I'd be grateful if
someone could point me in the general direction.
========
Platform:
I will be hosting this service on a RHEL7 host/Tomcat7/Java 8, and I can
modify the WSDL to have different WS-SecurityPolicy statements in it, if
need be.
We're using Guice 3.0 as our dependency injection framework and really
don't want to bring Spring in if I don't have to.
Thanks in advance.
SL
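A CXF-side counterpart to the Metro snippet above, added here as an example and not part of the original post. It assumes the endpoint is secured by CXF's WSS4JInInterceptor (WSS4J 2.1, as shipped with CXF 3.1.x), which stores its verification results on the message under WSHandlerConstants.RECV_RESULTS; it keeps only certificates from verified SIGN results and parses the CN from the subject DN rather than splitting the DN string. The class name SigningCertAudit and the field wsContext are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.xml.ws.WebServiceContext;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult; // org.apache.wss4j.dom.engine in WSS4J 2.2+
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;

// Hypothetical helper for the @WebService implementation class (example code).
public class SigningCertAudit {
    @Resource
    private WebServiceContext wsContext; // injected by the JAX-WS runtime, as in the Metro version

    /** Certificates WSS4J actually verified a ds:Signature with, not just any token in the header. */
    public List<X509Certificate> signingCertificates() {
        List<X509Certificate> certs = new ArrayList<>();
        @SuppressWarnings("unchecked")
        List<WSHandlerResult> results = (List<WSHandlerResult>)
                wsContext.getMessageContext().get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            return certs; // no WS-Security processing ran: treat the request as unsigned
        }
        for (WSHandlerResult handlerResult : results) {
            for (WSSecurityEngineResult r : handlerResult.getResults()) {
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action == null || action != WSConstants.SIGN) {
                    continue; // skip encryption, timestamp and token results
                }
                X509Certificate cert = (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (cert != null) {
                    certs.add(cert);
                }
            }
        }
        return certs;
    }

    /** CN from the parsed subject DN; naive "CN=" string splitting breaks on escaped commas. */
    public static String commonName(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null; // no CN RDN: log the full DN instead of failing silently
    }
}
```

For the audit record it is worth logging the issuer DN and the certificate's serial or fingerprint alongside the CN, since CNs are not unique across issuers.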