Hi Lukasz,
The signature is used in order to verify/decrypt the signature placed on the
payload by the sender. The encryption is what is used in order to encrypt the
payload on its way out of the door.
I am not quite sure what you mean by one-way signature...???
If you are planning not to use encryption, then the alternative is to use
UsernameToken; you can then use the following in the cxf-bc consumer:
    <!-- Inbound WS-Security based Interceptor -->
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
          id="UsernameToken_Request">
        <constructor-arg>
            <map>
                <!-- Use this action order for local clients -->
                <entry key="action" value="UsernameToken"/>
                <!-- The two property files are only read when the Signature /
                     Encrypt actions are processed; for a UsernameToken-only
                     action the password callback class below is what checks
                     the received username/password -->
                <entry key="signaturePropFile" value="alice.properties"/>
                <entry key="decryptionPropFile" value="bob.properties"/>
                <entry key="passwordCallbackClass"
                       value="my_security.KeystorePasswordCallback"/>
            </map>
        </constructor-arg>
    </bean>

    <!-- Outbound WS-Security based Interceptor -->
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
          id="UsernameToken_Response">
        <constructor-arg>
            <map>
                <entry key="action" value="UsernameToken"/>
                <!-- "user" is the username written into the token; the
                     callback class supplies its password -->
                <entry key="user" value="bob"/>
                <!-- Signature / encryption settings, used only if those
                     actions are added to the "action" list above -->
                <entry key="signaturePropFile" value="bob.properties"/>
                <entry key="encryptionPropFile" value="alice.properties"/>
                <entry key="encryptionUser" value="Alice"/>
                <entry key="signatureKeyIdentifier"
                       value="DirectReference"/>
                <entry key="passwordCallbackClass"
                       value="my_security.KeystorePasswordCallback"/>
            </map>
        </constructor-arg>
    </bean>
Note that you will need to write the my_security.KeystorePasswordCallback
to do the check on whether the keys match...
Cheers,
Ashwin...
Hi,
thank you for your response, but I still don't understand a few things,
especially what you mean by "The cxf-bc consumer then uses
alice.properties (signaturePropFile) to validate against information in
bob.properties (encryptionPropFile)." Aren't signature and encryption
separate mechanisms?
In the example there is both encryption and signature used in both directions,
so both client and server need to have two keys: their own private key and the
other side's public key,
so how are they located in alice.jks and bob.jks?
And I'm thinking only about signature without encrypting content;
in such a case the client should have its private key and the server should
have the matching public key to verify that that's the real client.
Is that enough to implement one-way signature?
-----
---
Ashwin Karpe, Principal Consultant, PS - Opensource Center of Competence
Progress Software Corporation
14 Oak Park Drive
Bedford, MA 01730
---
+1-972-304-9084 (Office)
+1-972-971-1700 (Mobile)
----
Blog: http://opensourceknowledge.blogspot.com/
--
View this message in context:
http://www.nabble.com/CXF-WSS-example-tp20857457p20870171.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.
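For the signature-only ("one-way signature") setup asked about in the quoted question, here is an added example; it is not code from this thread or from the CXF project. It shows the key placement the question is about (alice.jks holds alice's private key and certificate, bob.jks holds bob's private key plus alice's certificate as a trusted entry), a CXF client that signs with alice's private key, a server that verifies that signature against its truststore, and the password callback the reply says you have to write. The Greeter service, the endpoint address, the file names and the passwords are placeholders assumed for illustration, and the property-file keys shown are the WSS4J 1.5 Merlin names of that era.

```java
// Added example (not from the thread or the CXF project): one-way signature
// with the CXF WSS4J interceptors, no encryption. Assumed keystore layout:
//   alice.jks : alice's private key + certificate (the client signs with it)
//   bob.jks   : bob's private key + alice's certificate as a trusted entry
//               (the server verifies the client's signature against it)
// Assumed alice.properties on the client classpath (bob.properties is the
// same with alias=bob and file=bob.jks):
//   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
//   org.apache.ws.security.crypto.merlin.keystore.type=jks
//   org.apache.ws.security.crypto.merlin.keystore.password=password
//   org.apache.ws.security.crypto.merlin.keystore.alias=alice
//   org.apache.ws.security.crypto.merlin.file=alice.jks
package my_security;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.jws.WebService;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;

public class OneWaySignatureExample {

    /** WSS4J asks this callback for the private-key password of an alias. */
    public static class KeystorePasswordCallback implements CallbackHandler {
        // Assumed key passwords; in practice load them from protected config.
        private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
        static {
            PASSWORDS.put("alice", "password");
            PASSWORDS.put("bob", "password");
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                String pw = PASSWORDS.get(pc.getIdentifier());
                if (pw == null) {
                    // Unknown alias: fail closed instead of guessing.
                    throw new IOException("no password for alias " + pc.getIdentifier());
                }
                pc.setPassword(pw);
            }
        }
    }

    /** Assumed placeholder service for the example. */
    @WebService
    public interface Greeter {
        String greet(String who);
    }

    public static class GreeterImpl implements Greeter {
        public String greet(String who) { return "Hello " + who; }
    }

    static final String ADDRESS = "http://localhost:9000/greeter"; // assumed

    /** Server side: verify the client's signature; nothing is decrypted. */
    public static void publishServer() {
        Map<String, Object> inProps = new HashMap<String, Object>();
        inProps.put("action", "Signature");
        // bob.properties -> bob.jks, which must contain alice's certificate as a
        // trusted entry; WSS4J checks the signing cert against that truststore.
        // No password callback is needed just to verify a signature.
        inProps.put("signaturePropFile", "bob.properties");

        JaxWsServerFactoryBean sf = new JaxWsServerFactoryBean();
        sf.setServiceClass(Greeter.class);
        sf.setServiceBean(new GreeterImpl());
        sf.setAddress(ADDRESS);
        sf.getInInterceptors().add(new WSS4JInInterceptor(inProps));
        sf.create();
    }

    /** Client side: sign the SOAP body with alice's private key. */
    public static Greeter createSigningClient() {
        Map<String, Object> outProps = new HashMap<String, Object>();
        outProps.put("action", "Signature");
        outProps.put("user", "alice");                              // signing key alias
        outProps.put("signaturePropFile", "alice.properties");
        outProps.put("signatureKeyIdentifier", "DirectReference");  // send alice's cert inline
        outProps.put("passwordCallbackClass", KeystorePasswordCallback.class.getName());

        JaxWsProxyFactoryBean cf = new JaxWsProxyFactoryBean();
        cf.setServiceClass(Greeter.class);
        cf.setAddress(ADDRESS);
        cf.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
        return (Greeter) cf.create();
    }

    public static void main(String[] args) {
        publishServer();
        System.out.println(createSigningClient().greet("Lukasz"));
    }
}
```

The same two maps can be written as the Spring `<map>` entries used in the cxf-bc configuration above, with `action` set to `Signature` instead of `UsernameToken`; the point of the layout is that the server never needs alice's private key, only her certificate, so a compromise of bob.jks does not let an attacker impersonate the client.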